Edit tour

Windows Analysis Report
http://ciiscp.org/wordpress/mail.uu.se.html

Overview

General Information

Sample URL:	http://ciiscp.org/wordpress/mail.uu.se.html
Analysis ID:	1592358
Infos:

Detection

Outlook Phishing

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Suricata IDS alerts for network traffic

Yara detected Outlook Phishing page

Detected non-DNS traffic on DNS port

Form action URLs do not match main URL

HTML body contains low number of good links

HTML body with high number of embedded images detected

HTML title does not match URL

Suricata IDS alerts with low severity for network traffic

Suspicious form URL found

Classification

Process Tree

System is w10x64

chrome.exe (PID: 6440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 --field-trial-handle=2264,i,12879587691625082442,13133716170211826207,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5536 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://ciiscp.org/wordpress/mail.uu.se.html" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_41	JoeSecurity_OutlookPhishing	Yara detected Outlook Phishing page	Joe Security

HTML

Source	Rule	Description	Author	Strings
1.0.pages.csv	JoeSecurity_OutlookPhishing	Yara detected Outlook Phishing page	Joe Security

Suricata Signatures

ET PHISHING Possible Successful Outlook Web App Phish 2016-12-28

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T01:38:17.739396+0100	2032732	1	Successful Credential Theft Detected	192.168.2.6	61353	192.254.188.250	443	TCP

ETPRO PHISHING Successful Phish Yale Credentials Nov 24

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-16T01:38:17.739396+0100	2815089	1	Successful Credential Theft Detected	192.168.2.6	61353	192.254.188.250	443	TCP

HTTP traffic detected: POST /well-known/pki-validation/uu.php HTTP/1.1Host: mail.lifetothebrim.orgConnection: keep-aliveContent-Length: 128Cache-Control: max-age=0sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://ciiscp.orgContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://ciiscp.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9

Source: chromecache_45.4.dr, chromecache_44.4.dr	String found in binary or memory: http://iyfhshsp.com/?dn=referer_detect&pid=5POL4F2O4
Source: chromecache_41.4.dr	String found in binary or memory: http://www.uu.se
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.lifetothebrim.org/well-known/pki-validation/uu.php
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa/auth/15.2.1544/themes/resources/favicon.ico
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.eot?#iefix
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.ttf
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semibold.eot?#iefix
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semibold.ttf
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semilight.eot?#iefix
Source: chromecache_41.4.dr	String found in binary or memory: https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semilight.ttf
Source: chromecache_41.4.dr	String found in binary or memory: https://outlook.com/student.uu.se

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61377 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61352 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61370
Source: unknown	Network traffic detected: HTTP traffic on port 61354 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61526 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61526
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61527
Source: unknown	Network traffic detected: HTTP traffic on port 61370 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61262
Source: unknown	Network traffic detected: HTTP traffic on port 61481 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61364
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61246
Source: unknown	Network traffic detected: HTTP traffic on port 61273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61353 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61481
Source: unknown	Network traffic detected: HTTP traffic on port 61527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61364 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61352
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61353
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61354
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61377

Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61273 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61354 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61481 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:61526 version: TLS 1.2

Source: classification engine

Classification label: mal68.phis.win@19/10@14/7

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 --field-trial-handle=2264,i,12879587691625082442,13133716170211826207,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://ciiscp.org/wordpress/mail.uu.se.html"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 --field-trial-handle=2264,i,12879587691625082442,13133716170211826207,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	3 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	4 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
http://ciiscp.org/wordpress/mail.uu.se.html	100%	Avira URL Cloud	phishing

Source	Detection	Scanner	Label
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/favicon.ico	0%	Avira URL Cloud	safe
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semilight.ttf	0%	Avira URL Cloud	safe
http://iyfhshsp.com/?dn=referer_detect&pid=5POL4F2O4	0%	Avira URL Cloud	safe
https://ciiscp.org/wordpress/UU-images/cta-button.png	100%	Avira URL Cloud	phishing
https://mail.uu.se/owa	0%	Avira URL Cloud	safe
https://mail.lifetothebrim.org/favicon.ico	0%	Avira URL Cloud	safe
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semibold.eot?#iefix	0%	Avira URL Cloud	safe
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.eot?#iefix	0%	Avira URL Cloud	safe
https://mail.lifetothebrim.org/well-known/pki-validation/uu.php	0%	Avira URL Cloud	safe
http://www.uu.se	0%	Avira URL Cloud	safe
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semilight.eot?#iefix	0%	Avira URL Cloud	safe
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semibold.ttf	0%	Avira URL Cloud	safe
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.ttf	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ciiscp.org	20.163.176.101	true	false	unknown
www.google.com	142.250.181.228	true	false	high
mail.uu.se	130.238.62.31	true	false	unknown
mail.lifetothebrim.org	192.254.188.250	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ciiscp.org/wordpress/mail.uu.se.html	true		unknown
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/favicon.ico	false	Avira URL Cloud: safe	unknown
https://mail.lifetothebrim.org/well-known/pki-validation/uu.php	true	Avira URL Cloud: safe	unknown
https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi	false		unknown
https://ciiscp.org/wordpress/mail.uu.se.html	false		unknown
https://ciiscp.org/wordpress/UU-images/cta-button.png	false	Avira URL Cloud: phishing	unknown
https://mail.lifetothebrim.org/favicon.ico	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semibold.eot?#iefix	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown
http://www.uu.se	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown
https://outlook.com/student.uu.se	chromecache_41.4.dr	false		high
https://mail.uu.se/owa	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.eot?#iefix	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown
http://iyfhshsp.com/?dn=referer_detect&pid=5POL4F2O4	chromecache_45.4.dr, chromecache_44.4.dr	false	Avira URL Cloud: safe	unknown
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semilight.ttf	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semilight.eot?#iefix	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.ttf	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown
https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-semibold.ttf	chromecache_41.4.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
20.163.176.101	ciiscp.org	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
192.254.188.250	mail.lifetothebrim.org	United States	46606	UNIFIEDLAYER-AS-1US	true
130.238.62.31	mail.uu.se	Sweden	1653	SUNETSUNETSwedishUniversityNetworkEU	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.250.181.228	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4
192.168.2.6

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592358
Start date and time:	2025-01-16 01:37:02 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	http://ciiscp.org/wordpress/mail.uu.se.html
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.phis.win@19/10@14/7
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 216.58.212.163, 172.217.16.206, 142.250.110.84, 142.250.185.78, 142.250.186.174, 216.58.206.46, 142.250.65.238, 74.125.0.102, 142.250.186.74, 142.250.186.42, 142.250.184.234, 142.250.185.74, 142.250.186.138, 142.250.185.138, 142.250.185.106, 216.58.206.74, 216.58.212.170, 142.250.74.202, 172.217.18.10, 172.217.23.106, 216.58.212.138, 172.217.16.202, 172.217.16.138, 142.250.185.170, 2.23.77.188, 199.232.210.172, 142.250.186.163, 13.107.246.45, 184.28.90.27, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, accounts.google.com, content-autofill.googleapis.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, ocsp.digicert.com, edgedl.me.gvt1.com, redirector.gvt1.com, update.googleapis.com, r1.sn-t0aekn7e.gvt1.com, clients.l.google.com, r1---sn-t0aekn7e.gvt1.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: http://ciiscp.org/wordpress/mail.uu.se.html

Input	Output
URL: http://ciiscp.org Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": false, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false, "reasoning": "This appears to be a straightforward organizational website using a legitimate .org TLD. No suspicious elements are present in the URL structure." }
URL: http://ciiscp.org
URL: https://ciiscp.org/wordpress/mail.uu.se.html... Model: Joe Sandbox AI	{ "risk_score": 6, "reasoning": "The provided JavaScript snippet contains several behaviors that raise moderate security concerns. It uses dynamic code execution through the `ActiveXObject` constructor, which could potentially allow for the execution of remote or malicious code. Additionally, the script attempts to render S/MIME controls, which could be used for data exfiltration or other malicious purposes. While the script appears to have a legitimate purpose related to email functionality, the use of legacy APIs and the potential for abuse warrant further review and caution." }
var a_fRC = 1; var g_fFcs = 1; var a_fLOff = 0; var a_fCAC = 0; var a_fEnbSMm = 0; /// <summary> /// Is Mime Control installed? /// </summary> function IsMimeCtlInst(progid) { if (!a_fEnbSMm) return false; var oMimeVer = null; try { // TODO: ingore this on none IE browser // //oMimeVer = new ActiveXObject(progid); } catch (e) { } if (oMimeVer != null) return true; else return false; } /// <summary> /// Render out the S-MIME control if it is installed. /// </summary> function RndMimeCtl() { if (IsMimeCtlInst("MimeBhvr.MimeCtlVer")) RndMimeCtlHlpr("MimeNSe2k3", "D801B381-B81D-47a7-8EC4-EFC111666AC0", "MIMEe2k3", "mimeLogoffE2k3"); if (IsMimeCtlInst("OwaSMime.MimeCtlVer")) RndMimeCtlHlpr("MimeNSe2k7sp1", "833aa5fb-7aca-4708-9d7b-c982bf57469a", "MIMEe2k7sp1", "mimeLogoffE2k7sp1"); if (IsMimeCtlInst("OwaSMime2.MimeCtlVer")) RndMimeCtlHlpr("MimeNSe2k9", "4F40839A-C1E5-47E3-804D-A2A17F42DA21", "MIMEe2k9", "mimeLogoffE2k9"); } /// <summary> /// Helper function to factor out the rendering of the S/MIME control. /// </summary> function RndMimeCtlHlpr(objid, classid, ns, id) { document.write("<OBJECT id='" + objid + "' classid='CLSID:" + classid + "'></OBJECT>"); document.write("<?IMPORT namespace='" + ns + "' implementation=#" + objid + ">"); document.write("<" + ns + ":Logoff id='" + id + "' style='display:none'/>"); } -->
URL: https://ciiscp.org/wordpress/mail.uu.se.html... Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": "The provided JavaScript code appears to be a legitimate login page script with no obvious malicious behaviors. It primarily handles the initialization and redirection of the login page, with some basic cookie and browser compatibility checks. There are no indicators of dynamic code execution, data exfiltration, or other high-risk activities. The script seems to be part of a trusted Microsoft application, and the behaviors are consistent with typical login page functionality." }
// flogon.js // // This file contains the script used by Logon.aspx // //Copyright (c) 2003-2006 Microsoft Corporation. All rights reserved. /// <summary> /// OnLoad handler for logon page /// </summary> window.onload = function () { // If we are replacing the current window with the logon page, initialize the logon page UI now // if (a_fRC) initLogon(); // Otherwise we need to find the window to replace with the logon page and redirect that window // else redir(); }; /// <summary> /// Initializes the logon page /// </summary> function initLogon() { try { // // we don't call document.execCommand("ClearAuthenticationCache","false"); anymore. As a part of the Pending-Notification // infrastructure, we are making a change to make sure startpage does not get loaded more than once. This solution is cookie // based. This execCommand was clearing all cookies in the scenario when a user logged on from a child window during an // FBA timeout. We do not want that to happen anymore. If this breaks anything, we may need to consider a different solution. // // Old Comments: // If the "Clear the Authentication Cache" flag is set to true and // we are coming from the logoff page , clear the cache. See bug 41770 and 5840 for details. // // Logoff the S-Mime control. // LogoffMime(); } catch (e) { } // Check for username cookie // var re = /(^\|; )logondata=acc=([0\|1])&lgn=([^;]+)(;\|$)/; var rg = re.exec(document.cookie); if (rg) { // Fill in username, set security to private, and restore the "use basic" selection // gbid("username").value = rg[3]; try { var signInErrorElement = gbid("signInErrorDiv"); if (signInErrorElement) { signInErrorElement.focus(); } else { gbid("password").focus(); } } catch (e) {} if (gbid("chkPrvt") && !gbid("chkPrvt").checked) { gbid("chkPrvt").click(); } if (rg[2] == "1" && gbid("chkBsc")) // chkBsc doesn't exist if the request comes from ECP gbid("chkBsc").click(); } else { // The variable g_fFcs is set to false when the password gains focus, // so that we don't accidentally set focus to the username field while // the user is typing their password // if (g_fFcs) { try { gbid("username").focus(); } catch (e) { } } } // OWA Premium currently supports // IE 7+, Safari 3+, Firefox 3+ for Windows / Mac if (IsOwaPremiumBrowser() && gbid("chkBsc")) // chkBsc doesn't exist if the request comes from ECP gbid("chkBsc").disabled = false; // Are cookies enabled? // var sCN = "cookieTest"; document.cookie = sCN + "=1"; var cookiesEnabled = document.cookie.indexOf(sCN + "=") != -1; if (cookiesEnabled == false) { shw(gbid("cookieMsg")); hd(gbid("lgnDiv")); } // Show the public/private warning message clkSec(); } /// <summary> /// Finds the frame we want to load the logon page into, and then loads it there /// </summary> function redir() { var o = window; // If we're in a dialog, open a logon window and close the dialog - this // basically inlines a version of opnWin() so that we don't need to include // uglobal.js in logon.aspx // try { if (o.dialogArguments) { var sWN = new String(Math.round(Math.random() * 100000)); var sF = "toolbar=0,location=0,directories=0,status=1,menubar=0,scrollbars=1,resizable=1,width=800,height=600"; var iT = Math.round((screen.availHeight - 600) / 2); var iL =
URL: https://ciiscp.org/wordpress/mail.uu.se.html... Model: Joe Sandbox AI	{ "risk_score": 3, "reasoning": "The provided JavaScript snippet appears to be a legitimate login-related functionality with some placeholder text handling and a 'show password' feature. There are no high-risk indicators like dynamic code execution, data exfiltration, or obfuscated code. The moderate-risk indicators, such as external data transmission and aggressive DOM manipulation, are limited to common login-related functionality. Overall, the script seems to be implementing standard login-related features without any clear malicious intent." }
var mainLogonDiv = window.document.getElementById("mainLogonDiv"); var showPlaceholderText = false; var mainLogonDivClassName = 'mouse'; if (mainLogonDivClassName == "tnarrow") { showPlaceholderText = true; // Output meta tag for viewport scaling document.write('<meta name="viewport" content="width = 320, initial-scale = 1.0, user-scalable = no" />'); } else if (mainLogonDivClassName == "twide"){ showPlaceholderText = true; } function setPlaceholderText() { window.document.getElementById("username").placeholder = "Anvndarnamn"; window.document.getElementById("password").placeholder = "Lsenord"; window.document.getElementById("passwordText").placeholder = "Lsenord"; } function showPasswordClick() { var showPassword = window.document.getElementById("showPasswordCheck").checked; passwordElement = window.document.getElementById("password"); passwordTextElement = window.document.getElementById("passwordText"); if (showPassword) { passwordTextElement.value = passwordElement.value; passwordElement.style.display = "none"; passwordTextElement.style.display = "inline"; passwordTextElement.focus(); } else { passwordElement.value = passwordTextElement.value; passwordTextElement.style.display = "none"; passwordTextElement.value = ""; passwordElement.style.display = "inline"; passwordElement.focus(); } }
URL: https://ciiscp.org/wordpress/mail.uu.se.html Model: Joe Sandbox AI	{ "contains_trigger_text": false, "trigger_text": "unknown", "prominent_button_name": "sign in", "text_input_field_labels": [ "User name:", "Password:" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false, "contains_chinese_text": false, "contains_fake_security_alerts": false }

URL: https://ciiscp.org/wordpress/mail.uu.se.html Model: Joe Sandbox AI	{ "brands": [ "Uppsala Universitet" ] }
	{ "brands": [ "Uppsala Universitet" ] }
URL: https://ciiscp.org/wordpress/mail.uu.se.html Model: Joe Sandbox AI	```json{ "legit_domain": "uu.se", "classification": "known", "reasons": [ "The brand 'Uppsala Universitet' is a known educational institution in Sweden.", "The legitimate domain for Uppsala Universitet is 'uu.se'.", "The provided URL 'ciiscp.org' does not match the legitimate domain 'uu.se'.", "The URL 'ciiscp.org' does not have any clear association with Uppsala Universitet.", "The presence of input fields for 'User name' and 'Password' on an unrelated domain is suspicious." ], "riskscore": 8} Google indexed: True
URL: ciiscp.org Brands: Uppsala Universitet Input Fields: User name:, Password:

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with no line terminators
Category:	downloaded
Size (bytes):	40
Entropy (8bit):	4.327567157116928
Encrypted:	false
SSDEEP:	3:mSryoSbSsvVXyY:mSrFSbScVXL
MD5:	C561EA20923CC4A7C28FC7CBD47B7B27
SHA1:	2B9BEB9F18C67725EF563E8D4997075EE7FABC14
SHA-256:	CF4C2F20FC4CD264541BDAAC94B46C06A6751D614518E1185C00DEF57B835C74
SHA-512:	297F50815FA0FD8EA470E00250E3BE61529589608AC428D3D029892202B11420F394DECE84F98861AC544DE7075940ACFCCB5C93FD47E2522B0CCBB1B383DCD4
Malicious:	false
Reputation:	low
URL:	https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgk97JOQCEz3NxIFDeeNQA4SBQ3OQUx6EgUNTx8adg==?alt=proto
Preview:	ChsKBw3njUAOGgAKBw3OQUx6GgAKBw1PHxp2GgA=

Chrome Cache Entry: 41

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (13745), with CRLF line terminators
Category:	downloaded
Size (bytes):	58885
Entropy (8bit):	5.982282431428558
Encrypted:	false
SSDEEP:	768:HCj2sGVhLdSc/y881E1GirLX9ciGwP6zz+/JqTfGaPqEIIPdKV7aQblShEShJHSl:rnGinX9cJzz+/Jq3bPkF5rmO
MD5:	A4E3C5F6F628A7CBE495CE7BA0E43A2D
SHA1:	E367EE36095E5AF0683B91AC69A8ACE4538A7548
SHA-256:	3220511F2DFCA78DB17E5E2BA047DB313A4769921A3E3F327F8FBAA547722834
SHA-512:	4F3F367E831B069EDC387D1C0D7F00D2DA53535956250ACE43572903C03D003F304183FA3A99B99245B58147ED4D5EDC491A1503C848F7141561394852E4B912
Malicious:	false
Reputation:	low
URL:	https://ciiscp.org/wordpress/mail.uu.se.html
Preview:	..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.. Copyright (c) 2011 Microsoft Corporation. All rights reserved. -->.. OwaPage = ASP.auth_logon_aspx -->...... {57A118C6-2DA9-419d-BE9A-F92B0F9A418B} -->..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> ..<html>..<head>..<meta http-equiv="X-UA-Compatible" content="IE=10" />..<link rel="shortcut icon" href="https://mail.uu.se/owa/auth/15.2.1544/themes/resources/favicon.ico" type="image/x-icon">..<meta http-equiv="Content-Type" content="text/html; CHARSET=utf-8">..<meta name="Robots" content="NOINDEX, NOFOLLOW">..<title>Outlook</title>..<style>..@font-face {.. font-family: "wf_segoe-ui_normal";.. src: url("https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.eot?#iefix") format("embedded-opentype"),.. url("https://mail.uu.se/owa/auth/15.2.1544/themes/resources/segoeui-regular.ttf") format("truetype");..}....@font-face {.. font-family: "wf_segoe-ui_semilight"

Chrome Cache Entry: 42

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	downloaded
Size (bytes):	894
Entropy (8bit):	5.0132631273961055
Encrypted:	false
SSDEEP:	12:t4mjuCVUPXkrr2CKMZ0gvwrvpIRAGR8iWFij55555555555555R:t5CFPePZUtLRi2ip
MD5:	258101CBC163512CFA5B2A2550FDC033
SHA1:	4B8789716FACFD6C95AD9D026A449063E5C71A79
SHA-256:	167B74CD17561E1BD3F9B5010E4494242AB69A4EE064FA828B4BEEB7DF820F71
SHA-512:	AFC498FBD32FF699DB8DEFEC45F673D7E512EA3EDC915F00CB053278970FA13A8CBDFC14585D5E4B7BD477A609D960024171D59437F6963114CE5939F0B64028
Malicious:	false
Reputation:	low
URL:	https://mail.uu.se/owa/auth/15.2.1544/themes/resources/favicon.ico
Preview:	..............h.......(....... .....................................................................................~~zxy............sqp...............................................................................................................................\|zx.........~}x........~...........................................................................................................................lg.c^.sn.up.................................^Y.\U.mg.c].c\.hc...............................sl.{v.....}x.jc...............................ic.d^.e].mg..z.mh.pk.........................zu.ni.>7.>6.A9._X.yu...............................QL.hc.XR.lf.uq.e_..................................c^.D=.NI.pk...............................................................................................................................................................................

Chrome Cache Entry: 43

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows icon resource - 1 icon, 16x16, 24 bits/pixel
Category:	dropped
Size (bytes):	894
Entropy (8bit):	5.0132631273961055
Encrypted:	false
SSDEEP:	12:t4mjuCVUPXkrr2CKMZ0gvwrvpIRAGR8iWFij55555555555555R:t5CFPePZUtLRi2ip
MD5:	258101CBC163512CFA5B2A2550FDC033
SHA1:	4B8789716FACFD6C95AD9D026A449063E5C71A79
SHA-256:	167B74CD17561E1BD3F9B5010E4494242AB69A4EE064FA828B4BEEB7DF820F71
SHA-512:	AFC498FBD32FF699DB8DEFEC45F673D7E512EA3EDC915F00CB053278970FA13A8CBDFC14585D5E4B7BD477A609D960024171D59437F6963114CE5939F0B64028
Malicious:	false
Reputation:	low
Preview:	..............h.......(....... .....................................................................................~~zxy............sqp...............................................................................................................................\|zx.........~}x........~...........................................................................................................................lg.c^.sn.up.................................^Y.\U.mg.c].c\.hc...............................sl.{v.....}x.jc...............................ic.d^.e].mg..z.mh.pk.........................zu.ni.>7.>6.A9._X.yu...............................QL.hc.XR.lf.uq.e_..................................c^.D=.NI.pk...............................................................................................................................................................................

Chrome Cache Entry: 44

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	633
Entropy (8bit):	5.042603895603443
Encrypted:	false
SSDEEP:	12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgO8uoQXgstQTLgsrbxY:hMxRQspxCQnZrH3atEcBEaK
MD5:	4234158A14F1B499A25B6ED43D0F83C7
SHA1:	A016B389294C0F3EC9A6E9A63A79B5E26024E13A
SHA-256:	B5B7AF1AA5D8CE4A5BF8ADE59CB61E1176DF6B70447C8E47EA769E14FCFCBECE
SHA-512:	AC88610EB46EC6AA930FDE5B94ABDEB45D37D0BB6FA78C676D2396831AD71ADE4FEDE62B2C8D1953523CFF077D2EADE9E0DE11E5FAAEAE86467F9C0379735715
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://iyfhshsp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.Status: 403 Forbidden..Content-Type: text/plain; charset=utf-8....403 Forbidden.Executing in an invalid environment for the supplied user

Chrome Cache Entry: 45

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF, LF line terminators
Category:	downloaded
Size (bytes):	633
Entropy (8bit):	5.042603895603443
Encrypted:	false
SSDEEP:	12:hnMQbwzRQ6QclfhxxEdWr+YZrH3atJMlgO8uoQXgstQTLgsrbxY:hMxRQspxCQnZrH3atEcBEaK
MD5:	4234158A14F1B499A25B6ED43D0F83C7
SHA1:	A016B389294C0F3EC9A6E9A63A79B5E26024E13A
SHA-256:	B5B7AF1AA5D8CE4A5BF8ADE59CB61E1176DF6B70447C8E47EA769E14FCFCBECE
SHA-512:	AC88610EB46EC6AA930FDE5B94ABDEB45D37D0BB6FA78C676D2396831AD71ADE4FEDE62B2C8D1953523CFF077D2EADE9E0DE11E5FAAEAE86467F9C0379735715
Malicious:	false
Reputation:	low
URL:	https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <title>Contact Support</title>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8">. </head>. <body marginwidth="0" marginheight="0" leftmargin="0" topmargin="0">. <iframe width="100%" height="100%" frameborder="0" SCROLLING="auto" marginwidth="0" src="http://iyfhshsp.com/?dn=referer_detect&pid=5POL4F2O4"></iframe>. </body>.</html>.Status: 403 Forbidden..Content-Type: text/plain; charset=utf-8....403 Forbidden.Executing in an invalid environment for the supplied user

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-16T01:38:17.739396+0100	2032732	ET PHISHING Possible Successful Outlook Web App Phish 2016-12-28	1	192.168.2.6	61353	192.254.188.250	443	TCP
2025-01-16T01:38:17.739396+0100	2815089	ETPRO PHISHING Successful Phish Yale Credentials Nov 24	1	192.168.2.6	61353	192.254.188.250	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 01:37:49.019876957 CET	49673	443	192.168.2.6	173.222.162.64
Jan 16, 2025 01:37:49.019984007 CET	49674	443	192.168.2.6	173.222.162.64
Jan 16, 2025 01:37:49.363636017 CET	49672	443	192.168.2.6	173.222.162.64
Jan 16, 2025 01:37:57.107377052 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.107409954 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:57.107733965 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.108530045 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.108540058 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:57.908643961 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:57.908723116 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.916302919 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.916312933 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:57.916791916 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:57.919204950 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.919260979 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.919270039 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:57.919409990 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:57.967333078 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:58.090281963 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:58.090487957 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:58.090620995 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:58.091705084 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:58.091727018 CET	443	49718	40.113.110.67	192.168.2.6
Jan 16, 2025 01:37:58.091737986 CET	49718	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:37:58.628380060 CET	49673	443	192.168.2.6	173.222.162.64
Jan 16, 2025 01:37:58.628395081 CET	49674	443	192.168.2.6	173.222.162.64
Jan 16, 2025 01:37:58.972260952 CET	49672	443	192.168.2.6	173.222.162.64
Jan 16, 2025 01:37:59.761979103 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:37:59.762025118 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:37:59.762109041 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:37:59.762429953 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:37:59.762444973 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:00.399061918 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:00.399369955 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:00.399399996 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:00.400923967 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:00.401001930 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:00.408346891 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:00.408433914 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:00.455538988 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:00.455557108 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:00.502433062 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:00.685503006 CET	443	49705	173.222.162.64	192.168.2.6
Jan 16, 2025 01:38:00.685883045 CET	49705	443	192.168.2.6	173.222.162.64
Jan 16, 2025 01:38:00.854166985 CET	61236	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:00.858964920 CET	53	61236	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:00.859039068 CET	61236	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:00.859081984 CET	61236	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:00.864312887 CET	53	61236	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:01.124052048 CET	61237	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.124576092 CET	61238	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.128853083 CET	80	61237	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:01.128945112 CET	61237	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.129376888 CET	80	61238	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:01.131036043 CET	61238	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.131138086 CET	61237	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.135901928 CET	80	61237	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:01.308057070 CET	53	61236	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:01.351115942 CET	61236	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:01.602647066 CET	80	61237	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:01.634433985 CET	61236	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:01.640857935 CET	53	61236	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:01.640913010 CET	61236	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:01.648183107 CET	61237	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.741786003 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.741820097 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:01.742202997 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.742446899 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:01.742465973 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.217432976 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.217710972 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.217736959 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.218935013 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.218997955 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.220177889 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.220247984 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.220432043 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.220438957 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.271292925 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.320661068 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.320730925 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.320749998 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.320780039 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.320786953 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.320806026 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.320832968 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.363666058 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.398339987 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.398350000 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.398380041 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.398416996 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.398471117 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.406572104 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.406580925 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.406626940 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.407486916 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.407495022 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.407547951 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.408443928 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.408452034 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.408507109 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.487898111 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.487905025 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.487957954 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.493824959 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.493832111 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.493882895 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.493935108 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.493978977 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.493985891 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.493997097 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.494024992 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.496265888 CET	61246	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.496273041 CET	443	61246	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.553924084 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.553939104 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:02.553988934 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.554240942 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:02.554251909 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.052015066 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.052376032 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:03.052407026 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.052694082 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.053217888 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:03.053276062 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.053432941 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:03.095326900 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.507874012 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.507956028 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.508017063 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:03.508528948 CET	61251	443	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:03.508547068 CET	443	61251	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:03.572555065 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:03.572581053 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:03.572660923 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:03.572869062 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:03.572881937 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.678886890 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.679150105 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:04.679181099 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.680190086 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.680267096 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:04.681552887 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:04.681612015 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.681807041 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:04.681813955 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.725765944 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:04.966242075 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:04.966259956 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:04.966337919 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:04.967133999 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:04.967150927 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:04.999711990 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.999780893 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:04.999921083 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:05.001626968 CET	61262	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:05.001636982 CET	443	61262	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:05.045568943 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:05.045602083 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:05.045686960 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:05.045953989 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:05.045967102 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:05.759185076 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:05.759274006 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:05.761441946 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:05.761451960 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:05.762306929 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:05.763992071 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:05.764296055 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:05.764301062 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:05.764555931 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:05.811340094 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:05.944829941 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:05.944935083 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:05.945005894 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:05.945302010 CET	61273	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:05.945319891 CET	443	61273	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:06.077747107 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.078124046 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:06.078181028 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.081804991 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.081904888 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:06.082680941 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:06.082882881 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.083158016 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:06.083174944 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.127691984 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:06.409049988 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.409244061 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.409487963 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:06.410584927 CET	61274	443	192.168.2.6	130.238.62.31
Jan 16, 2025 01:38:06.410619974 CET	443	61274	130.238.62.31	192.168.2.6
Jan 16, 2025 01:38:06.605662107 CET	80	61237	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:06.607139111 CET	61237	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:07.827208042 CET	61237	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:07.832056999 CET	80	61237	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:10.302293062 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:10.302445889 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:10.302659988 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:11.817276001 CET	49720	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:11.817302942 CET	443	49720	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:16.951730013 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:16.951824903 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:16.951899052 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:16.952428102 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:16.952467918 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:16.952670097 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:16.952691078 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:16.952694893 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:16.952964067 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:16.952980995 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.060972929 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.061033964 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:17.061115026 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.061645985 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.061661005 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:17.538602114 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.539730072 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.542215109 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.542248964 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.542829037 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.542845964 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.544483900 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.544580936 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.544585943 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.544632912 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.545865059 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.545945883 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.546279907 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.546375990 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.546653032 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.546660900 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.596374035 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.596390963 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.596463919 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.642642021 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.739406109 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.739594936 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.739717960 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.739929914 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.739929914 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.739949942 CET	443	61353	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.740051031 CET	61353	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.742347002 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:17.783340931 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:17.846018076 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:17.846117973 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.848777056 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.848792076 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:17.849148035 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:17.851449013 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.851476908 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.851488113 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:17.851715088 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:17.899327993 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:18.007541895 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.008856058 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.008927107 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.022608042 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:18.022788048 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:18.022840023 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:18.031322956 CET	61354	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:18.031348944 CET	443	61354	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:18.033741951 CET	61352	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.033785105 CET	443	61352	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.130856991 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.130892038 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.130959034 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.131520033 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.131535053 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.717324972 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.717761040 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.717787981 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.718950033 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.719369888 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.719516039 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.719541073 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.768659115 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.929146051 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.929220915 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.929275990 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.929543018 CET	61364	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.929559946 CET	443	61364	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.931195974 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.931245089 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:18.931334972 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.931577921 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:18.931593895 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.503262043 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.503688097 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.503725052 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.504903078 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.505348921 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.505533934 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.505579948 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.549586058 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.832087040 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.832315922 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.832395077 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.833661079 CET	61370	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.833683968 CET	443	61370	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.875616074 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.875674963 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:19.875895977 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.876163960 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:19.876183987 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.470552921 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.470988989 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:20.471010923 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.474525928 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.474633932 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:20.475133896 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:20.475205898 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.475334883 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:20.475343943 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.518384933 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:20.759383917 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.759551048 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:20.759609938 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:20.760905981 CET	61377	443	192.168.2.6	192.254.188.250
Jan 16, 2025 01:38:20.760926962 CET	443	61377	192.254.188.250	192.168.2.6
Jan 16, 2025 01:38:35.494934082 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:35.494954109 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:35.495023966 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:35.495523930 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:35.495534897 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.382220984 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.382364035 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.384942055 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.384952068 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.385721922 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.387640953 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.387685061 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.387692928 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.387799978 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.435333014 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.560269117 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.560489893 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.560838938 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.560883999 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:36.560903072 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.560903072 CET	61481	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:36.560913086 CET	443	61481	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:46.143681049 CET	61238	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:46.150769949 CET	80	61238	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:53.074955940 CET	80	61238	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:53.075050116 CET	61238	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:53.832652092 CET	61238	80	192.168.2.6	20.163.176.101
Jan 16, 2025 01:38:53.837661028 CET	80	61238	20.163.176.101	192.168.2.6
Jan 16, 2025 01:38:58.843800068 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:58.843851089 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:58.843943119 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:58.844723940 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:58.844743967 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.636183023 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.636281013 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:59.639750004 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:59.639780045 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.640250921 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.642213106 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:59.642290115 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:59.642307043 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.642433882 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:59.687331915 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.813663960 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.813877106 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.813990116 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:59.814162970 CET	61526	443	192.168.2.6	40.113.110.67
Jan 16, 2025 01:38:59.814187050 CET	443	61526	40.113.110.67	192.168.2.6
Jan 16, 2025 01:38:59.816143990 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:59.816245079 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:38:59.816328049 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:59.816548109 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:38:59.816584110 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:39:00.464899063 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:39:00.465534925 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:39:00.465575933 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:39:00.466041088 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:39:00.466367006 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:39:00.466448069 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:39:00.518434048 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:39:10.402971029 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:39:10.403129101 CET	443	61527	142.250.181.228	192.168.2.6
Jan 16, 2025 01:39:10.403247118 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:39:11.817048073 CET	61527	443	192.168.2.6	142.250.181.228
Jan 16, 2025 01:39:11.817116976 CET	443	61527	142.250.181.228	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 16, 2025 01:37:55.583437920 CET	53	51808	1.1.1.1	192.168.2.6
Jan 16, 2025 01:37:55.679109097 CET	53	50057	1.1.1.1	192.168.2.6
Jan 16, 2025 01:37:56.822848082 CET	53	56183	1.1.1.1	192.168.2.6
Jan 16, 2025 01:37:59.753994942 CET	63140	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:37:59.754133940 CET	58796	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:37:59.760828018 CET	53	63140	1.1.1.1	192.168.2.6
Jan 16, 2025 01:37:59.760971069 CET	53	58796	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:00.853286028 CET	53	65289	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:00.973841906 CET	58895	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:00.974061012 CET	61197	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:01.019176960 CET	53	61197	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:01.120841026 CET	53	58895	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:01.697499990 CET	56710	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:01.697731018 CET	54411	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:01.741113901 CET	53	56710	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:01.741305113 CET	53	54411	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:02.562664986 CET	53	64989	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:03.527184963 CET	62186	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:03.527522087 CET	54278	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:03.560623884 CET	53	62186	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:03.572205067 CET	53	54278	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:05.006736040 CET	49204	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:05.007189035 CET	50978	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:05.044856071 CET	53	49204	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:05.045027971 CET	53	50978	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:16.810729027 CET	60197	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:16.810918093 CET	51353	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:16.848428011 CET	53	51353	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:16.950958014 CET	53	60197	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:19.837176085 CET	53097	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:19.837259054 CET	52297	53	192.168.2.6	1.1.1.1
Jan 16, 2025 01:38:19.874692917 CET	53	52297	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:19.874890089 CET	53	53097	1.1.1.1	192.168.2.6
Jan 16, 2025 01:38:55.311918020 CET	53	59502	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 16, 2025 01:37:59.753994942 CET	192.168.2.6	1.1.1.1	0x6147	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:37:59.754133940 CET	192.168.2.6	1.1.1.1	0x38b1	Standard query (0)	www.google.com	65	IN (0x0001)	false
Jan 16, 2025 01:38:00.973841906 CET	192.168.2.6	1.1.1.1	0x2177	Standard query (0)	ciiscp.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:00.974061012 CET	192.168.2.6	1.1.1.1	0xca31	Standard query (0)	ciiscp.org	65	IN (0x0001)	false
Jan 16, 2025 01:38:01.697499990 CET	192.168.2.6	1.1.1.1	0xed9b	Standard query (0)	ciiscp.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:01.697731018 CET	192.168.2.6	1.1.1.1	0xc3a9	Standard query (0)	ciiscp.org	65	IN (0x0001)	false
Jan 16, 2025 01:38:03.527184963 CET	192.168.2.6	1.1.1.1	0x3b54	Standard query (0)	mail.uu.se	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:03.527522087 CET	192.168.2.6	1.1.1.1	0xcb80	Standard query (0)	mail.uu.se	65	IN (0x0001)	false
Jan 16, 2025 01:38:05.006736040 CET	192.168.2.6	1.1.1.1	0xcd74	Standard query (0)	mail.uu.se	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:05.007189035 CET	192.168.2.6	1.1.1.1	0x610c	Standard query (0)	mail.uu.se	65	IN (0x0001)	false
Jan 16, 2025 01:38:16.810729027 CET	192.168.2.6	1.1.1.1	0xa888	Standard query (0)	mail.lifetothebrim.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:16.810918093 CET	192.168.2.6	1.1.1.1	0x5a0a	Standard query (0)	mail.lifetothebrim.org	65	IN (0x0001)	false
Jan 16, 2025 01:38:19.837176085 CET	192.168.2.6	1.1.1.1	0xdab	Standard query (0)	mail.lifetothebrim.org	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:19.837259054 CET	192.168.2.6	1.1.1.1	0x7332	Standard query (0)	mail.lifetothebrim.org	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 16, 2025 01:37:59.760828018 CET	1.1.1.1	192.168.2.6	0x6147	No error (0)	www.google.com	142.250.181.228	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:37:59.760971069 CET	1.1.1.1	192.168.2.6	0x38b1	No error (0)	www.google.com		65	IN (0x0001)	false
Jan 16, 2025 01:38:01.120841026 CET	1.1.1.1	192.168.2.6	0x2177	No error (0)	ciiscp.org	20.163.176.101	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:01.741113901 CET	1.1.1.1	192.168.2.6	0xed9b	No error (0)	ciiscp.org	20.163.176.101	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:03.560623884 CET	1.1.1.1	192.168.2.6	0x3b54	No error (0)	mail.uu.se	130.238.62.31	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:05.044856071 CET	1.1.1.1	192.168.2.6	0xcd74	No error (0)	mail.uu.se	130.238.62.31	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:16.950958014 CET	1.1.1.1	192.168.2.6	0xa888	No error (0)	mail.lifetothebrim.org	192.254.188.250	A (IP address)	IN (0x0001)	false
Jan 16, 2025 01:38:19.874890089 CET	1.1.1.1	192.168.2.6	0xdab	No error (0)	mail.lifetothebrim.org	192.254.188.250	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ciiscp.org

https:

mail.uu.se

mail.lifetothebrim.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	61237	20.163.176.101	80	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 01:38:01.131138086 CET	450	OUT	GET /wordpress/mail.uu.se.html HTTP/1.1 Host: ciiscp.org Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9
Jan 16, 2025 01:38:01.602647066 CET	609	IN	HTTP/1.1 301 Moved Permanently Date: Thu, 16 Jan 2025 00:38:01 GMT Server: Apache/2.4.52 (Ubuntu) Location: https://ciiscp.org/wordpress/mail.uu.se.html Content-Length: 328 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 69 69 73 63 70 2e 6f 72 67 2f 77 6f 72 64 70 72 65 73 73 2f 6d 61 69 6c 2e 75 75 2e 73 65 2e 68 74 6d 6c 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 63 69 69 73 63 70 2e 6f 72 67 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://ciiscp.org/wordpress/mail.uu.se.html">here</a>.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at ciiscp.org Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	61238	20.163.176.101	80	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
Jan 16, 2025 01:38:46.143681049 CET	6	OUT	Data Raw: 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49718	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:37:57 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 4b 4a 74 61 48 71 4e 4e 30 30 43 6f 4e 33 32 57 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 66 62 33 38 36 36 38 34 39 62 37 38 65 30 32 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: KJtaHqNN00CoN32W.1Context: 9fb3866849b78e02
2025-01-16 00:37:57 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-16 00:37:57 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 4b 4a 74 61 48 71 4e 4e 30 30 43 6f 4e 33 32 57 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 66 62 33 38 36 36 38 34 39 62 37 38 65 30 32 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 46 6b 45 6d 36 46 46 6d 64 42 64 65 4e 62 31 66 58 31 63 6a 62 70 68 38 35 44 6f 6a 71 68 55 51 4a 4c 42 44 6a 78 33 30 59 63 65 38 35 73 57 34 75 69 68 73 49 6b 72 61 44 47 6d 62 47 64 4a 2b 70 66 57 4f 78 7a 6d 75 39 51 4b 6a 34 4d 5a 38 4f 36 74 6a 55 73 32 72 63 36 6e 74 63 4e 52 2b 34 51 50 6f 44 50 72 72 53 44 6c 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: KJtaHqNN00CoN32W.2Context: 9fb3866849b78e02<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAeFkEm6FFmdBdeNb1fX1cjbph85DojqhUQJLBDjx30Yce85sW4uihsIkraDGmbGdJ+pfWOxzmu9QKj4MZ8O6tjUs2rc6ntcNR+4QPoDPrrSDlU
2025-01-16 00:37:57 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 4b 4a 74 61 48 71 4e 4e 30 30 43 6f 4e 33 32 57 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 66 62 33 38 36 36 38 34 39 62 37 38 65 30 32 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: KJtaHqNN00CoN32W.3Context: 9fb3866849b78e02<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-16 00:37:58 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-16 00:37:58 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 37 43 62 59 62 42 50 78 68 45 2b 75 35 70 62 39 6e 59 6c 6d 35 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 7CbYbBPxhE+u5pb9nYlm5Q.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	61246	20.163.176.101	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:02 UTC	678	OUT	GET /wordpress/mail.uu.se.html HTTP/1.1 Host: ciiscp.org Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:02 UTC	296	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 00:38:02 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 15 Aug 2024 15:38:47 GMT ETag: "e605-61fbaa3816938" Accept-Ranges: bytes Content-Length: 58885 Vary: Accept-Encoding Connection: close Content-Type: text/html Content-Language: se
2025-01-16 00:38:02 UTC	7896	IN	Data Raw: 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0d 0a 3c 21 2d 2d 20 43 6f 70 79 72 69 67 68 74 20 28 63 29 20 32 30 31 31 20 4d 69 63 72 6f 73 6f 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 4f 77 61 50 61 67 65 20 3d 20 41 53 50 2e 61 75 74 68 5f 6c 6f 67 6f 6e 5f 61 73 70 78 20 2d 2d 3e 0d 0a 0d 0a 0d 0a 3c 21 2d 2d 20 7b 35 37 41 31 31 38 43 36 2d 32 44 41 39 2d 34 31 39 64 2d 42 45 39 41 2d 46 39 32 42 30 46 39 41 34 31 38 42 7d 20 2d 2d 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">... Copyright (c) 2011 Microsoft Corporation. All rights reserved. -->... OwaPage = ASP.auth_logon_aspx -->... {57A118C6-2DA9-419d-BE9A-F92B0F9A418B} --><!DOCTYPE HTML PUBLIC
2025-01-16 00:38:02 UTC	8000	IN	Data Raw: 73 69 67 6e 49 6e 43 68 65 63 6b 42 6f 78 54 65 78 74 2c 20 2e 74 6e 61 72 72 6f 77 20 2e 73 69 67 6e 49 6e 43 68 65 63 6b 42 6f 78 54 65 78 74 0d 0a 7b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 3b 0d 0a 7d 0d 0a 0d 0a 2e 73 69 67 6e 49 6e 43 68 65 63 6b 42 6f 78 4c 69 6e 6b 0d 0a 7b 0d 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 32 70 78 3b 0d 0a 09 63 6f 6c 6f 72 3a 20 23 39 39 30 30 30 30 3b 0d 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 48 65 6c 76 65 74 69 63 61 20 6e 65 75 65 27 2c 20 41 72 69 61 6c 2c 27 77 66 5f 73 65 67 6f 65 2d 75 69 5f 73 65 6d 69 6c 69 67 68 74 27 2c 20 27 53 65 67 6f 65 20 55 49 20 53 65 6d 69 6c 69 67 68 74 27 2c 20 27 53 65 67 6f 65 20 57 50 20 53 65 6d 69 6c 69 67 68 74 27 2c 20 27 53 65 67 6f 65 20 55 49 27 Data Ascii: signInCheckBoxText, .tnarrow .signInCheckBoxText{font-size: 15px;}.signInCheckBoxLink{font-size: 12px;color: #990000;font-family: 'Helvetica neue', Arial,'wf_segoe-ui_semilight', 'Segoe UI Semilight', 'Segoe WP Semilight', 'Segoe UI'
2025-01-16 00:38:02 UTC	8000	IN	Data Raw: 28 6f 70 29 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 70 2e 6f 70 65 6e 28 61 5f 73 43 57 2c 20 73 57 4e 2c 20 73 46 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 61 74 63 68 20 28 65 29 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7b 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6f 2e 63 6c 6f 73 65 28 29 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 72 65 74 75 72 6e 3b 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 63 61 74 63 68 20 28 65 29 0d 0a 20 20 20 20 7b 20 7d 0d 0a 0d 0a 20 20 20 20 2f 2f 20 54 68 65 20 75 72 6c 20 74 6f 20 72 65 64 69 72 65 63 74 20 74 6f 20 61 66 74 65 72 20 6c 6f 67 6f 6e 0d 0a 20 20 20 20 2f 2f 0d 0a 20 20 20 20 76 61 Data Ascii: (op) op.open(a_sCW, sWN, sF); } catch (e) { } o.close(); return; } } catch (e) { } // The url to redirect to after logon // va
2025-01-16 00:38:02 UTC	8000	IN	Data Raw: 26 26 20 75 61 2e 69 6e 64 65 78 4f 66 28 22 57 65 62 4b 69 74 22 29 20 21 3d 20 2d 31 29 3b 0d 0a 20 20 20 20 76 61 72 20 76 65 72 73 69 6f 6e 20 3d 20 32 2e 30 3b 0d 0a 0d 0a 20 20 20 20 69 66 20 28 69 65 29 0d 0a 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 76 65 72 73 69 6f 6e 20 3d 20 70 61 72 73 65 46 6c 6f 61 74 28 75 61 2e 72 65 70 6c 61 63 65 28 2f 5e 2e 2a 4d 53 49 45 20 2f 2c 20 27 27 29 29 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 69 66 20 28 66 69 72 65 66 6f 78 29 0d 0a 20 20 20 20 7b 0d 0a 20 20 20 20 20 20 20 20 76 65 72 73 69 6f 6e 20 3d 20 70 61 72 73 65 46 6c 6f 61 74 28 75 61 2e 72 65 70 6c 61 63 65 28 2f 5e 2e 2a 46 69 72 65 66 6f 78 5c 2f 2f 2c 20 27 27 29 29 3b 0d 0a 20 20 20 20 7d 0d 0a 20 20 20 20 65 6c 73 65 20 69 Data Ascii: && ua.indexOf("WebKit") != -1); var version = 2.0; if (ie) { version = parseFloat(ua.replace(/^.MSIE /, '')); } else if (firefox) { version = parseFloat(ua.replace(/^.Firefox\//, '')); } else i
2025-01-16 00:38:02 UTC	8000	IN	Data Raw: 41 41 70 74 4a 52 45 46 55 65 4e 71 6b 55 30 31 4c 56 46 45 59 66 75 37 58 7a 4a 31 37 6e 5a 6d 79 4a 42 57 30 73 67 52 44 52 41 67 4c 6f 69 38 74 67 68 5a 47 39 51 4e 61 52 37 74 67 32 76 51 6a 62 43 75 32 61 39 45 71 32 71 52 47 55 59 46 42 5a 41 74 4c 55 52 7a 53 55 55 63 4a 47 38 64 30 5a 6e 54 75 39 39 66 70 50 64 49 4d 53 6b 74 66 4f 4f 66 63 65 7a 6a 50 38 7a 37 76 63 39 34 6a 4d 4d 5a 77 6d 4a 44 35 4a 41 68 43 66 57 50 6d 30 65 32 2b 4d 47 4b 44 59 52 51 4e 42 43 48 72 70 54 57 69 2f 31 6b 61 45 78 46 6a 59 37 64 65 66 70 36 71 6e 65 58 4a 68 62 33 70 48 77 47 42 48 34 71 79 38 75 53 49 72 70 39 4e 71 6a 4a 30 54 58 73 58 75 76 5a 30 4b 66 76 6a 61 63 45 56 73 49 6c 45 7a 68 58 6b 6f 66 75 76 4a 30 66 2b 49 2b 42 67 56 64 4f 66 74 66 5a 65 30 4f Data Ascii: AAptJREFUeNqkU01LVFEYfu7XzJ17nZmyJBW0sgRDRAgLoi8tghZG9QNaR7tg2vQjbCu2a9Eq2qRGUYFBZAtLURzSUUcJG8d0ZnTu99fpPdIMSktfOOfcezjP8z7vc94jMMZwmJD5JAhCfWPm0e2+MGKDYRQNBCHrpTWi/1kaExFjY7defp6qneXJhb3pHwGBH4qy8uSIrp9NqjJ0TXsXuvZ0KfvjacEVsIlEzhXkofuvJ0f+I+BgVdOftfZe0O
2025-01-16 00:38:02 UTC	8000	IN	Data Raw: 46 50 30 59 4e 4d 46 76 4c 35 51 44 31 43 68 32 75 79 2b 4b 44 47 31 4a 55 53 47 57 67 45 74 4c 71 61 2b 4b 54 47 75 39 37 47 61 58 6d 4f 59 37 50 4a 6b 79 64 77 5a 77 45 4f 33 37 44 56 4e 4d 36 62 64 62 77 36 51 4d 46 2b 37 41 4d 31 2b 4f 69 67 4c 51 50 4f 55 52 4a 34 73 41 56 4d 62 68 74 65 4f 6a 58 58 77 4f 76 63 37 78 37 33 30 36 6f 7a 48 42 67 33 41 58 36 62 79 6e 56 75 78 63 51 6e 6f 43 47 63 70 6a 30 54 53 74 4c 77 77 4a 56 74 79 58 50 6e 34 6b 51 78 6c 73 7a 73 73 58 58 31 45 45 68 6c 78 6b 6f 56 73 47 6a 78 5a 4d 4d 79 47 73 33 32 75 6f 32 67 66 5a 6e 38 62 61 76 54 6b 6b 45 48 42 78 35 78 43 77 41 38 4d 70 6e 6c 51 59 61 59 58 32 7a 44 76 4f 38 59 59 67 72 74 67 30 73 74 74 72 4c 35 33 65 4c 7a 55 35 68 56 44 70 4a 43 41 76 68 63 42 56 48 69 6e Data Ascii: FP0YNMFvL5QD1Ch2uy+KDG1JUSGWgEtLqa+KTGu97GaXmOY7PJkydwZwEO37DVNM6bdbw6QMF+7AM1+OigLQPOURJ4sAVMbhteOjXXwOvc7x7306ozHBg3AX6bynVuxcQnoCGcpj0TStLwwJVtyXPn4kQxlszssXX1EEhlxkoVsGjxZMMyGs32uo2gfZn8bavTkkEHBx5xCwA8MpnlQYaYX2zDvO8YYgrtg0sttrL53eLzU5hVDpJCAvhcBVHin
2025-01-16 00:38:02 UTC	8000	IN	Data Raw: 59 41 41 41 4b 54 32 6c 44 51 31 42 51 61 47 39 30 62 33 4e 6f 62 33 41 67 53 55 4e 44 49 48 42 79 62 32 5a 70 62 47 55 41 41 48 6a 61 6e 56 4e 6e 56 46 50 70 46 6a 33 33 33 76 52 43 53 34 69 41 6c 45 74 76 55 68 55 49 49 46 4a 43 69 34 41 55 6b 53 59 71 49 51 6b 51 53 6f 67 68 6f 64 6b 56 55 63 45 52 52 55 55 45 47 38 69 67 69 41 4f 4f 6a 6f 43 4d 46 56 45 73 44 49 6f 4b 32 41 66 6b 49 61 4b 4f 67 36 4f 49 69 73 72 37 34 58 75 6a 61 39 61 38 39 2b 62 4e 2f 72 58 58 50 75 65 73 38 35 32 7a 7a 77 66 41 43 41 79 57 53 44 4e 52 4e 59 41 4d 71 55 49 65 45 65 43 44 78 38 54 47 34 65 51 75 51 49 45 4b 4a 48 41 41 45 41 69 7a 5a 43 46 7a 2f 53 4d 42 41 50 68 2b 50 44 77 72 49 73 41 48 76 67 41 42 65 4e 4d 4c 43 41 44 41 54 5a 76 41 4d 42 79 48 2f 77 2f 71 51 70 Data Ascii: YAAAKT2lDQ1BQaG90b3Nob3AgSUNDIHByb2ZpbGUAAHjanVNnVFPpFj333vRCS4iAlEtvUhUIIFJCi4AUkSYqIQkQSoghodkVUcERRUUEG8igiAOOjoCMFVEsDIoK2AfkIaKOg6OIisr74Xuja9a89+bN/rXXPues852zzwfACAyWSDNRNYAMqUIeEeCDx8TG4eQuQIEKJHAAEAizZCFz/SMBAPh+PDwrIsAHvgABeNMLCADATZvAMByH/w/qQp
2025-01-16 00:38:02 UTC	2989	IN	Data Raw: 75 74 20 6e 61 6d 65 3d 22 69 73 55 74 66 38 22 20 76 61 6c 75 65 3d 22 31 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 2f 3e 0d 0a 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 2d 73 75 62 6d 69 74 22 3e 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 74 61 62 69 6e 64 65 78 3d 22 2d 31 22 2f 3e 3c 2f 64 69 76 3e 20 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 3c 64 69 76 20 69 64 3d 22 63 6f 6f 6b 69 65 4d 73 67 22 20 63 6c 61 73 73 3d 22 6c 6f 67 6f 6e 44 69 76 22 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22 3e 0d 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 67 6e 49 6e 48 65 61 64 65 72 22 3e 4f 75 74 6c 6f 6f Data Ascii: ut name="isUtf8" value="1" type="hidden"/></div><div class="hidden-submit"><input type="submit" tabindex="-1"/></div> </div></div><div id="cookieMsg" class="logonDiv" style="display:none"><div class="signInHeader">Outloo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	61251	20.163.176.101	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:03 UTC	624	OUT	GET /wordpress/UU-images/cta-button.png HTTP/1.1 Host: ciiscp.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ciiscp.org/wordpress/mail.uu.se.html Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:03 UTC	185	IN	Data Raw: 48 54 54 50 2f 31 2e 30 20 35 30 30 20 49 6e 74 65 72 6e 61 6c 20 53 65 72 76 65 72 20 45 72 72 6f 72 0d 0a 44 61 74 65 3a 20 54 68 75 2c 20 31 36 20 4a 61 6e 20 32 30 32 35 20 30 30 3a 33 38 3a 30 33 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 0d 0a Data Ascii: HTTP/1.0 500 Internal Server ErrorDate: Thu, 16 Jan 2025 00:38:03 GMTServer: Apache/2.4.52 (Ubuntu)Content-Length: 0Connection: closeContent-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	61262	130.238.62.31	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:04 UTC	611	OUT	GET /owa/auth/15.2.1544/themes/resources/favicon.ico HTTP/1.1 Host: mail.uu.se Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://ciiscp.org/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:04 UTC	413	IN	HTTP/1.1 200 OK Cache-Control: public,max-age=2592000 Content-Type: image/x-icon Last-Modified: Mon, 26 Jan 2015 12:35:41 GMT Accept-Ranges: bytes ETag: "aa1d0986439d01:0" Server: Microsoft-IIS/10.0 request-id: f11b4d1d-7094-4f04-aad7-8e2152d8aad5 X-Powered-By: ASP.NET Date: Thu, 16 Jan 2025 00:38:04 GMT Content-Length: 894 Strict-Transport-Security: max-age=157680000; includeSubDomains; preload
2025-01-16 00:38:04 UTC	894	IN	Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 18 00 68 03 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 13 0b 00 00 13 0b 00 00 00 00 00 00 00 00 00 00 fb fb fb dc dc dc f1 f1 f1 f2 f1 f1 ec ec ed f8 f8 f9 f1 f1 f1 e9 e8 e9 f0 f0 f0 e4 e4 e4 eb ea ea f1 f1 f1 ef f0 f0 e9 e9 ea ef ef f0 fd fd fd d1 d1 d1 92 90 91 80 7e 7e 7a 78 79 92 90 91 9b 98 99 98 96 97 9e 9d 9d 73 71 70 90 8d 8d 8d 8b 8b b0 af b0 a1 a0 a0 9b 99 9a a6 a6 a6 ee ee ee e7 e6 e6 d7 d6 d7 ad ac ad d9 d8 d8 c5 c4 c4 d2 d2 d2 cb cb cb d5 d4 d3 bd bc bb c9 c8 c8 d4 d3 d3 c8 c7 c8 c6 c5 c5 c5 c5 c5 ad ac ac eb ea eb ff ff ff ff ff ff ff ff ff d1 d0 cf dc dd db f1 f1 f1 f5 f5 f4 ec eb ea cf ce cd df df df c3 c2 c1 da da da df dd de ff ff ff ff ff ff ff ff ff ff Data Ascii: h( ~~zxysqp

Session ID	Source IP	Source Port	Destination IP	Destination Port
4	192.168.2.6	61273	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:05 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 49 78 4c 48 69 65 43 76 75 55 6d 70 4e 36 36 7a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 37 63 38 65 31 65 61 38 65 62 39 34 37 31 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: IxLHieCvuUmpN66z.1Context: c7c8e1ea8eb9471
2025-01-16 00:38:05 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-16 00:38:05 UTC	1083	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 49 78 4c 48 69 65 43 76 75 55 6d 70 4e 36 36 7a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 37 63 38 65 31 65 61 38 65 62 39 34 37 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 46 6b 45 6d 36 46 46 6d 64 42 64 65 4e 62 31 66 58 31 63 6a 62 70 68 38 35 44 6f 6a 71 68 55 51 4a 4c 42 44 6a 78 33 30 59 63 65 38 35 73 57 34 75 69 68 73 49 6b 72 61 44 47 6d 62 47 64 4a 2b 70 66 57 4f 78 7a 6d 75 39 51 4b 6a 34 4d 5a 38 4f 36 74 6a 55 73 32 72 63 36 6e 74 63 4e 52 2b 34 51 50 6f 44 50 72 72 53 44 6c 55 71 Data Ascii: ATH 2 CON\DEVICE 1060MS-CV: IxLHieCvuUmpN66z.2Context: c7c8e1ea8eb9471<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAeFkEm6FFmdBdeNb1fX1cjbph85DojqhUQJLBDjx30Yce85sW4uihsIkraDGmbGdJ+pfWOxzmu9QKj4MZ8O6tjUs2rc6ntcNR+4QPoDPrrSDlUq
2025-01-16 00:38:05 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 49 78 4c 48 69 65 43 76 75 55 6d 70 4e 36 36 7a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 37 63 38 65 31 65 61 38 65 62 39 34 37 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: IxLHieCvuUmpN66z.3Context: c7c8e1ea8eb9471<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-16 00:38:05 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-16 00:38:05 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 66 74 68 72 6b 6d 37 7a 31 6b 47 6e 6c 38 2b 53 6a 4f 36 39 31 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: fthrkm7z1kGnl8+SjO691A.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	61274	130.238.62.31	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:06 UTC	381	OUT	GET /owa/auth/15.2.1544/themes/resources/favicon.ico HTTP/1.1 Host: mail.uu.se Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:06 UTC	413	IN	HTTP/1.1 200 OK Cache-Control: public,max-age=2592000 Content-Type: image/x-icon Last-Modified: Mon, 26 Jan 2015 12:35:41 GMT Accept-Ranges: bytes ETag: "aa1d0986439d01:0" Server: Microsoft-IIS/10.0 request-id: 01ca42fc-bb88-454c-9a69-c8a575adfaec X-Powered-By: ASP.NET Date: Thu, 16 Jan 2025 00:38:05 GMT Content-Length: 894 Strict-Transport-Security: max-age=157680000; includeSubDomains; preload
2025-01-16 00:38:06 UTC	894	IN	Data Raw: 00 00 01 00 01 00 10 10 00 00 01 00 18 00 68 03 00 00 16 00 00 00 28 00 00 00 10 00 00 00 20 00 00 00 01 00 18 00 00 00 00 00 00 00 00 00 13 0b 00 00 13 0b 00 00 00 00 00 00 00 00 00 00 fb fb fb dc dc dc f1 f1 f1 f2 f1 f1 ec ec ed f8 f8 f9 f1 f1 f1 e9 e8 e9 f0 f0 f0 e4 e4 e4 eb ea ea f1 f1 f1 ef f0 f0 e9 e9 ea ef ef f0 fd fd fd d1 d1 d1 92 90 91 80 7e 7e 7a 78 79 92 90 91 9b 98 99 98 96 97 9e 9d 9d 73 71 70 90 8d 8d 8d 8b 8b b0 af b0 a1 a0 a0 9b 99 9a a6 a6 a6 ee ee ee e7 e6 e6 d7 d6 d7 ad ac ad d9 d8 d8 c5 c4 c4 d2 d2 d2 cb cb cb d5 d4 d3 bd bc bb c9 c8 c8 d4 d3 d3 c8 c7 c8 c6 c5 c5 c5 c5 c5 ad ac ac eb ea eb ff ff ff ff ff ff ff ff ff d1 d0 cf dc dd db f1 f1 f1 f5 f5 f4 ec eb ea cf ce cd df df df c3 c2 c1 da da da df dd de ff ff ff ff ff ff ff ff ff ff Data Ascii: h( ~~zxysqp

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	61353	192.254.188.250	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:17 UTC	858	OUT	POST /well-known/pki-validation/uu.php HTTP/1.1 Host: mail.lifetothebrim.org Connection: keep-alive Content-Length: 128 Cache-Control: max-age=0 sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: https://ciiscp.org Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://ciiscp.org/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:17 UTC	128	OUT	Data Raw: 64 65 73 74 69 6e 61 74 69 6f 6e 3d 68 74 74 70 73 25 33 41 25 32 46 25 32 46 6d 61 69 6c 2e 75 75 2e 73 65 25 32 46 6f 77 61 26 66 6c 61 67 73 3d 34 26 66 6f 72 63 65 64 6f 77 6e 6c 65 76 65 6c 3d 30 26 75 73 65 72 6e 61 6d 65 3d 26 70 61 73 73 77 6f 72 64 3d 2a 46 58 59 55 25 35 44 38 59 71 25 32 31 79 25 35 42 26 70 61 73 73 77 6f 72 64 54 65 78 74 3d 26 69 73 55 74 66 38 3d 31 Data Ascii: destination=https%3A%2F%2Fmail.uu.se%2Fowa&flags=4&forcedownlevel=0&username=&password=*FXYU%5D8Yq%21y%5B&passwordText=&isUtf8=1
2025-01-16 00:38:17 UTC	228	IN	HTTP/1.1 302 Found Date: Thu, 16 Jan 2025 00:38:17 GMT Server: Apache Location: https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi Content-Length: 240 Connection: close Content-Type: text/html; charset=iso-8859-1
2025-01-16 00:38:17 UTC	240	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 6c 69 66 65 74 6f 74 68 65 62 72 69 6d 2e 6f 72 67 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	61352	192.254.188.250	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:17 UTC	752	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: mail.lifetothebrim.org Connection: keep-alive Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Referer: https://ciiscp.org/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:18 UTC	193	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 00:38:17 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html
2025-01-16 00:38:18 UTC	503	IN	Data Raw: 31 66 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 6e 74 61 63 74 20 53 75 70 70 6f 72 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 20 20 20 3c 62 6f 64 79 20 6d 61 72 67 69 6e 77 69 Data Ascii: 1f0<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>Contact Support</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body marginwi
2025-01-16 00:38:18 UTC	143	IN	Data Raw: 38 39 0d 0a 53 74 61 74 75 73 3a 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 0d 0a 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 45 78 65 63 75 74 69 6e 67 20 69 6e 20 61 6e 20 69 6e 76 61 6c 69 64 20 65 6e 76 69 72 6f 6e 6d 65 6e 74 20 66 6f 72 20 74 68 65 20 73 75 70 70 6c 69 65 64 20 75 73 65 72 0d 0a Data Ascii: 89Status: 403 ForbiddenContent-Type: text/plain; charset=utf-8403 ForbiddenExecuting in an invalid environment for the supplied user
2025-01-16 00:38:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
8	192.168.2.6	61354	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:17 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 74 77 38 49 73 65 79 65 44 30 4f 4c 39 78 77 37 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 32 33 35 31 62 66 38 38 62 62 61 31 62 66 38 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: tw8IseyeD0OL9xw7.1Context: 12351bf88bba1bf8
2025-01-16 00:38:17 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-16 00:38:17 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 74 77 38 49 73 65 79 65 44 30 4f 4c 39 78 77 37 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 32 33 35 31 62 66 38 38 62 62 61 31 62 66 38 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 46 6b 45 6d 36 46 46 6d 64 42 64 65 4e 62 31 66 58 31 63 6a 62 70 68 38 35 44 6f 6a 71 68 55 51 4a 4c 42 44 6a 78 33 30 59 63 65 38 35 73 57 34 75 69 68 73 49 6b 72 61 44 47 6d 62 47 64 4a 2b 70 66 57 4f 78 7a 6d 75 39 51 4b 6a 34 4d 5a 38 4f 36 74 6a 55 73 32 72 63 36 6e 74 63 4e 52 2b 34 51 50 6f 44 50 72 72 53 44 6c 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: tw8IseyeD0OL9xw7.2Context: 12351bf88bba1bf8<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAeFkEm6FFmdBdeNb1fX1cjbph85DojqhUQJLBDjx30Yce85sW4uihsIkraDGmbGdJ+pfWOxzmu9QKj4MZ8O6tjUs2rc6ntcNR+4QPoDPrrSDlU
2025-01-16 00:38:17 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 74 77 38 49 73 65 79 65 44 30 4f 4c 39 78 77 37 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 32 33 35 31 62 66 38 38 62 62 61 31 62 66 38 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: tw8IseyeD0OL9xw7.3Context: 12351bf88bba1bf8<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-16 00:38:18 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-16 00:38:18 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 75 2f 4d 48 46 54 32 51 56 30 36 2f 4c 49 67 6e 6b 4c 66 42 55 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: u/MHFT2QV06/LIgnkLfBUQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.6	61364	192.254.188.250	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:18 UTC	625	OUT	GET /favicon.ico HTTP/1.1 Host: mail.lifetothebrim.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:18 UTC	228	IN	HTTP/1.1 302 Found Date: Thu, 16 Jan 2025 00:38:18 GMT Server: Apache Location: https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi Content-Length: 240 Connection: close Content-Type: text/html; charset=iso-8859-1
2025-01-16 00:38:18 UTC	240	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6c 2e 6c 69 66 65 74 6f 74 68 65 62 72 69 6d 2e 6f 72 67 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.6	61370	192.254.188.250	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:19 UTC	639	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: mail.lifetothebrim.org Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 sec-ch-ua-platform: "Windows" Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgi Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:19 UTC	186	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 00:38:19 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Content-Length: 633 Content-Type: text/html
2025-01-16 00:38:19 UTC	633	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 6e 74 61 63 74 20 53 75 70 70 6f 72 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 20 20 20 3c 62 6f 64 79 20 6d 61 72 67 69 6e 77 69 64 74 68 3d 22 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>Contact Support</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body marginwidth="

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.6	61377	192.254.188.250	443	3968	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:20 UTC	371	OUT	GET /cgi-sys/suspendedpage.cgi HTTP/1.1 Host: mail.lifetothebrim.org Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: / Sec-Fetch-Site: none Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2025-01-16 00:38:20 UTC	193	IN	HTTP/1.1 200 OK Date: Thu, 16 Jan 2025 00:38:20 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Vary: Accept-Encoding Transfer-Encoding: chunked Content-Type: text/html
2025-01-16 00:38:20 UTC	503	IN	Data Raw: 31 66 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 43 6f 6e 74 61 63 74 20 53 75 70 70 6f 72 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 20 20 20 3c 2f 68 65 61 64 3e 0a 20 20 20 20 20 20 20 3c 62 6f 64 79 20 6d 61 72 67 69 6e 77 69 Data Ascii: 1f0<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html> <head> <title>Contact Support</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> </head> <body marginwi
2025-01-16 00:38:20 UTC	143	IN	Data Raw: 38 39 0d 0a 53 74 61 74 75 73 3a 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 70 6c 61 69 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 0d 0a 0d 0a 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 45 78 65 63 75 74 69 6e 67 20 69 6e 20 61 6e 20 69 6e 76 61 6c 69 64 20 65 6e 76 69 72 6f 6e 6d 65 6e 74 20 66 6f 72 20 74 68 65 20 73 75 70 70 6c 69 65 64 20 75 73 65 72 0d 0a Data Ascii: 89Status: 403 ForbiddenContent-Type: text/plain; charset=utf-8403 ForbiddenExecuting in an invalid environment for the supplied user
2025-01-16 00:38:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.6	61481	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:36 UTC	69	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 33 0d 0a 4d 53 2d 43 56 3a 20 43 43 70 76 72 68 53 41 4d 45 75 53 47 69 79 33 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 39 37 32 30 61 39 62 65 36 38 62 64 63 0d 0a 0d 0a Data Ascii: CNT 1 CON 303MS-CV: CCpvrhSAMEuSGiy3.1Context: 99720a9be68bdc
2025-01-16 00:38:36 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-16 00:38:36 UTC	1082	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 35 39 0d 0a 4d 53 2d 43 56 3a 20 43 43 70 76 72 68 53 41 4d 45 75 53 47 69 79 33 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 39 37 32 30 61 39 62 65 36 38 62 64 63 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 46 6b 45 6d 36 46 46 6d 64 42 64 65 4e 62 31 66 58 31 63 6a 62 70 68 38 35 44 6f 6a 71 68 55 51 4a 4c 42 44 6a 78 33 30 59 63 65 38 35 73 57 34 75 69 68 73 49 6b 72 61 44 47 6d 62 47 64 4a 2b 70 66 57 4f 78 7a 6d 75 39 51 4b 6a 34 4d 5a 38 4f 36 74 6a 55 73 32 72 63 36 6e 74 63 4e 52 2b 34 51 50 6f 44 50 72 72 53 44 6c 55 71 76 Data Ascii: ATH 2 CON\DEVICE 1059MS-CV: CCpvrhSAMEuSGiy3.2Context: 99720a9be68bdc<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAeFkEm6FFmdBdeNb1fX1cjbph85DojqhUQJLBDjx30Yce85sW4uihsIkraDGmbGdJ+pfWOxzmu9QKj4MZ8O6tjUs2rc6ntcNR+4QPoDPrrSDlUqv
2025-01-16 00:38:36 UTC	216	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 35 0d 0a 4d 53 2d 43 56 3a 20 43 43 70 76 72 68 53 41 4d 45 75 53 47 69 79 33 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 39 37 32 30 61 39 62 65 36 38 62 64 63 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 195MS-CV: CCpvrhSAMEuSGiy3.3Context: 99720a9be68bdc<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-16 00:38:36 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-16 00:38:36 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 53 4d 66 52 43 66 67 70 63 45 4f 4f 61 55 78 36 4c 48 36 55 79 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: SMfRCfgpcEOOaUx6LH6UyA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.6	61526	40.113.110.67	443

Timestamp	Bytes transferred	Direction	Data
2025-01-16 00:38:59 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 41 50 54 72 47 58 34 77 79 30 79 31 58 4a 42 4b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 33 62 33 64 30 39 34 39 35 62 32 63 31 39 36 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: APTrGX4wy0y1XJBK.1Context: a3b3d09495b2c196
2025-01-16 00:38:59 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-16 00:38:59 UTC	1084	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 41 50 54 72 47 58 34 77 79 30 79 31 58 4a 42 4b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 33 62 33 64 30 39 34 39 35 62 32 63 31 39 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 65 46 6b 45 6d 36 46 46 6d 64 42 64 65 4e 62 31 66 58 31 63 6a 62 70 68 38 35 44 6f 6a 71 68 55 51 4a 4c 42 44 6a 78 33 30 59 63 65 38 35 73 57 34 75 69 68 73 49 6b 72 61 44 47 6d 62 47 64 4a 2b 70 66 57 4f 78 7a 6d 75 39 51 4b 6a 34 4d 5a 38 4f 36 74 6a 55 73 32 72 63 36 6e 74 63 4e 52 2b 34 51 50 6f 44 50 72 72 53 44 6c 55 Data Ascii: ATH 2 CON\DEVICE 1061MS-CV: APTrGX4wy0y1XJBK.2Context: a3b3d09495b2c196<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAeFkEm6FFmdBdeNb1fX1cjbph85DojqhUQJLBDjx30Yce85sW4uihsIkraDGmbGdJ+pfWOxzmu9QKj4MZ8O6tjUs2rc6ntcNR+4QPoDPrrSDlU
2025-01-16 00:38:59 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 41 50 54 72 47 58 34 77 79 30 79 31 58 4a 42 4b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 33 62 33 64 30 39 34 39 35 62 32 63 31 39 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: APTrGX4wy0y1XJBK.3Context: a3b3d09495b2c196<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-16 00:38:59 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2025-01-16 00:38:59 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 2f 67 66 69 2f 6c 36 51 62 30 75 74 36 4c 4f 63 4c 4c 32 77 31 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: /gfi/l6Qb0ut6LOcLL2w1A.0Payload parsing failed.

Target ID:	2
Start time:	19:37:50
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	19:37:54
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 --field-trial-handle=2264,i,12879587691625082442,13133716170211826207,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	19:37:59
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://ciiscp.org/wordpress/mail.uu.se.html"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Source: Yara match	File source: 1.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_41, type: DROPPED

Source: global traffic	HTTP traffic detected: GET /wordpress/mail.uu.se.html HTTP/1.1Host: ciiscp.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wordpress/UU-images/cta-button.png HTTP/1.1Host: ciiscp.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ciiscp.org/wordpress/mail.uu.se.htmlAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /owa/auth/15.2.1544/themes/resources/favicon.ico HTTP/1.1Host: mail.uu.seConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://ciiscp.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /owa/auth/15.2.1544/themes/resources/favicon.ico HTTP/1.1Host: mail.uu.seConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: mail.lifetothebrim.orgConnection: keep-aliveCache-Control: max-age=0Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Referer: https://ciiscp.org/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: mail.lifetothebrim.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgiAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: mail.lifetothebrim.orgConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://mail.lifetothebrim.org/cgi-sys/suspendedpage.cgiAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: mail.lifetothebrim.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: /Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /wordpress/mail.uu.se.html HTTP/1.1Host: ciiscp.orgConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: ciiscp.org
Source: global traffic	DNS traffic detected: DNS query: mail.uu.se
Source: global traffic	DNS traffic detected: DNS query: mail.lifetothebrim.org

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report http://ciiscp.org/wordpress/mail.uu.se.html

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 40

Chrome Cache Entry: 41

Chrome Cache Entry: 42

Chrome Cache Entry: 43

Chrome Cache Entry: 44

Chrome Cache Entry: 45

Static File Info

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 6440, Parent PID: 5924

General

Chronological Activities

Windows Analysis Report
http://ciiscp.org/wordpress/mail.uu.se.html